Edit tour

Windows Analysis Report
setup.exe

Overview

General Information

Sample name:	setup.exe
Analysis ID:	1465696
MD5:	5ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA1:	47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256:	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
Tags:	Amadeyexe
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, SmokeLoader, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected Amadey

Yara detected Amadeys stealer DLL

Yara detected LummaC Stealer

Yara detected Mars stealer

Yara detected RedLine Stealer

Yara detected SmokeLoader

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates HTML files with .exe extension (expired dropper behavior)

Creates a thread in another existing process (thread injection)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Use Short Name Path in Command Line

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

setup.exe (PID: 5368 cmdline: "C:\Users\user\Desktop\setup.exe" MD5: 5AD5E4F1F3126C5D6CFDBFBBE5597C84)

axplong.exe (PID: 7520 cmdline: "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe" MD5: 5AD5E4F1F3126C5D6CFDBFBBE5597C84)

streamer.exe (PID: 7864 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe" MD5: 2BC0DB539A8FAB08BF4104EB7F2DE7E7)

BitLockerToGo.exe (PID: 1504 cmdline: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

TpWWMUpe0LEV.exe (PID: 7992 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe" MD5: 242214131486132E33CEDA794D66CA1F)

conhost.exe (PID: 8000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 8052 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

Freshbuild.exe (PID: 8120 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe" MD5: 07101CAC5B9477BA636CD8CA7B9932CB)

Hkbsse.exe (PID: 8184 cmdline: "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe" MD5: 07101CAC5B9477BA636CD8CA7B9932CB)

1.exe (PID: 2196 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe" MD5: 5AB7C9BADBFDAB65FBC3E519BDB81235)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

50EC.exe (PID: 2980 cmdline: C:\Users\user~1\AppData\Local\Temp\50EC.exe MD5: BD2EAC64CBDED877608468D86786594A)

crypt6.exe (PID: 1196 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe" MD5: A957DC16D684FBD7E12FC87E8EE12FEA)

conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 7444 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 4340 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312 MD5: C31336C1EFC2CCB44B4326EA793040F2)

newlogs.exe (PID: 6184 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe" MD5: 0970456D2E2BCB36F49D23F5F2EEC4CE)

stealc_zov.exe (PID: 1272 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe" MD5: 253CCAC8A47B80287F651987C0C779EA)

newbuild.exe (PID: 316 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe" MD5: 9AB4DE8B2F2B99F009D32AA790CD091B)

ZharkBOT.exe (PID: 2908 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe" MD5: 339271AF2BBDAD0395A479C3EF2A714A)

34vgn892c.exe (PID: 6820 cmdline: "C:\ProgramData\34vgn892c.exe" MD5: 339271AF2BBDAD0395A479C3EF2A714A)

Hkbsse.exe (PID: 3540 cmdline: C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe MD5: 07101CAC5B9477BA636CD8CA7B9932CB)

dcbedta (PID: 7000 cmdline: C:\Users\user\AppData\Roaming\dcbedta MD5: 5AB7C9BADBFDAB65FBC3E519BDB81235)

Hkbsse.exe (PID: 4324 cmdline: C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe MD5: 07101CAC5B9477BA636CD8CA7B9932CB)

axplong.exe (PID: 5088 cmdline: C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe MD5: 5AD5E4F1F3126C5D6CFDBFBBE5597C84)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://bitsight.com/blog/unveiling-socks5systemz-rise-new-proxy-service-privateloader-and-amadey	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}

Threatname: LummaC

{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzi", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyze", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop"], "Build id": "DWWXLF--24524534563"}

Threatname: Vidar

{"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}

Threatname: Amadey

{"C2 url": "185.172.128.116/Mb3GvQs8/index.php", "Version": "4.30"}

Threatname: RedLine

{"C2 url": "4.185.56.82:42687", "Bot Id": "LiveTraffoc", "Message": "Error, disable antivirus and try again!", "Authorization Header": "238eb848efbf8f0276be0a0ec24f81cd"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000003.1709677823.00000000036E2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000028.00000000.1918746786.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000002.3721434800.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000012.00000000.1558483602.0000000000031000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1335718111.0000000000781000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000003.1949201156.0000000005430000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000026.00000003.2053180664.00000000032CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001D.00000002.1731585464.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000001D.00000002.1732396588.0000000002E7F000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x702b:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000B.00000003.1340637010.0000000005450000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000027.00000002.2185619506.0000000002D70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000028.00000002.1931585603.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001F.00000003.1653312909.00000000036E2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000000.1571924265.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000026.00000003.2065808485.00000000032CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000014.00000002.1591289151.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000029.00000002.1990646891.0000000000D51000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000000.1580634291.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
00000027.00000002.2187001287.0000000002F8E000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7243:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000001F.00000003.1710428950.00000000036E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000001.00000003.1295247202.0000000004D30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000001.1558636048.0000000000031000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 8052	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: crypt6.exe PID: 1196	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7444	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: newlogs.exe PID: 6184	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: stealc_zov.exe PID: 1272	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_zov.exe PID: 1272	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_zov.exe PID: 1272	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 1504	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 1504	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: BitLockerToGo.exe PID: 1504	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: newbuild.exe PID: 316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: newbuild.exe PID: 316	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ZharkBOT.exe PID: 2908	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Amadey_4	Yara detected Amadey	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 64 entries

Unpacked PEs

Source	Rule	Description	Author
15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
17.2.aspnet_regiis.exe.960000.0.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.2.aspnet_regiis.exe.960000.0.raw.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
23.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
40.0.Hkbsse.exe.a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.2.Freshbuild.exe.30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
40.2.Hkbsse.exe.a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
21.2.crypt6.exe.950000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
30.0.stealc_zov.exe.670000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
30.0.stealc_zov.exe.670000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
20.2.Hkbsse.exe.a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
33.0.newbuild.exe.e30000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.aspnet_regiis.exe.960000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
17.2.aspnet_regiis.exe.960000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
18.0.Freshbuild.exe.30000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
30.2.stealc_zov.exe.670000.0.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
30.2.stealc_zov.exe.670000.0.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
28.0.newlogs.exe.240000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
20.0.Hkbsse.exe.a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.0.Hkbsse.exe.a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.2.axplong.exe.d50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.2.Hkbsse.exe.a0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack	JoeSecurity_MarsStealer	Yara detected Mars stealer	Joe Security
41.2.axplong.exe.d50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.setup.exe.780000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 24 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\34vgn892c.exe, EventID: 13, EventType: SetValue, Image: C:\ProgramData\34vgn892c.exe, ProcessId: 6820, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3v82v2vcc2

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\dcbedta, CommandLine: C:\Users\user\AppData\Roaming\dcbedta, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\dcbedta, NewProcessName: C:\Users\user\AppData\Roaming\dcbedta, OriginalFileName: C:\Users\user\AppData\Roaming\dcbedta, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\dcbedta, ProcessId: 7000, ProcessName: dcbedta

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe, ParentCommandLine: "C:\Users\user\Desktop\setup.exe", ParentImage: C:\Users\user\Desktop\setup.exe, ParentProcessId: 5368, ParentProcessName: setup.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe" , ProcessId: 7520, ProcessName: axplong.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: setup.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://40.86.87.10/108e010e8f91c38c.php#	Avira URL Cloud: Label: malware
Source: http://65.21.175.0	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpX	Avira URL Cloud: Label: phishing
Source: http://40.86.87.10/b13597c85f807692/vcruntime140.dllqk	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php:	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php=	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php9	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/b13597c85f807692/freebl3.dll	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.php7	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.phpo	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.phpl	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/Kiru9gu/index.phpd	Avira URL Cloud: Label: phishing
Source: http://40.86.87.10/108e010e8f91c38c.php4	Avira URL Cloud: Label: malware
Source: http://40.86.87.10	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/lend/stealc_zov.exeu	Avira URL Cloud: Label: phishing
Source: http://65.21.175.0/b13597c85f807692/sqlite3.dllen-GB	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/b13597c85f807692/msvcp140.dllGIECBGHIJEHIIDGD4	Avira URL Cloud: Label: malware
Source: http://77.91.77.81/Kiru9gu/index.php~1	Avira URL Cloud: Label: phishing
Source: http://cx5519.com/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/b13597c85f807692/vcruntime140.dll	Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phps	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpg	Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apim	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpL	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpM	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpD	Avira URL Cloud: Label: malware
Source: http://65.21.175.0/108e010e8f91c38c.	Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apik	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpU	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpR	Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/apiX	Avira URL Cloud: Label: malware
Source: http://40.86.87.10/108e010e8f91c38c.phpO	Avira URL Cloud: Label: malware
Source: http://65.21.175.0/b13597c85f807692/sqlite3.dll$	Avira URL Cloud: Label: malware
Source: https://potterryisiw.shop/api4	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1317026

Found malware configuration

Source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}
Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp	Malware Configuration Extractor: Vidar {"C2 url": "http://65.21.175.0/108e010e8f91c38c.php"}
Source: 18.2.Freshbuild.exe.30000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "185.172.128.116/Mb3GvQs8/index.php", "Version": "4.30"}
Source: 21.2.crypt6.exe.950000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": "4.185.56.82:42687", "Bot Id": "LiveTraffoc", "Message": "Error, disable antivirus and try again!", "Authorization Header": "238eb848efbf8f0276be0a0ec24f81cd"}
Source: BitLockerToGo.exe.1504.31.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyzi", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyze", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop"], "Build id": "DWWXLF--24524534563"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\786A.exe	ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\d3d9.dll	ReversingLabs: Detection: 91%

Multi AV Scanner detection for submitted file

Source: setup.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: setup.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: 185.172.128.116
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: /Mb3GvQs8/index.php
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: S-%lu-
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: b66a8ae076
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Hkbsse.exe
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Startup
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: cmd /C RMDIR /s/q
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: rundll32
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Programs
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: %USERPROFILE%
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: cred.dll\|clip.dll\|
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: http://
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: https://
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: /Plugins/
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: &unit=
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: shell32.dll
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: kernel32.dll
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: GetNativeSystemInfo
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: ProgramData\
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: AVAST Software
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Kaspersky Lab
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Panda Security
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Doctor Web
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: 360TotalSecurity
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Bitdefender
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Norton
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Sophos
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Comodo
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: WinDefender
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: 0123456789
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: ------
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: ?scr=1
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Content-Type: application/x-www-form-urlencoded
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: ComputerName
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: abcdefghijklmnopqrstuvwxyz0123456789-_
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: -unicode-
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SYSTEM\CurrentControlSet\Control\UnitedVideo\CONTROL\VIDEO\
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SYSTEM\ControlSet001\Services\BasicDisplay\Video
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: VideoID
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: DefaultSettings.XResolution
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: DefaultSettings.YResolution
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: ProductName
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: CurrentBuild
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: rundll32.exe
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: "taskkill /f /im "
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: " && timeout 1 && del
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: && Exit"
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: " && ren
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: Powershell.exe
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: -executionpolicy remotesigned -File "
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: shutdown -s -t 0
Source: 18.2.Freshbuild.exe.30000.0.unpack	String decryptor: random
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: INSERT_KEY_HERE
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetProcAddress
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: LoadLibraryA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: lstrcatA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: OpenEventA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateEventA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CloseHandle
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Sleep
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetUserDefaultLangID
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: VirtualAllocExNuma
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: VirtualFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetSystemInfo
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: VirtualAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HeapAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetComputerNameA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: lstrcpyA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetProcessHeap
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetCurrentProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: lstrlenA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ExitProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GlobalMemoryStatusEx
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetSystemTime
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SystemTimeToFileTime
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: advapi32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: gdi32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: user32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: crypt32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ntdll.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetUserNameA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateDCA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetDeviceCaps
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ReleaseDC
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CryptStringToBinaryA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sscanf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: VMwareVMware
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HAL9TH
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: JohnDoe
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DISPLAY
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %hu/%hu/%hu
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: http://65.21.175.0
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: /108e010e8f91c38c.php
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: /b13597c85f807692/
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: jopa
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetEnvironmentVariableA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetFileAttributesA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GlobalLock
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HeapFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetFileSize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GlobalSize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: IsWow64Process
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Process32Next
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetLocalTime
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: FreeLibrary
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetTimeZoneInformation
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetSystemPowerStatus
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetVolumeInformationA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetWindowsDirectoryA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Process32First
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetLocaleInfoA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetUserDefaultLocaleName
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetModuleFileNameA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DeleteFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: FindNextFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: LocalFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: FindClose
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SetEnvironmentVariableA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: LocalAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetFileSizeEx
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ReadFile
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SetFilePointer
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: WriteFile
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: FindFirstFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CopyFileA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: VirtualProtect
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetLastError
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: lstrcpynA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: MultiByteToWideChar
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GlobalFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: WideCharToMultiByte
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GlobalAlloc
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: OpenProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: TerminateProcess
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetCurrentProcessId
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: gdiplus.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ole32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: bcrypt.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: wininet.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: shlwapi.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: shell32.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: psapi.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: rstrtmgr.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateCompatibleBitmap
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SelectObject
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BitBlt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DeleteObject
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateCompatibleDC
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdipGetImageEncodersSize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdipGetImageEncoders
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdiplusStartup
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdiplusShutdown
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdipSaveImageToStream
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdipDisposeImage
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GdipFree
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetHGlobalFromStream
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CreateStreamOnHGlobal
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CoUninitialize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CoInitialize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CoCreateInstance
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BCryptDecrypt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BCryptSetProperty
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BCryptDestroyKey
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetWindowRect
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetDesktopWindow
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetDC
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CloseWindow
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: wsprintfA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: EnumDisplayDevicesA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetKeyboardLayoutList
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CharToOemW
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: wsprintfW
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RegQueryValueExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RegEnumKeyExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RegOpenKeyExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RegCloseKey
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RegEnumValueA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CryptBinaryToStringA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CryptUnprotectData
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SHGetFolderPathA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ShellExecuteExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: InternetOpenUrlA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: InternetConnectA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: InternetCloseHandle
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: InternetOpenA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HttpSendRequestA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HttpOpenRequestA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: InternetReadFile
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: InternetCrackUrlA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: StrCmpCA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: StrStrA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: StrCmpCW
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: PathMatchSpecA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: GetModuleFileNameExA
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RmStartSession
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RmRegisterResources
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RmGetList
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: RmEndSession
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_open
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_prepare_v2
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_step
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_column_text
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_finalize
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_close
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_column_bytes
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3_column_blob
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: encrypted_key
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: PATH
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: NSS_Init
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: NSS_Shutdown
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: PK11_FreeSlot
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: PK11_Authenticate
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: PK11SDR_Decrypt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: C:\ProgramData\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: browser:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: profile:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: url:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: login:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: password:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Opera
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: OperaGX
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Network
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: cookies
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: .txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: TRUE
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: FALSE
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: autofill
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT name, value FROM autofill
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: history
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: name:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: month:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: year:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: card:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Cookies
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Login Data
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Web Data
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: History
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: logins.json
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: formSubmitURL
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: usernameField
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: encryptedUsername
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: encryptedPassword
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: guid
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: cookies.sqlite
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: formhistory.sqlite
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: places.sqlite
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: plugins
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Local Extension Settings
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Sync Extension Settings
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: IndexedDB
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Opera Stable
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Opera GX Stable
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: CURRENT
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: chrome-extension_
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: _0.indexeddb.leveldb
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Local State
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: profiles.ini
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: chrome
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: opera
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: firefox
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: wallets
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %08lX%04lX%lu
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ProductName
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ProcessorNameString
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DisplayName
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DisplayVersion
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Network Info:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - IP: IP?
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Country: ISO?
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: System Summary:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - HWID:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - OS:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Architecture:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - UserName:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Computer Name:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Local Time:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - UTC:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Language:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Keyboards:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Laptop:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Running Path:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - CPU:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Threads:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Cores:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - RAM:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - Display Resolution:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: - GPU:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: User Agents:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Installed Apps:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: All Users:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Current User:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Process List:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: system_info.txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: freebl3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: mozglue.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: msvcp140.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: nss3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: softokn3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: vcruntime140.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Temp\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: .exe
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: runas
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: open
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: /c start
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %DESKTOP%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %APPDATA%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %LOCALAPPDATA%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %USERPROFILE%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %DOCUMENTS%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %PROGRAMFILES%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %PROGRAMFILES_86%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: %RECENT%
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: *.lnk
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: files
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \discord\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Local Storage\leveldb
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Telegram Desktop\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: key_datas
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: D877F783D5D3EF8C*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: map*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: A7FDF864FBC10B77*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: F8806DD0C461824F*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Telegram
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: *.tox
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: *.ini
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Password
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: 00000001
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: 00000002
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: 00000003
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: 00000004
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Outlook\accounts.txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Pidgin
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \.purple\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: accounts.xml
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: dQw4w9WgXcQ
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: token:
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Software\Valve\Steam
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: SteamPath
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \config\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ssfn*
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: config.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DialogConfig.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: libraryfolders.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: loginusers.vdf
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Steam\
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: sqlite3.dll
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: browsers
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: done
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: soft
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: \Discord\tokens.txt
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: https
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: POST
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: HTTP/1.1
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: hwid
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: build
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: token
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: file_name
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: file
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: message
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack	String decryptor: screenshot.jpg

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbK& source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb0~ source: newlogs.exe, 0000001C.00000002.3869165497.00000000055D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB10008 FindFirstFileExW,		15_2_6CB10008
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0006DAAD FindFirstFileExW,		18_2_0006DAAD

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 176.29.154.25 80
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.6 80
Source: C:\Windows\explorer.exe	Network Connect: 102.187.252.37 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://65.21.175.0/108e010e8f91c38c.php
Source: Malware configuration extractor	URLs: pedestriankodwu.xyz
Source: Malware configuration extractor	URLs: towerxxuytwi.xyzi
Source: Malware configuration extractor	URLs: ellaboratepwsz.xyz
Source: Malware configuration extractor	URLs: penetratedpoopp.xyz
Source: Malware configuration extractor	URLs: swellfrrgwwos.xyze
Source: Malware configuration extractor	URLs: contintnetksows.shop
Source: Malware configuration extractor	URLs: foodypannyjsud.shop
Source: Malware configuration extractor	URLs: potterryisiw.shop
Source: Malware configuration extractor	URLs: http://65.21.175.0/108e010e8f91c38c.php
Source: Malware configuration extractor	URLs: http://evilos.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://gebeus.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://office-techs.biz/tmp/index.php
Source: Malware configuration extractor	URLs: http://cx5519.com/tmp/index.php
Source: Malware configuration extractor	IPs: 185.172.128.116
Source: Malware configuration extractor	URLs: 4.185.56.82:42687

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: build.exe.11.dr
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: FILE1.exe.11.dr

Source: Joe Sandbox View

IP Address: 185.172.128.116 185.172.128.116

Source: Joe Sandbox View	ASN Name: NADYMSS-ASRU NADYMSS-ASRU
Source: Joe Sandbox View	ASN Name: LEVEL3US LEVEL3US
Source: Joe Sandbox View	ASN Name: CP-ASDE CP-ASDE

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe

Code function: 11_2_00D5BD30 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

11_2_00D5BD30

Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116//
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/405117-2476756634-1003
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/405117-2476756634-10031
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/405117-2476756634-10035
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2143802469.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Freshbuild.exe
Source: axplong.exe, 0000000B.00000003.2143802469.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Freshbuild.exe;
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Freshbuild.exeG
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Freshbuild.exef
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Freshbuild.exes
Source: ZharkBOT.exe, 00000023.00000003.1801769575.00000000036F3000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.00000000036CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.php
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.php1=
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpC
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpL
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpM=
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpcoded
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpcoded-(Rcx
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpcodedn(
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpd
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpded
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpn
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpo
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpq
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.phpu
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/Mb3GvQs8/index.php~=
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000D12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.116/a
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php#
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000006B8000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php27eb6a46da1cb8e815a609f758924517
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php4
Source: stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php7
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php9
Source: stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php:
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.php=
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpD
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpL
Source: stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpM
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpO
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpR
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpS
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpU
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpg
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phplectrum
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phposition:
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phppera
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phpppData
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/108e010e8f91c38c.phps
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/freebl3.dllt
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dllR
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/mozglue.dllT
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dll:O
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dllF
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dllGIECBGHIJEHIIDGD4
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/msvcp140.dllh
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dll
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dll$
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/nss3.dllv
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dll&O
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dllHO
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/softokn3.dllT
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/sqlite3.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/vcruntime140.dll
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10/b13597c85f807692/vcruntime140.dllqk
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.10d
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://40.86.87.d
Source: axplong.exe, 0000000B.00000003.2143802469.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://43.153.49.49:8888/down/TpWWMUpe0LEV.exe
Source: ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.0000000002926000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/1
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.0000000002926000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.
Source: aspnet_regiis.exe, 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.php
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.php5
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.phpE
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.phpP
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/108e010e8f91c38c.phpb
Source: aspnet_regiis.exe, 00000011.00000002.2979412810.000000000099A000.00000040.00000400.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dll
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dll$
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dllen-GB
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dllg
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175.0/b13597c85f807692/sqlite3.dllx
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DFC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://65.21.175W
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php1000130001
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php1000131001
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php1000144001
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php32
Source: axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php7
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php70551e6e5747850f04add5fc4bc#
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php8
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpFA
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpM
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpN
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpX
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpZharkBOT.exe
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpbA
Source: axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpd
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpemp
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpl
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phplA
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phplN
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.phpo
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/Kiru9gu/index.php~1
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/f
Source: axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/crypt6.exe
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/newbuild.exe
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/newbuild.exeT
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/newlogs.exe
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/newlogs.exeD
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exe
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exe/
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exe7
Source: axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/lend/stealc_zov.exeu
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/t%
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: ZharkBOT.exe, 00000023.00000003.1789825008.00000000035AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micros8i
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.1891018350.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: explorer.exe, 00000022.00000000.1687380427.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.1688702793.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.1688737269.0000000008820000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000321D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Ent
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000321D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponsehM
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000033B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000034D9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22LR
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003215000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24ResponsehM
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000344B000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponsehM
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9LR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000321D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponsehM
Source: newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/hM
Source: explorer.exe, 00000022.00000000.1685006963.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3366911211.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://admin.atlassian.com
Source: explorer.exe, 00000022.00000000.1690337457.000000000913F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000003.1890857549.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.bitbucket.org
Source: crypt6.exe, 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, RegAsm.exe, 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, newbuild.exe, 00000021.00000000.1648456279.0000000000E55000.00000002.00000001.01000000.00000015.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000022.00000000.1685006963.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aui-cdn.atlassian.com/
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001723000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1449527562.0000000001720000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/R
Source: axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/bc2514d8-2277-4dd3-a4e2-b5b0ed90570d/downloads/67e8095f-ddaa-
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/%7Bfb83dd9a-6600-46cd-b25f-7b5decba6275%7D/
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/709b9568a348ca9adec25b3fbf8b44263e4ab627c65d1729
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/account/sdgdf/avatar/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/blog/announcing-our-new-ci-cd-runtime-with-up-to-8x-faster-builds
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/blog/wp-json/wp/v2/posts?categories=196&context=embed&per_page=6&orderby=date&
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/f49fa1a70b1ea6d80e22bac709b9568a348ca9adec25b3fbf8b44263e4ab627c65d1729cE
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/f49fa1a70b1ea6d80e22bac709b9568a348ca9adec25b3fbf8b44263e4ab627c65d172:
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/ferences.SourceAumid/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/gateway/api/emoji/
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/m
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/onal
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/FILE1.exe
Source: axplong.exe, 0000000B.00000003.1507798051.000000000620C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe
Source: axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe3456789
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe8
Source: axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1449527562.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/streamer.exe
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.000000000360C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.org/sdgdf/fbghhj/downloads/streamer.exe6789
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bitbucket.status.atlassian.com/
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cookielaw.org/
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/
Source: axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
Source: axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/app.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/aui-8.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/locales/en.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/dist/webpack/vendor.js
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/a022e62940a9/jsi18n/en/djangojs.js
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: streamer.exe, streamer.exe, 0000000E.00000002.1636684412.00007FF7E5C0B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://github.com/golang/protobuf/issues/1609):
Source: axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.atlassian.com/login
Source: axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.atlassian.com/logout
Source: axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://id.atlassian.com/manage-profile/
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: streamer.exe	String found in binary or memory: https://login.chinacloudapi.cn/mergeRuneSets
Source: streamer.exe	String found in binary or memory: https://login.microsoftonline.com/bad
Source: streamer.exe	String found in binary or memory: https://login.microsoftonline.us/too
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1691672162.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000364B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1693084005.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1692548488.00000000036EE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000364B000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/
Source: BitLockerToGo.exe, 0000001F.00000003.1709677823.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1642251556.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747224489.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789130872.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786737002.00000000036F2000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747513352.00000000036ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788412749.0000000003672000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003672000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.0000000003672000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653312909.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/api
Source: BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/api1m
Source: BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/api4
Source: BitLockerToGo.exe, 0000001F.00000003.1747224489.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747513352.00000000036ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/apiX
Source: BitLockerToGo.exe, 0000001F.00000003.1691672162.00000000036EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/apia4
Source: BitLockerToGo.exe, 0000001F.00000002.1789130872.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786737002.00000000036F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/apik
Source: BitLockerToGo.exe, 0000001F.00000003.1642251556.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653312909.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003698000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/apim
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/c
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/h
Source: BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000365C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/l
Source: BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000365C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/l/
Source: BitLockerToGo.exe, 0000001F.00000003.1665322987.000000000367D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://potterryisiw.shop/m
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://preferences.atlassian.com
Source: streamer.exe, streamer.exe, 0000000E.00000002.1636684412.00007FF7E5C0B000.00000002.00000001.01000000.00000009.sdmp	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/
Source: axplong.exe, 0000000B.00000002.3748613213.0000000001745000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.0000000003629000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.0000000003627000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://solutionhub.cc/download/ZharkBOT.exe
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.00000000036F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sylhetvoice.com/
Source: Hkbsse.exe, 00000013.00000003.1609070300.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.000000000372B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.0000000003720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sylhetvoice.com/tmp/1.exe
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.000000000372B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.0000000003720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sylhetvoice.com/tmp/1.exe(nmb%
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sylhetvoice.com/tmp/1.exe4c6d8c1b3aeaJz
Source: Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sylhetvoice.com/tmp/1.exeqz
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000022.00000003.1891078527.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000022.00000000.1702130995.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.atlassian.com/try/cloud/signup?bundle=bitbucket
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: stealc_zov.exe, 0000001E.00000002.3303351548.0000000027402000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1680030212.0000000003715000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.mozilla.org/about/t.exe
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: stealc_zov.exe, 0000001E.00000002.3247862322.0000000000716000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/vchost.exe
Source: stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1679591645.0000000005A9A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000022.00000000.1685006963.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001D.00000002.1731585464.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001D.00000002.1732396588.0000000002E7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2185619506.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000027.00000002.2187001287.0000000002F8E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown

PE file contains section with special chars

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name: .idata
Source: axplong.exe.1.dr	Static PE information: section name:

PE file has a writeable .text section

Source: stealc_zov[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_zov.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Windows\explorer.exe	Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB02630 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,		15_2_6CB02630
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004CA9A NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,		18_2_0004CA9A

Source: C:\Users\user\Desktop\setup.exe	File created: C:\Windows\Tasks\axplong.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File created: C:\Windows\Tasks\Hkbsse.job			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D5E410	11_2_00D5E410
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D54CD0	11_2_00D54CD0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D93048	11_2_00D93048
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D87D63	11_2_00D87D63
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D54AD0	11_2_00D54AD0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D96EE9	11_2_00D96EE9
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D9763B	11_2_00D9763B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D92BB0	11_2_00D92BB0
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D9775B	11_2_00D9775B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D98700	11_2_00D98700
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB012D0	15_2_6CB012D0
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB02630	15_2_6CB02630
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB02F20	15_2_6CB02F20
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB165B5	15_2_6CB165B5
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB0A9D0	15_2_6CB0A9D0
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB02D40	15_2_6CB02D40
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0003A909	18_2_0003A909
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00039910	18_2_00039910
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00073048	18_2_00073048
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_000560A2	18_2_000560A2
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00051512	18_2_00051512
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0007763B	18_2_0007763B
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00078700	18_2_00078700
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0007775B	18_2_0007775B
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00034AD0	18_2_00034AD0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00072BB0	18_2_00072BB0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00034CD0	18_2_00034CD0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00053D01	18_2_00053D01
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00050D23	18_2_00050D23
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00067D63	18_2_00067D63
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00076EE9	18_2_00076EE9

Source: Joe Sandbox View

Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: String function: 0004DE90 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: String function: 0004D852 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: String function: 00047F00 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: String function: 6CB0BB30 appears 33 times

Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312

Source: streamer[1].exe.11.dr	Static PE information: Number of sections : 12 > 10
Source: streamer.exe.11.dr	Static PE information: Number of sections : 12 > 10

Source: setup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001D.00000002.1731585464.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001D.00000002.1732396588.0000000002E7F000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2185619506.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000027.00000002.2187001287.0000000002F8E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23

Source: whiteheroin[1].exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TpWWMUpe0LEV.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: setup.exe	Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: setup.exe	Static PE information: Section: vbhkqplo ZLIB complexity 0.9950141504249707
Source: axplong.exe.1.dr	Static PE information: Section: ZLIB complexity 0.9984097506830601
Source: axplong.exe.1.dr	Static PE information: Section: vbhkqplo ZLIB complexity 0.9950141504249707

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@49/64@0/18

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 17_2_00976550 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,

17_2_00976550

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\streamer[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1196
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2120:120:WilError_03

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Users\user~1\AppData\Local\Temp\8254624243

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe

File opened: C:\Windows\system32\b5f2b550938247c50a552a9aee8222fc4554bb3927f888f9f3ea73ce6fcb4e3fAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\ProgramData\34vgn892c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_zov.exe, 0000001E.00000003.3099165661.0000000021316000.00000004.00000020.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003606000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003699000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000036AF000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.000000000361B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_zov.exe, 0000001E.00000002.3280954499.000000001B3AA000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3365688300.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: setup.exe

ReversingLabs: Detection: 68%

Source: setup.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: streamer.exe	String found in binary or memory: lkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlin
Source: streamer.exe	String found in binary or memory: lkBarrieruncaching span but s.allocCount == 0/memory/classes/metadata/other:bytes/sched/pauses/stopping/other:secondsuser arena span is on the wrong listruntime: marked free object in span runtime: unblock on closing polldescruntime: inconsistent write deadlin
Source: streamer.exe	String found in binary or memory: sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stoppin
Source: streamer.exe	String found in binary or memory: sysAllocconcurrent map read and map writeruntime: failed to decommit pages/cpu/classes/gc/pause:cpu-seconds/cpu/classes/gc/total:cpu-seconds/gc/limiter/last-enabled:gc-cycle/memory/classes/heap/stacks:bytes/memory/classes/heap/unused:bytes/sched/pauses/stoppin

Source: C:\Users\user\Desktop\setup.exe

File read: C:\Users\user\Desktop\setup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\setup.exe "C:\Users\user\Desktop\setup.exe"
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Process created: C:\ProgramData\34vgn892c.exe "C:\ProgramData\34vgn892c.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\dcbedta C:\Users\user\AppData\Roaming\dcbedta
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\50EC.exe C:\Users\user~1\AppData\Local\Temp\50EC.exe
Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\50EC.exe C:\Users\user~1\AppData\Local\Temp\50EC.exe
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Process created: C:\ProgramData\34vgn892c.exe "C:\ProgramData\34vgn892c.exe"
Source: C:\ProgramData\34vgn892c.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: uxtheme.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Section loaded: ntasn1.dll
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
Source: C:\Windows\explorer.exe	Section loaded: webio.dll
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: pdh.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: perfos.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: pdh.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: powrprof.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: cryptbase.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: umpdc.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: perfos.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: amsi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: wininet.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: kernel.appcore.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: userenv.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: profapi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: version.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: wbemcomn.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: sspicli.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: iertutil.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: windows.storage.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: wldp.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: winhttp.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: mswsock.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: iphlpapi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: winnsi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: dpapi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: msasn1.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: cryptsp.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: rsaenh.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: gpapi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: urlmon.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: srvcli.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: netutils.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: dnsapi.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: rasadhlp.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: fwpuclnt.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: schannel.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: mskeyprotect.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: ntasn1.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: ncrypt.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: ncryptsslp.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: uxtheme.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: propsys.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: edputil.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: wintypes.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: appresolver.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: bcp47langs.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: slc.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: sppc.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\34vgn892c.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\dcbedta	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\dcbedta	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\dcbedta	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\dcbedta	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\setup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: setup.exe

Static file information: File size 1949696 > 1048576

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: setup.exe

Static PE information: Raw size of vbhkqplo is bigger than: 0x100000 < 0x1aa800

Source:	Binary string: C:\Windows\System.ServiceModel.pdbpdbdel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdbP source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: \??\C:\Windows\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B59000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.ServiceModel.pdbK& source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BitLockerToGo.pdb source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb0~ source: newlogs.exe, 0000001C.00000002.3869165497.00000000055D7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_zov.exe, 0000001E.00000002.3360499356.000000005DCFF000.00000002.00000001.01000000.0000001C.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.pdb source: newlogs.exe, 0000001C.00000002.3747272466.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: stealc_zov.exe, 0000001E.00000002.3355489493.000000005DB3D000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: streamer.exe, 0000000E.00000002.1633510777.000000C00029A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C0001B6000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000002.1633510777.000000C00031A000.00000004.00001000.00020000.00000000.sdmp, streamer.exe, 0000000E.00000003.1628415179.000001E9E7300000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\setup.exe	Unpacked PE file: 1.2.setup.exe.780000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Unpacked PE file: 11.2.axplong.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Unpacked PE file: 29.2.1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\dcbedta	Unpacked PE file: 39.2.dcbedta.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Unpacked PE file: 41.2.axplong.exe.d50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;vbhkqplo:EW;oxgxjklu:EW;.taggant:EW;

Source: newlogs[1].exe.11.dr

Static PE information: 0xB6B5349D [Sat Feb 19 08:13:17 2067 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe

Code function: 18_2_0005BEA9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_0005BEA9

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: newlogs[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x53c92
Source: crypt6[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x81a12
Source: crypt6.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x81a12
Source: newbuild[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x59272
Source: stealc_zov[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x30e30
Source: stealc_zov.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x30e30
Source: axplong.exe.1.dr	Static PE information: real checksum: 0x1ea8f3 should be: 0x1e4112
Source: whiteheroin[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x1373ab
Source: setup.exe	Static PE information: real checksum: 0x1ea8f3 should be: 0x1e4112
Source: Freshbuild.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x755f6
Source: Freshbuild[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x755f6
Source: TpWWMUpe0LEV.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x1373ab
Source: ZharkBOT.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x132e9a
Source: ZharkBOT[1].exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x132e9a
Source: newlogs.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x53c92
Source: newbuild.exe.11.dr	Static PE information: real checksum: 0x0 should be: 0x59272

Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: .idata
Source: setup.exe	Static PE information: section name:
Source: setup.exe	Static PE information: section name: vbhkqplo
Source: setup.exe	Static PE information: section name: oxgxjklu
Source: setup.exe	Static PE information: section name: .taggant
Source: axplong.exe.1.dr	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name: .idata
Source: axplong.exe.1.dr	Static PE information: section name:
Source: axplong.exe.1.dr	Static PE information: section name: vbhkqplo
Source: axplong.exe.1.dr	Static PE information: section name: oxgxjklu
Source: axplong.exe.1.dr	Static PE information: section name: .taggant
Source: whiteheroin[1].exe.11.dr	Static PE information: section name: ._LW
Source: TpWWMUpe0LEV.exe.11.dr	Static PE information: section name: ._LW
Source: streamer[1].exe.11.dr	Static PE information: section name: .xdata
Source: streamer.exe.11.dr	Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D6D82C push ecx; ret	11_2_00D6D83F
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB16CE4 push ecx; ret	15_2_6CB16CF7
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB362E5 push ecx; ret	15_2_6CB362F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 17_2_00978EE5 push ecx; ret	17_2_00978EF8
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_00041314 push ecx; retn 0000h	18_2_00041315
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004064F push ss; iretd	18_2_00040650
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004D82C push ecx; ret	18_2_0004D83F
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004DED6 push ecx; ret	18_2_0004DEE9

Source: setup.exe	Static PE information: section name: entropy: 7.985661636626442
Source: setup.exe	Static PE information: section name: vbhkqplo entropy: 7.954343379648948
Source: axplong.exe.1.dr	Static PE information: section name: entropy: 7.985661636626442
Source: axplong.exe.1.dr	Static PE information: section name: vbhkqplo entropy: 7.954343379648948
Source: whiteheroin[1].exe.11.dr	Static PE information: section name: .text entropy: 7.945036065819348
Source: TpWWMUpe0LEV.exe.11.dr	Static PE information: section name: .text entropy: 7.945036065819348

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\streamer[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	File created: C:\ProgramData\34vgn892c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	File created: C:\Users\user\AppData\Roaming\d3d9.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\dcbedta	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe	File created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\50EC.exe	Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Jump to dropped file
Source: C:\Users\user\Desktop\setup.exe	File created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\786A.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ZharkBOT[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	File created: C:\ProgramData\34vgn892c.exe	Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe	File created: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe	File created: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe	Jump to dropped file

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\dcbedta

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\Desktop\setup.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\ProgramData\34vgn892c.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3v82v2vcc2
Source: C:\ProgramData\34vgn892c.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 3v82v2vcc2

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\dcbedta:Zone.Identifier read attributes | delete

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe

Code function: 18_2_0004C66B GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_0004C66B

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\ProgramData\34vgn892c.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\34vgn892c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\34vgn892c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dcbedta	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dcbedta	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dcbedta	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dcbedta	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dcbedta	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\dcbedta	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\ProgramData\34vgn892c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	API/Special instruction interceptor: Address: 7FFB2CECD584
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	API/Special instruction interceptor: Address: FA2432
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	API/Special instruction interceptor: Address: FB9E6B
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	API/Special instruction interceptor: Address: 12F7E15
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	API/Special instruction interceptor: Address: E0AA71
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	API/Special instruction interceptor: Address: 1025B80
Source: C:\Users\user\AppData\Local\Temp\50EC.exe	API/Special instruction interceptor: Address: FE8181
Source: C:\Users\user\AppData\Roaming\dcbedta	API/Special instruction interceptor: Address: 7FFB2CECE814
Source: C:\Users\user\AppData\Roaming\dcbedta	API/Special instruction interceptor: Address: 7FFB2CECD584

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0.EXEHOLLOWS_HUNTER32VGAUTHSERVICE.EXEPROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEKSDUMPER.EXEPRL_CC.EXEPRL_TOOLS.EXEPE-SIEVE64.EXEMONETA64.EXEFAKENET.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMWAREUSER.EXEVMTOOLSD.EXEVMWARETRAY.EXEVMSRVC.EXEVBOXTRAY.EXECALLED `OPTION::UNWRAP()` ON A `NONE` VALUEC:\USERS\MAGNU\.CARGO\REGISTRY\SRC\INDEX.CRATES.IO-6F17D22BBA15001F\ANTILYSIS-0.1.2\SRC\LIB.RS
Source: 1.exe, 0000001D.00000002.1731834087.0000000002E6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCEXP64.EXEPROCEXP.EXEPROCMON.EXEPROCMON64.EXEPESTUDIO.EXEKSDUMPER.EXEPRL_CC.EXEPRL_TOOLS.EXEPE-SIEVE64.EXEMONETA64.EXEFAKENET.EXEWIRESHARK.EXEVBOXSERVICE.EXEVMWAREUSER.EXEVMTOOLSD.EXEVMWARETRAY.EXEVMSRVC.EXEVBOXTRAY.EXECALLED `OPTION::UNWRAP()` ON A `NONE` VALUEC:\USERS\MAGNU\.CARGO\REGISTRY\SRC\INDEX.CRATES.IO-6F17D22BBA15001F\ANTILYSIS-0.1.2\SRC\LIB.RS

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 7EF41B second address: 7EF425 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 96FE79 second address: 96FE94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 970197 second address: 9701A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9701A1 second address: 9701A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97356B second address: 973585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F18Ch 0x00000009 popad 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973585 second address: 97358B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97358B second address: 9735B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F197h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push edi 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973600 second address: 97368A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FC3513526F9h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 mov cx, 5190h 0x00000016 push B3BFDC6Ch 0x0000001b pushad 0x0000001c jmp 00007FC3513526F4h 0x00000021 push ecx 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 pop ecx 0x00000025 popad 0x00000026 add dword ptr [esp], 4C402414h 0x0000002d and ecx, dword ptr [ebp+122D27D5h] 0x00000033 push 00000003h 0x00000035 jno 00007FC3513526ECh 0x0000003b push 00000000h 0x0000003d jmp 00007FC3513526ECh 0x00000042 push 00000003h 0x00000044 pushad 0x00000045 mov esi, dword ptr [ebp+122D2D31h] 0x0000004b popad 0x0000004c push 8E9412B7h 0x00000051 pushad 0x00000052 push ecx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97386E second address: 973873 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973920 second address: 973925 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 973925 second address: 97398A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2EF1DE6Dh 0x00000010 mov ecx, 4B220AD7h 0x00000015 push 00000003h 0x00000017 mov dx, D290h 0x0000001b push 00000000h 0x0000001d push 00000003h 0x0000001f mov ch, dl 0x00000021 push C0D8C695h 0x00000026 jmp 00007FC35137F194h 0x0000002b xor dword ptr [esp], 00D8C695h 0x00000032 mov ecx, dword ptr [ebp+122D2B6Dh] 0x00000038 movzx esi, dx 0x0000003b lea ebx, dword ptr [ebp+12458475h] 0x00000041 and edi, 701767C8h 0x00000047 xchg eax, ebx 0x00000048 push ebx 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FC35137F18Bh 0x00000050 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 97398A second address: 97398E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 984CB7 second address: 984CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99450C second address: 994516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC3513526E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 994516 second address: 994524 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 994524 second address: 99452A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 962EF0 second address: 962F15 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC35137F18Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC35137F190h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 962F15 second address: 962F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9924A6 second address: 9924AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9924AC second address: 9924BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9927E2 second address: 9927E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9927E6 second address: 99280A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FC3513526EEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 992AC1 second address: 992ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FC35137F186h 0x0000000a popad 0x0000000b jmp 00007FC35137F18Eh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 992ADA second address: 992AED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 992AED second address: 992AF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 992DC4 second address: 992DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC3513526E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FC3513526E6h 0x00000012 js 00007FC3513526E6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 992DDC second address: 992E00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jnl 00007FC35137F186h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FC35137F192h 0x00000012 popad 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 992F81 second address: 992F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 962EFA second address: 962F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC35137F190h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 993203 second address: 993209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 993209 second address: 99320D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 95F856 second address: 95F85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 993683 second address: 9936A1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC35137F199h 0x00000008 jng 00007FC35137F186h 0x0000000e jmp 00007FC35137F18Dh 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 994392 second address: 99439C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC3513526F2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99439C second address: 9943A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 998380 second address: 9983A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jg 00007FC3513526E6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9983A3 second address: 9983AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9983AB second address: 9983BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007FC3513526F8h 0x0000000c jo 00007FC3513526F2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 99BC70 second address: 99BCAB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC35137F190h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FC35137F18Ch 0x00000011 pushad 0x00000012 jmp 00007FC35137F196h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A1032 second address: 9A1038 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A1038 second address: 9A1056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FC35137F188h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC35137F18Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A1056 second address: 9A1064 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC3513526E8h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A0484 second address: 9A048C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A048C second address: 9A0490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A0490 second address: 9A0494 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A075F second address: 9A076A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007FC3513526E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A076A second address: 9A0773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A0773 second address: 9A07AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 jmp 00007FC3513526F9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 js 00007FC3513526E6h 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A07AD second address: 9A07B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A0E9B second address: 9A0EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A41C8 second address: 9A41CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A41CE second address: 9A41E3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC3513526E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A41E3 second address: 9A41E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A41E7 second address: 9A41F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4811 second address: 9A4815 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4815 second address: 9A4819 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4907 second address: 9A490B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4E26 second address: 9A4E2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4EBD second address: 9A4EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4EC2 second address: 9A4EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4EC8 second address: 9A4ECC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A4ECC second address: 9A4EDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b jg 00007FC3513526E6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A615C second address: 9A6162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A73C7 second address: 9A73E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC3513526F9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A6C25 second address: 9A6C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A7FF5 second address: 9A8008 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A9E2C second address: 9A9E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A9E31 second address: 9A9E70 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC3513526F4h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D2323h] 0x00000014 push 00000000h 0x00000016 mov esi, dword ptr [ebp+122D2C5Dh] 0x0000001c push 00000000h 0x0000001e movzx esi, di 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 jno 00007FC3513526ECh 0x0000002a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 955774 second address: 955780 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC35137F186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 955780 second address: 9557A9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FC3513526E6h 0x0000000b pop edx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jng 00007FC351352700h 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC3513526EAh 0x0000001c pushad 0x0000001d popad 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADAE6 second address: 9ADAEC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADAEC second address: 9ADB0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC3513526F4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADB0D second address: 9ADB11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADB11 second address: 9ADB17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AEAD5 second address: 9AEB72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007FC35137F19Ah 0x0000000f jmp 00007FC35137F194h 0x00000014 popad 0x00000015 mov dword ptr [esp], eax 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007FC35137F188h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122D289Ah], edx 0x00000038 push 00000000h 0x0000003a mov edi, ecx 0x0000003c push 00000000h 0x0000003e jbe 00007FC35137F196h 0x00000044 jmp 00007FC35137F190h 0x00000049 xchg eax, esi 0x0000004a push eax 0x0000004b push edi 0x0000004c pushad 0x0000004d popad 0x0000004e pop edi 0x0000004f pop eax 0x00000050 push eax 0x00000051 push edi 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007FC35137F199h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AFA53 second address: 9AFACE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FC3513526E8h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 clc 0x00000026 push eax 0x00000027 jmp 00007FC3513526F0h 0x0000002c pop edi 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push ebp 0x00000032 call 00007FC3513526E8h 0x00000037 pop ebp 0x00000038 mov dword ptr [esp+04h], ebp 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc ebp 0x00000045 push ebp 0x00000046 ret 0x00000047 pop ebp 0x00000048 ret 0x00000049 add edi, dword ptr [ebp+122D2D71h] 0x0000004f push 00000000h 0x00000051 mov ebx, edi 0x00000053 add dword ptr [ebp+122D27D0h], edi 0x00000059 xchg eax, esi 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d jnc 00007FC3513526E6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AFACE second address: 9AFAD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AB178 second address: 9AB17F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AFAD2 second address: 9AFB00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jno 00007FC35137F186h 0x0000000d jmp 00007FC35137F198h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADC85 second address: 9ADC93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AB17F second address: 9AB199 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FC35137F186h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AFB00 second address: 9AFB15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9AB199 second address: 9AB19F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADD34 second address: 9ADD65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3513526F3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9ADD65 second address: 9ADD77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007FC35137F188h 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B1DE0 second address: 9B1E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F7h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e jne 00007FC3513526E6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2394 second address: 9B2415 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor di, 230Bh 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007FC35137F188h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jl 00007FC35137F186h 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007FC35137F188h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000019h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f or ebx, dword ptr [ebp+122D2AD5h] 0x00000055 push edx 0x00000056 mov ebx, dword ptr [ebp+122D39E4h] 0x0000005c pop ebx 0x0000005d xchg eax, esi 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 jmp 00007FC35137F18Dh 0x00000066 pushad 0x00000067 popad 0x00000068 popad 0x00000069 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2415 second address: 9B2451 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526EFh 0x00000008 jmp 00007FC3513526ECh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC3513526F6h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B2451 second address: 9B246B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B4345 second address: 9B434A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B43E5 second address: 9B43E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B534B second address: 9B5350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B4515 second address: 9B458E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ebx, 772D068Bh 0x00000013 push dword ptr fs:[00000000h] 0x0000001a mov bx, si 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 jnc 00007FC35137F18Dh 0x0000002a mov eax, dword ptr [ebp+122D0539h] 0x00000030 mov ebx, 712494A3h 0x00000035 push FFFFFFFFh 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007FC35137F188h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 00000017h 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 movsx edi, cx 0x00000054 mov bx, 578Fh 0x00000058 nop 0x00000059 push eax 0x0000005a jng 00007FC35137F188h 0x00000060 pushad 0x00000061 popad 0x00000062 pop eax 0x00000063 push eax 0x00000064 push edx 0x00000065 push eax 0x00000066 push edx 0x00000067 jnp 00007FC35137F186h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B633D second address: 9B63A4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnc 00007FC3513526EEh 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007FC3513526E8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a add dword ptr [ebp+122D18D8h], edi 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1BB7h], edi 0x00000038 push 00000000h 0x0000003a or edi, 5246F0E6h 0x00000040 xchg eax, esi 0x00000041 pushad 0x00000042 jns 00007FC3513526F5h 0x00000048 push eax 0x00000049 push edx 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B63A4 second address: 9B63A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B552C second address: 9B553F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007FC3513526E6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B553F second address: 9B5543 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B5543 second address: 9B5549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B5549 second address: 9B554F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B554F second address: 9B5553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B5553 second address: 9B5617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c cmc 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FC35137F188h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 0000001Ah 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e call 00007FC35137F191h 0x00000033 mov edi, dword ptr [ebp+122D2C49h] 0x00000039 pop ebx 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 jno 00007FC35137F191h 0x00000047 mov eax, dword ptr [ebp+122D0B69h] 0x0000004d sub dword ptr [ebp+1247C85Bh], ecx 0x00000053 push edi 0x00000054 mov bx, di 0x00000057 pop edi 0x00000058 push FFFFFFFFh 0x0000005a push 00000000h 0x0000005c push ecx 0x0000005d call 00007FC35137F188h 0x00000062 pop ecx 0x00000063 mov dword ptr [esp+04h], ecx 0x00000067 add dword ptr [esp+04h], 00000017h 0x0000006f inc ecx 0x00000070 push ecx 0x00000071 ret 0x00000072 pop ecx 0x00000073 ret 0x00000074 movsx ebx, ax 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push esi 0x0000007b jmp 00007FC35137F193h 0x00000080 pop esi 0x00000081 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B84F3 second address: 9B84F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BA581 second address: 9BA585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B7639 second address: 9B7643 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC3513526E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B7643 second address: 9B7647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B7647 second address: 9B7659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FC3513526E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BB3D9 second address: 9BB3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jl 00007FC35137F18Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9B97A9 second address: 9B97B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC3513526E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BC4AF second address: 9BC4B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BC4B6 second address: 9BC503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 mov edi, 60131316h 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FC3513526E8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 push ecx 0x0000002a mov di, cx 0x0000002d pop ebx 0x0000002e add edi, 41BE1FE6h 0x00000034 push 00000000h 0x00000036 mov edi, 68E4EC34h 0x0000003b xchg eax, esi 0x0000003c jmp 00007FC3513526EAh 0x00000041 push eax 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BC503 second address: 9BC509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BE2F2 second address: 9BE2F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BE2F7 second address: 9BE2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BE2FD second address: 9BE319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FC3513526F2h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD4F8 second address: 9BD512 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F196h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9BD512 second address: 9BD5BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, 1F95h 0x00000012 push dword ptr fs:[00000000h] 0x00000019 mov edi, esi 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 mov dword ptr [ebp+122D28E8h], ecx 0x00000028 mov eax, dword ptr [ebp+122D1621h] 0x0000002e push 00000000h 0x00000030 push ecx 0x00000031 call 00007FC3513526E8h 0x00000036 pop ecx 0x00000037 mov dword ptr [esp+04h], ecx 0x0000003b add dword ptr [esp+04h], 0000001Dh 0x00000043 inc ecx 0x00000044 push ecx 0x00000045 ret 0x00000046 pop ecx 0x00000047 ret 0x00000048 push FFFFFFFFh 0x0000004a mov di, 5000h 0x0000004e nop 0x0000004f pushad 0x00000050 pushad 0x00000051 jmp 00007FC3513526F7h 0x00000056 push esi 0x00000057 pop esi 0x00000058 popad 0x00000059 jmp 00007FC3513526F3h 0x0000005e popad 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push ebx 0x00000063 jmp 00007FC3513526F2h 0x00000068 pop ebx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 967EE6 second address: 967EF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C62D2 second address: 9C62D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C62D7 second address: 9C62DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9C6548 second address: 9C654E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD6E4 second address: 9CD6FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD80E second address: 9CD812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD812 second address: 9CD845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007FC35137F192h 0x00000010 jnc 00007FC35137F18Ch 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FC35137F193h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD845 second address: 9CD854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD965 second address: 9CD973 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD973 second address: 9CD977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD977 second address: 9CD999 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F192h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jnl 00007FC35137F186h 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD999 second address: 9CD9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526F7h 0x00000008 jmp 00007FC3513526F1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 pushad 0x00000015 je 00007FC3513526E8h 0x0000001b push edx 0x0000001c pop edx 0x0000001d push edi 0x0000001e jmp 00007FC3513526F1h 0x00000023 pop edi 0x00000024 popad 0x00000025 mov eax, dword ptr [eax] 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jmp 00007FC3513526EEh 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CD9FD second address: 9CDA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9CDA02 second address: 9CDA14 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D61D9 second address: 9D61DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D4EED second address: 9D4EF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D54BF second address: 9D54C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D54C5 second address: 9D54D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FC3513526ECh 0x0000000c jng 00007FC3513526E6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D54D7 second address: 9D54DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D54DD second address: 9D54E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5641 second address: 9D564D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC35137F186h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D590D second address: 9D5911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5911 second address: 9D5917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5917 second address: 9D591D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5A6D second address: 9D5A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5A71 second address: 9D5A75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5A75 second address: 9D5A81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5A81 second address: 9D5A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5A85 second address: 9D5A89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5D42 second address: 9D5D46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5D46 second address: 9D5D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5D4C second address: 9D5D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC3513526ECh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5D61 second address: 9D5D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F197h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 jnc 00007FC35137F186h 0x00000016 pop edi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D5D8A second address: 9D5D8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9D6064 second address: 9D608E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FC35137F186h 0x00000009 jmp 00007FC35137F192h 0x0000000e pop edi 0x0000000f jne 00007FC35137F192h 0x00000015 jnp 00007FC35137F186h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DF48D second address: 9DF49F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DDED4 second address: 9DDED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DE024 second address: 9DE02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DE186 second address: 9DE18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DE733 second address: 9DE739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DE8B0 second address: 9DE8F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC35137F186h 0x0000000a jl 00007FC35137F186h 0x00000010 popad 0x00000011 jmp 00007FC35137F191h 0x00000016 jnp 00007FC35137F188h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pushad 0x0000001f jmp 00007FC35137F192h 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEBCF second address: 9DEBE1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEDC4 second address: 9DEDCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEEFA second address: 9DEF00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEF00 second address: 9DEF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEF0A second address: 9DEF12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEF12 second address: 9DEF18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DEF18 second address: 9DEF2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007FC3513526ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 987CDB second address: 987D0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC35137F199h 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 987D0C second address: 987D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 987D12 second address: 987D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 987D16 second address: 987D23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 987D23 second address: 987D3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jbe 00007FC35137F188h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 js 00007FC35137F186h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DDB8D second address: 9DDB92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DDB92 second address: 9DDBA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FC35137F186h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DDBA2 second address: 9DDBB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9DDBB0 second address: 9DDBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E5F20 second address: 9E5F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E5F26 second address: 9E5F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E5F2A second address: 9E5F34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FC3513526E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4D25 second address: 9E4D44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FC35137F190h 0x0000000b popad 0x0000000c jo 00007FC35137F192h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4D44 second address: 9E4D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4E94 second address: 9E4E9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4E9E second address: 9E4EAE instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3513526E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4EAE second address: 9E4EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4EB2 second address: 9E4EB8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4FE7 second address: 9E4FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E4FED second address: 9E4FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E571A second address: 9E572D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F18Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E5863 second address: 9E586B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B34 second address: 9A2B38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B38 second address: 9A2B3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B3C second address: 9A2B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B42 second address: 9A2B48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A2B48 second address: 9A2B5E instructions: 0x00000000 rdtsc 0x00000002 ja 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jc 00007FC35137F18Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A315F second address: 9A31B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FC3513526F4h 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push ebx 0x00000015 jmp 00007FC3513526F8h 0x0000001a pop ebx 0x0000001b mov eax, dword ptr [eax] 0x0000001d push edi 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A31B3 second address: 9A31D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FC35137F195h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A31D8 second address: 9A31DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A31DF second address: 9A3254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FC35137F188h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov edi, 60D96B26h 0x00000027 call 00007FC35137F199h 0x0000002c add dword ptr [ebp+122D17D4h], eax 0x00000032 pop ecx 0x00000033 push CA6D4DAAh 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b jmp 00007FC35137F18Dh 0x00000040 jmp 00007FC35137F18Fh 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A33D2 second address: 9A33D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A33D6 second address: 9A33EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F192h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A33EC second address: 9A3419 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a jg 00007FC3513526F9h 0x00000010 pop ecx 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A35F4 second address: 9A366A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FC35137F188h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 00000015h 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 stc 0x00000026 push 00000004h 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007FC35137F188h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 0000001Bh 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 mov ecx, dword ptr [ebp+122D1BE6h] 0x00000048 sub cx, 430Ch 0x0000004d nop 0x0000004e jmp 00007FC35137F196h 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push eax 0x00000058 push edx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A366A second address: 9A366E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A366E second address: 9A3681 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A3681 second address: 9A3685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A39ED second address: 9A39F3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A39F3 second address: 9A39F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A39F9 second address: 9A39FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E9E88 second address: 9E9E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E9E8C second address: 9E9EE5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC35137F186h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jbe 00007FC35137F188h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 pushad 0x00000016 jmp 00007FC35137F195h 0x0000001b jmp 00007FC35137F193h 0x00000020 jmp 00007FC35137F198h 0x00000025 push ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9E9EE5 second address: 9E9EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EA1E6 second address: 9EA1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EA34E second address: 9EA357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EA357 second address: 9EA35D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EFB45 second address: 9EFB67 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC3513526F6h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9EFB67 second address: 9EFB6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9612AD second address: 9612B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9612B6 second address: 9612BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9F2CE7 second address: 9F2D16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526EBh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b je 00007FC3513526F2h 0x00000011 jne 00007FC3513526E6h 0x00000017 jo 00007FC3513526E6h 0x0000001d pop edx 0x0000001e pop eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jp 00007FC3513526E8h 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9F2D16 second address: 9F2D31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F18Ch 0x00000009 jmp 00007FC35137F18Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9F2893 second address: 9F28A7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC3513526E6h 0x00000008 jmp 00007FC3513526EAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9F28A7 second address: 9F28B4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007FC35137F186h 0x00000009 pop esi 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9F8CF9 second address: 9F8D0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9F92E6 second address: 9F92EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FE125 second address: 9FE157 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007FC3513526F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FE157 second address: 9FE17B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC35137F199h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FE17B second address: 9FE181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD64C second address: 9FD652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD652 second address: 9FD656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD656 second address: 9FD65A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD65A second address: 9FD667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD667 second address: 9FD670 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD670 second address: 9FD674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FD674 second address: 9FD678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FDC0F second address: 9FDC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9FDC13 second address: 9FDC27 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC35137F186h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FC35137F18Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A03EB4 second address: A03EBA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A03EBA second address: A03EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A03EC4 second address: A03EC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A02A2F second address: A02A35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A02E6E second address: A02E72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 9A3896 second address: 9A38B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F196h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0329F second address: A032A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A03BDD second address: A03BE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A03BE1 second address: A03BEA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A09EFA second address: A09F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A09F00 second address: A09F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0A209 second address: A0A223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FC35137F18Dh 0x0000000a jnc 00007FC35137F186h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0A4DD second address: A0A4E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0A765 second address: A0A76A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0AA61 second address: A0AA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3513526F2h 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0ACE6 second address: A0ACED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0ACED second address: A0ACF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC3513526E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 958C38 second address: 958C60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F193h 0x00000009 jo 00007FC35137F186h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007FC35137F186h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 958C60 second address: 958C64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0F767 second address: A0F76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0F76D second address: A0F771 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0F771 second address: A0F777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0F8E9 second address: A0F905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526ECh 0x00000007 jns 00007FC3513526F2h 0x0000000d jg 00007FC3513526E6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0FB8D second address: A0FB92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0FB92 second address: A0FB9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007FC3513526E6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0FE27 second address: A0FE2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A0FE2D second address: A0FE36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A10132 second address: A1013C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1013C second address: A10147 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A10147 second address: A10154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC35137F186h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A10154 second address: A1015C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1015C second address: A10160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1D167 second address: A1D16D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1D16D second address: A1D179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FC35137F186h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1D179 second address: A1D17D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1BAFD second address: A1BB15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC35137F18Eh 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1BB15 second address: A1BB22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007FC3513526ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A1AF58 second address: A1AF81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FC35137F198h 0x0000000f jc 00007FC35137F186h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A260D9 second address: A260F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A260F4 second address: A260F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A260F8 second address: A260FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A25AC9 second address: A25ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC35137F186h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pop edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A25ADA second address: A25B0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a ja 00007FC3513526E8h 0x00000010 push ecx 0x00000011 jbe 00007FC3513526E6h 0x00000017 pushad 0x00000018 popad 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c jc 00007FC3513526E6h 0x00000022 push edx 0x00000023 pop edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A25B0D second address: A25B11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A25C30 second address: A25C54 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FC3513526E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007FC3513526EAh 0x00000013 push esi 0x00000014 pop esi 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FC3513526EDh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A25E39 second address: A25E3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A25E3F second address: A25E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D4A9 second address: A3D4B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D4B3 second address: A3D4B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D4B7 second address: A3D4C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D4C1 second address: A3D517 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F2h 0x00000007 jmp 00007FC3513526F5h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jns 00007FC3513526E8h 0x00000014 pushad 0x00000015 popad 0x00000016 jp 00007FC3513526ECh 0x0000001c popad 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 jmp 00007FC3513526F1h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D672 second address: A3D6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007FC35137F186h 0x0000000c popad 0x0000000d jne 00007FC35137F192h 0x00000013 jmp 00007FC35137F18Ch 0x00000018 pushad 0x00000019 jmp 00007FC35137F18Fh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D6A3 second address: A3D6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A3D6A9 second address: A3D6B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jg 00007FC35137F186h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A424FE second address: A42504 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A42504 second address: A4250A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A4250A second address: A42510 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A42510 second address: A4251A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A4251A second address: A4251E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A4251E second address: A42524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A43B27 second address: A43B2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A43B2D second address: A43B33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A43B33 second address: A43B3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5560A second address: A55610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A5534B second address: A55354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A55354 second address: A5535E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC35137F186h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A58F2E second address: A58F50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F8h 0x00000009 jno 00007FC3513526E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A58C3A second address: A58C5B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 ja 00007FC35137F1AFh 0x0000000d jmp 00007FC35137F190h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A67B73 second address: A67B77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A67B77 second address: A67B9D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FC35137F18Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jmp 00007FC35137F18Fh 0x00000011 pushad 0x00000012 popad 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A67B9D second address: A67BB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A67BB0 second address: A67BB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A67A07 second address: A67A0D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6B6D9 second address: A6B6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jnp 00007FC35137F186h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6B6E6 second address: A6B6EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6B6EC second address: A6B6FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC35137F18Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6D047 second address: A6D04E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6D04E second address: A6D05A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6CF06 second address: A6CF0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6CF0A second address: A6CF0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A65779 second address: A6577F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6577F second address: A6579D instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC35137F186h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FC35137F18Bh 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A6579D second address: A657A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A657A2 second address: A657AC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC35137F192h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A657AC second address: A657B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A7A171 second address: A7A177 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A7A177 second address: A7A17B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A962B8 second address: A962BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96594 second address: A965A4 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC3513526E6h 0x00000008 jnl 00007FC3513526E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A965A4 second address: A965B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Dh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A965B6 second address: A965EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC3513526EFh 0x00000009 push edi 0x0000000a pop edi 0x0000000b jne 00007FC3513526E6h 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FC3513526F2h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A965EC second address: A965F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A965F2 second address: A965F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A965F6 second address: A965FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A965FA second address: A96600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96600 second address: A96606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96606 second address: A96610 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC3513526ECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96A0B second address: A96A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96A11 second address: A96A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96A16 second address: A96A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96A1C second address: A96A20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96D04 second address: A96D1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F195h 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A96D1E second address: A96D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9A1A6 second address: A9A1E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F196h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push esi 0x0000000c jmp 00007FC35137F190h 0x00000011 pop esi 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FC35137F18Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9A1E7 second address: A9A1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9A1ED second address: A9A1F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9CF4A second address: A9CF52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9F080 second address: A9F08A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC35137F18Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9F08A second address: A9F0A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 popad 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3513526EAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: A9F0A2 second address: A9F0B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F191h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F0013C second address: 4F00142 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00142 second address: 4F00146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00146 second address: 4F0014A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F0014A second address: 4F001A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FC35137F18Fh 0x00000010 adc al, FFFFFFAEh 0x00000013 jmp 00007FC35137F199h 0x00000018 popfd 0x00000019 mov esi, 15016337h 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FC35137F199h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F001A4 second address: 4F001E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bh 0x00000005 pushfd 0x00000006 jmp 00007FC3513526F8h 0x0000000b adc al, FFFFFFB8h 0x0000000e jmp 00007FC3513526EBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b jmp 00007FC3513526EBh 0x00000020 mov dx, ax 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0E88 second address: 4EE0EA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, ch 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FC35137F18Ch 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0EA3 second address: 4EE0EA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0EA7 second address: 4EE0EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0EAD second address: 4EE0EBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0EBE second address: 4EE0EC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0EC2 second address: 4EE0EE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c movsx ebx, ax 0x0000000f mov ebx, eax 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FC3513526EDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F3000E second address: 4F3003A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edi, eax 0x0000000d mov di, ax 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov esi, 7BD47A9Dh 0x0000001a mov eax, 4E032399h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F3003A second address: 4F30050 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F30050 second address: 4F30054 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F30054 second address: 4F3009C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FC3513526F7h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movsx edx, ax 0x00000016 pushfd 0x00000017 jmp 00007FC3513526ECh 0x0000001c and ecx, 105714B8h 0x00000022 jmp 00007FC3513526EBh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC00EC second address: 4EC00F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC00F0 second address: 4EC00F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC00F6 second address: 4EC00FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC00FC second address: 4EC0100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0100 second address: 4EC0114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx edi, si 0x00000011 mov al, BFh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0114 second address: 4EC011A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC011A second address: 4EC011E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC011E second address: 4EC0136 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d call 00007FC3513526EAh 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0136 second address: 4EC015C instructions: 0x00000000 rdtsc 0x00000002 movsx edx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ax, 3463h 0x0000000b popad 0x0000000c push dword ptr [ebp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC35137F195h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC015C second address: 4EC017A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC017A second address: 4EC017E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC017E second address: 4EC0182 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0182 second address: 4EC0188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC020A second address: 4EC0219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0B85 second address: 4EE0BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC35137F194h 0x0000000a jmp 00007FC35137F195h 0x0000000f popfd 0x00000010 popad 0x00000011 popad 0x00000012 push ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov si, bx 0x00000019 pushfd 0x0000001a jmp 00007FC35137F18Bh 0x0000001f sbb eax, 0F0A105Eh 0x00000025 jmp 00007FC35137F199h 0x0000002a popfd 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0730 second address: 4EE0734 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0734 second address: 4EE073A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE073A second address: 4EE07AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526F8h 0x00000008 pushfd 0x00000009 jmp 00007FC3513526F2h 0x0000000e add ah, 00000078h 0x00000011 jmp 00007FC3513526EBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov bl, 2Dh 0x0000001e pushfd 0x0000001f jmp 00007FC3513526F0h 0x00000024 jmp 00007FC3513526F5h 0x00000029 popfd 0x0000002a popad 0x0000002b xchg eax, ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE07AD second address: 4EE07B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE07B1 second address: 4EE07B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE07B7 second address: 4EE07BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE07BD second address: 4EE07C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE07C1 second address: 4EE0808 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FC35137F190h 0x00000012 pop ebp 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushfd 0x00000017 jmp 00007FC35137F18Ch 0x0000001c or eax, 3CCA55C8h 0x00000022 jmp 00007FC35137F18Bh 0x00000027 popfd 0x00000028 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0647 second address: 4EE065B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE065B second address: 4EE065F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE065F second address: 4EE0685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FC3513526ECh 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FC3513526EAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0685 second address: 4EE0689 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0689 second address: 4EE068F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE068F second address: 4EE0695 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0695 second address: 4EE06BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FC3513526F4h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE06BA second address: 4EE06BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE06BE second address: 4EE06C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0412 second address: 4EE0458 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 62F2356Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FC35137F190h 0x00000010 xchg eax, ebp 0x00000011 jmp 00007FC35137F190h 0x00000016 mov ebp, esp 0x00000018 jmp 00007FC35137F190h 0x0000001d pop ebp 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov ax, 72D3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EF01ED second address: 4EF01F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EF01F1 second address: 4EF020E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F004FC second address: 4F00585 instructions: 0x00000000 rdtsc 0x00000002 mov edx, 30DC8F50h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FC3513526F9h 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov ecx, edx 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007FC3513526EBh 0x0000001d and si, 6C5Eh 0x00000022 jmp 00007FC3513526F9h 0x00000027 popfd 0x00000028 jmp 00007FC3513526F0h 0x0000002d popad 0x0000002e mov eax, dword ptr [ebp+08h] 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 mov eax, ebx 0x00000036 jmp 00007FC3513526F9h 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00585 second address: 4F0058B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F0058B second address: 4F005B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and dword ptr [eax], 00000000h 0x0000000e pushad 0x0000000f mov al, 00h 0x00000011 popad 0x00000012 and dword ptr [eax+04h], 00000000h 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F005B5 second address: 4F005B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F005B9 second address: 4F005CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F005CD second address: 4F005DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F18Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F005DF second address: 4F005F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC3513526EAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F005F4 second address: 4F005FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F005FA second address: 4F005FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0600 second address: 4EE0606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EE0606 second address: 4EE060A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F0000D second address: 4F00013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00013 second address: 4F00017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00312 second address: 4F00365 instructions: 0x00000000 rdtsc 0x00000002 call 00007FC35137F192h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FC35137F193h 0x00000015 xor si, CBDEh 0x0000001a jmp 00007FC35137F199h 0x0000001f popfd 0x00000020 mov di, si 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00365 second address: 4F00397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FC3513526EEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC3513526EAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F00397 second address: 4F0039B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F0039B second address: 4F003A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F003A1 second address: 4F003B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC35137F18Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205C3 second address: 4F205C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205C8 second address: 4F205CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205CE second address: 4F205D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205D2 second address: 4F205D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205D6 second address: 4F205E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205E7 second address: 4F205EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205EB second address: 4F205F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F205F1 second address: 4F206AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 pushfd 0x00000007 jmp 00007FC35137F195h 0x0000000c sub ecx, 1B426C96h 0x00000012 jmp 00007FC35137F191h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e jmp 00007FC35137F193h 0x00000023 popad 0x00000024 xchg eax, ecx 0x00000025 pushad 0x00000026 mov edi, eax 0x00000028 popad 0x00000029 push eax 0x0000002a jmp 00007FC35137F18Dh 0x0000002f xchg eax, ecx 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007FC35137F18Ch 0x00000037 adc esi, 11321648h 0x0000003d jmp 00007FC35137F18Bh 0x00000042 popfd 0x00000043 pushfd 0x00000044 jmp 00007FC35137F198h 0x00000049 adc al, FFFFFFA8h 0x0000004c jmp 00007FC35137F18Bh 0x00000051 popfd 0x00000052 popad 0x00000053 mov eax, dword ptr [778165FCh] 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b mov edx, 7E919216h 0x00000060 mov esi, edx 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F206AC second address: 4F206B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F206B2 second address: 4F206B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F206B6 second address: 4F206FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test eax, eax 0x0000000a jmp 00007FC3513526EEh 0x0000000f je 00007FC3C3BC597Eh 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FC3513526EEh 0x0000001c add ax, ED68h 0x00000021 jmp 00007FC3513526EBh 0x00000026 popfd 0x00000027 mov ch, 37h 0x00000029 popad 0x0000002a mov ecx, eax 0x0000002c pushad 0x0000002d push eax 0x0000002e push edx 0x0000002f push edi 0x00000030 pop eax 0x00000031 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F206FF second address: 4F20748 instructions: 0x00000000 rdtsc 0x00000002 mov ax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov edi, 4F5611BAh 0x0000000c popad 0x0000000d xor eax, dword ptr [ebp+08h] 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FC35137F193h 0x00000019 adc cx, 860Eh 0x0000001e jmp 00007FC35137F199h 0x00000023 popfd 0x00000024 push eax 0x00000025 pop edi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F20748 second address: 4F2077A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007FC3513526EEh 0x00000011 ror eax, cl 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC3513526EAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F2077A second address: 4F2077E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F2077E second address: 4F20784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F20784 second address: 4F2078A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F2078A second address: 4F2078E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F2078E second address: 4F207C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 jmp 00007FC35137F194h 0x0000000e retn 0004h 0x00000011 nop 0x00000012 mov esi, eax 0x00000014 lea eax, dword ptr [ebp-08h] 0x00000017 xor esi, dword ptr [007E2014h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push eax 0x00000020 lea eax, dword ptr [ebp-10h] 0x00000023 push eax 0x00000024 call 00007FC355AFF964h 0x00000029 push FFFFFFFEh 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FC35137F197h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F207C9 second address: 4F20862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FC3513526ECh 0x00000011 sbb si, 9E08h 0x00000016 jmp 00007FC3513526EBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FC3513526F8h 0x00000022 adc cl, 00000068h 0x00000025 jmp 00007FC3513526EBh 0x0000002a popfd 0x0000002b popad 0x0000002c ret 0x0000002d nop 0x0000002e push eax 0x0000002f call 00007FC355AD2F3Fh 0x00000034 mov edi, edi 0x00000036 jmp 00007FC3513526F6h 0x0000003b xchg eax, ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FC3513526F7h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F20862 second address: 4F2086A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4F2086A second address: 4F2091A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FC3513526EDh 0x0000000f jmp 00007FC3513526EBh 0x00000014 popfd 0x00000015 mov ah, 99h 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a call 00007FC3513526F1h 0x0000001f call 00007FC3513526F0h 0x00000024 pop ecx 0x00000025 pop edi 0x00000026 pushfd 0x00000027 jmp 00007FC3513526F0h 0x0000002c jmp 00007FC3513526F5h 0x00000031 popfd 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 jmp 00007FC3513526EEh 0x0000003a pop ebp 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e mov ecx, ebx 0x00000040 pushfd 0x00000041 jmp 00007FC3513526F9h 0x00000046 jmp 00007FC3513526EBh 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED001F second address: 4ED0025 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0025 second address: 4ED0058 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC3513526F5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0058 second address: 4ED0075 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0075 second address: 4ED0079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0079 second address: 4ED007F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED007F second address: 4ED0094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 6017h 0x00000007 mov al, E6h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and esp, FFFFFFF8h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0094 second address: 4ED00A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED00A4 second address: 4ED00E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushfd 0x0000000e jmp 00007FC3513526F2h 0x00000013 jmp 00007FC3513526F5h 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED00E0 second address: 4ED0137 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FC35137F190h 0x00000008 xor cl, 00000078h 0x0000000b jmp 00007FC35137F18Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FC35137F198h 0x00000019 add eax, 11007BD8h 0x0000001f jmp 00007FC35137F18Bh 0x00000024 popfd 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0137 second address: 4ED013B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED013B second address: 4ED0141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0141 second address: 4ED0154 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 62B7CE9Eh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx edi, ax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0154 second address: 4ED015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED015A second address: 4ED015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED015E second address: 4ED0178 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC35137F18Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0178 second address: 4ED019C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3513526F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED019C second address: 4ED01AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED01AB second address: 4ED01E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov ebx, esi 0x0000000d mov ecx, 3FB294FFh 0x00000012 popad 0x00000013 mov ebx, dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FC3513526F1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED01E8 second address: 4ED023A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FC35137F18Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007FC35137F191h 0x00000016 call 00007FC35137F190h 0x0000001b mov ch, 36h 0x0000001d pop edx 0x0000001e popad 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED023A second address: 4ED0240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0240 second address: 4ED028E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B533h 0x00000007 pushfd 0x00000008 jmp 00007FC35137F198h 0x0000000d adc ax, D938h 0x00000012 jmp 00007FC35137F18Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov esi, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f mov esi, 67C1478Bh 0x00000024 push eax 0x00000025 push edx 0x00000026 call 00007FC35137F18Eh 0x0000002b pop ecx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED028E second address: 4ED02DC instructions: 0x00000000 rdtsc 0x00000002 mov bh, CFh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 jmp 00007FC3513526EAh 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FC3513526F7h 0x00000017 add ecx, 5F25F10Eh 0x0000001d jmp 00007FC3513526F9h 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED02DC second address: 4ED035E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bl, F2h 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 jmp 00007FC35137F196h 0x0000000d test esi, esi 0x0000000f jmp 00007FC35137F190h 0x00000014 je 00007FC3C3C3D48Fh 0x0000001a jmp 00007FC35137F190h 0x0000001f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000026 pushad 0x00000027 mov eax, 795F45ADh 0x0000002c call 00007FC35137F18Ah 0x00000031 mov dh, cl 0x00000033 pop ebx 0x00000034 popad 0x00000035 je 00007FC3C3C3D474h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FC35137F199h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED035E second address: 4ED0385 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC3513526EDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0385 second address: 4ED03D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F191h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007FC35137F18Eh 0x00000011 test edx, 61000000h 0x00000017 pushad 0x00000018 mov eax, 007936BDh 0x0000001d mov eax, 7F0781B9h 0x00000022 popad 0x00000023 jne 00007FC3C3C3D451h 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FC35137F18Bh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED03D0 second address: 4ED03F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526EFh 0x00000008 mov ah, 2Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test byte ptr [esi+48h], 00000001h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED03F1 second address: 4ED040D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F198h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED040D second address: 4ED042F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC3513526ECh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FC3C3C10968h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov dx, 72A0h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED042F second address: 4ED044F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 call 00007FC35137F18Eh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test bl, 00000007h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED044F second address: 4ED0453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0453 second address: 4ED0457 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4ED0457 second address: 4ED045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0778 second address: 4EC077D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC077D second address: 4EC0783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0783 second address: 4EC07E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esp 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FC35137F18Ch 0x0000000f or ch, 00000008h 0x00000012 jmp 00007FC35137F18Bh 0x00000017 popfd 0x00000018 mov si, 827Fh 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FC35137F190h 0x00000027 add cx, 0E68h 0x0000002c jmp 00007FC35137F18Bh 0x00000031 popfd 0x00000032 mov eax, 6AF42C5Fh 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC07E1 second address: 4EC07E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC07E7 second address: 4EC0823 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FC35137F18Bh 0x00000009 adc ax, 325Eh 0x0000000e jmp 00007FC35137F199h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 and esp, FFFFFFF8h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edx 0x0000001e pop eax 0x0000001f push edx 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0823 second address: 4EC0907 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 39EDh 0x00000007 mov edi, eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d pushad 0x0000000e mov ax, 4B21h 0x00000012 pushfd 0x00000013 jmp 00007FC3513526EEh 0x00000018 xor eax, 70BD70B8h 0x0000001e jmp 00007FC3513526EBh 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007FC3513526F9h 0x0000002b xchg eax, ebx 0x0000002c jmp 00007FC3513526EEh 0x00000031 xchg eax, esi 0x00000032 jmp 00007FC3513526F0h 0x00000037 push eax 0x00000038 pushad 0x00000039 call 00007FC3513526F1h 0x0000003e pushfd 0x0000003f jmp 00007FC3513526F0h 0x00000044 add ch, FFFFFFD8h 0x00000047 jmp 00007FC3513526EBh 0x0000004c popfd 0x0000004d pop eax 0x0000004e mov ebx, 44F86D1Ch 0x00000053 popad 0x00000054 xchg eax, esi 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 pushfd 0x00000059 jmp 00007FC3513526F7h 0x0000005e xor esi, 485E6F4Eh 0x00000064 jmp 00007FC3513526F9h 0x00000069 popfd 0x0000006a rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0907 second address: 4EC094C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov bh, ah 0x00000008 popad 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov dx, E5BAh 0x00000011 pushfd 0x00000012 jmp 00007FC35137F18Bh 0x00000017 or ax, 9D5Eh 0x0000001c jmp 00007FC35137F199h 0x00000021 popfd 0x00000022 popad 0x00000023 sub ebx, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC094C second address: 4EC0950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0950 second address: 4EC0954 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0954 second address: 4EC095A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC095A second address: 4EC095F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC095F second address: 4EC09F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FC3513526F7h 0x0000000a add cl, 0000001Eh 0x0000000d jmp 00007FC3513526F9h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 test esi, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FC3513526F3h 0x00000021 sub eax, 11F2822Eh 0x00000027 jmp 00007FC3513526F9h 0x0000002c popfd 0x0000002d pushfd 0x0000002e jmp 00007FC3513526F0h 0x00000033 adc ch, FFFFFFA8h 0x00000036 jmp 00007FC3513526EBh 0x0000003b popfd 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC09F5 second address: 4EC0A7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F199h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FC3C3C44B02h 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FC35137F18Ch 0x00000016 adc cx, 8D38h 0x0000001b jmp 00007FC35137F18Bh 0x00000020 popfd 0x00000021 popad 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007FC35137F18Eh 0x00000032 xor eax, 7D880798h 0x00000038 jmp 00007FC35137F18Bh 0x0000003d popfd 0x0000003e call 00007FC35137F198h 0x00000043 pop esi 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0A7D second address: 4EC0A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC3513526F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0A99 second address: 4EC0A9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0A9D second address: 4EC0AA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0AA1 second address: 4EC0AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0AA7 second address: 4EC0AB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC3513526EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0AB6 second address: 4EC0ABA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0ABA second address: 4EC0AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FC3C3C17FC7h 0x0000000e jmp 00007FC3513526F5h 0x00000013 test byte ptr [77816968h], 00000002h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov dh, AFh 0x0000001f mov dl, ah 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0AEC second address: 4EC0B16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FC3C3C44A47h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC35137F197h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B16 second address: 4EC0B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B1A second address: 4EC0B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B20 second address: 4EC0B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B26 second address: 4EC0B4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC35137F199h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B4C second address: 4EC0B52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B52 second address: 4EC0B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B56 second address: 4EC0B5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0B5A second address: 4EC0BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FC35137F192h 0x0000000f popad 0x00000010 mov dword ptr [esp], ebx 0x00000013 pushad 0x00000014 mov esi, edi 0x00000016 mov si, bx 0x00000019 popad 0x0000001a push ebx 0x0000001b pushad 0x0000001c jmp 00007FC35137F18Eh 0x00000021 popad 0x00000022 mov dword ptr [esp], ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 mov edi, esi 0x0000002a mov ecx, 6C7B2A6Bh 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0BA0 second address: 4EC0BDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov esi, 5084F33Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push dword ptr [ebp+14h] 0x00000011 jmp 00007FC3513526F2h 0x00000016 push dword ptr [ebp+10h] 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FC3513526F7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0BDF second address: 4EC0BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0BE5 second address: 4EC0BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0C05 second address: 4EC0C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0C09 second address: 4EC0C0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0C0F second address: 4EC0C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC35137F18Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a jmp 00007FC35137F190h 0x0000000f pop ebx 0x00000010 jmp 00007FC35137F190h 0x00000015 mov esp, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\setup.exe	RDTSC instruction interceptor: First address: 4EC0C47 second address: 4EC0C4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: 99A9CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\setup.exe	Special instruction interceptor: First address: A28DCE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Special instruction interceptor: First address: F6A9CF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Special instruction interceptor: First address: FF8DCE instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory allocated: 3220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory allocated: 5220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1520000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2F70000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Memory allocated: 8D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Memory allocated: 2590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Memory allocated: 4590000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Memory allocated: 1450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Memory allocated: 3120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Memory allocated: 2F20000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_04F40C63 rdtsc

1_2_04F40C63

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window / User API: threadDelayed 745	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window / User API: threadDelayed 718	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window / User API: threadDelayed 783	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window / User API: threadDelayed 843	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window / User API: threadDelayed 789	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Window / User API: threadDelayed 3452	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Window / User API: threadDelayed 9620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6490
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Window / User API: threadDelayed 9999
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Window / User API: threadDelayed 2175
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4949
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 743
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 734
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 701

Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe	Dropped PE file which has not been started: C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\786A.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll	Jump to dropped file
Source: C:\ProgramData\34vgn892c.exe	Dropped PE file which has not been started: C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe

API coverage: 3.2 %

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7564	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7564	Thread sleep time: -82041s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7548	Thread sleep count: 745 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7548	Thread sleep time: -1490745s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7524	Thread sleep count: 269 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7524	Thread sleep time: -8070000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7540	Thread sleep count: 718 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7540	Thread sleep time: -1436718s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7648	Thread sleep time: -720000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7556	Thread sleep count: 783 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7556	Thread sleep time: -1566783s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544	Thread sleep count: 843 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544	Thread sleep time: -1686843s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7552	Thread sleep count: 789 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7552	Thread sleep time: -1578789s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544	Thread sleep count: 3452 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe TID: 7544	Thread sleep time: -6907452s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe TID: 8048	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe TID: 8188	Thread sleep count: 9620 > 30
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe TID: 8188	Thread sleep time: -288600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe TID: 6696	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2860	Thread sleep time: -26747778906878833s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe TID: 4016	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe TID: 2864	Thread sleep time: -59994000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 3260	Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe TID: 5664	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe TID: 2168	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5576	Thread sleep time: -494900s >= -30000s
Source: C:\Windows\explorer.exe TID: 4580	Thread sleep time: -74300s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe TID: 2348	Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\34vgn892c.exe TID: 4512	Thread sleep time: -30000s >= -30000s
Source: C:\ProgramData\34vgn892c.exe TID: 4512	Thread sleep time: -1380000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\50EC.exe TID: 7508	Thread sleep time: -30000s >= -30000s

Source: C:\ProgramData\34vgn892c.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\ProgramData\34vgn892c.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Last function: Thread delayed
Source: C:\ProgramData\34vgn892c.exe	Last function: Thread delayed
Source: C:\ProgramData\34vgn892c.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\setup.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB10008 FindFirstFileExW,		15_2_6CB10008
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0006DAAD FindFirstFileExW,		18_2_0006DAAD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 17_2_00975DA0 GetSystemInfo,

17_2_00975DA0

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Thread delayed: delay time: 30000
Source: C:\ProgramData\34vgn892c.exe	Thread delayed: delay time: 30000
Source: C:\ProgramData\34vgn892c.exe	Thread delayed: delay time: 60000

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior

Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V kwcbewswwrbpkye Bus Pipes
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual ProcessorQ!
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016A0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792182419.00000000035E3000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1800626038.00000000035E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2Hyper-V VM Vid Partitioni
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0.exehollows_hunter32VGAuthService.exeprocexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exeKsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exeWireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exevmsrvc.exeVBoxTray.execalled `Option::unwrap()` on a `None` valueC:\Users\Magnu\.cargo\registry\src\index.crates.io-6f17d22bba15001f\antilysis-0.1.2\src\lib.rs
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partition
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionq+
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1842156114.00000000028C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: procexp64.exeprocexp.exeProcmon.exeProcmon64.exepestudio.exeKsDumper.exeprl_cc.exeprl_tools.exepe-sieve64.exeMoneta64.exefakenet.exeWireshark.exeVBoxService.exeVMwareUser.exevmtoolsd.exeVMwareTray.exevmsrvc.exeVBoxTray.execalled `Option::unwrap()` on a `None` valueC:\Users\Magnu\.cargo\registry\src\index.crates.io-6f17d22bba15001f\antilysis-0.1.2\src\lib.rs
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AlDHyper-V Virtual Machine Bus PipesN
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: setup.exe, setup.exe, 00000001.00000002.1335849425.0000000000977000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, axplong.exe, 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: ZharkBOT.exe, 00000023.00000003.1752091611.0000000000A81000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: e9574Retrieval: Bytes served9576Discovery: Weighted average discovery time9578SMB: Bytes from cache9580SMB: Bytes from server9582BITS: Bytes from cache9584BITS: Bytes from server9586WININET: Bytes from cache9588WININET: Bytes from server9590WINHTTP: Bytes from cache9592WINHTTP: Bytes from server9594OTHER: Bytes from cache9596OTHER: Bytes from server9598Discovery: Attempted discoveries9600Local Cache: Cache complete file segments9602Local Cache: Cache partial file segments9604Hosted Cache: Client file segment offers made9606Retrieval: Average branch rate9608Discovery: Successful discoveries9610Hosted Cache: Segment offers queue size9612Publication Cache: Published contents9614Local Cache: Average access time3432WSMan Quota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytes}
Source: ZharkBOT.exe, 00000023.00000002.1897190904.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.00000000038D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwarex
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Hypervisor Root Partition
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical ProcessorR
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipesl
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Logical Processor
Source: ZharkBOT.exe, 00000023.00000002.1897190904.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.00000000038D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor
Source: ZharkBOT.exe, 00000023.00000003.1760923673.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1761418251.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1752850595.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1756025079.0000000002817000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1756297161.0000000002817000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1
Source: setup.exe, 00000001.00000002.1335849425.0000000000977000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V VM Vid Partitionty
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: ZharkBOT.exe, 00000023.00000003.1754530285.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1755563652.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1755254416.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1754015437.00000000027E1000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1755213622.00000000027E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumula
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: newbuild.exe, 00000021.00000002.1833633665.0000000003305000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,1169649
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: axplong.exe, 0000000B.00000002.3748613213.00000000016E4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000013.00000002.3737039002.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788412749.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1788268061.0000000003638000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786290518.000000000367D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Hypervisor Root Partitionl\|"
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: ZharkBOT.exe, 00000023.00000003.1795914074.0000000002A11000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware`
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: explorer.exe, 00000022.00000000.1690337457.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000022.00000000.1690337457.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JHyper-V Hypervisor Logical ProcessorH
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: X2Hyper-V VM Vid Partition
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: ZharkBOT.exe, 00000023.00000003.1761590219.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1753483411.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1760636118.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1754102657.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1750635652.0000000000A5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor
Source: ZharkBOT.exe, 00000023.00000002.1897190904.00000000009AE000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.00000000038D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V kwcbewswwrbpkye Bus
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Hyper-V Hypervisor_:
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VHyper-V Dynamic Memory Integration Service]#
Source: BitLockerToGo.exe, 0000001F.00000003.1666459560.00000000059CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: explorer.exe, 00000022.00000000.1685006963.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: streamer.exe, 0000000E.00000002.1635498473.000001E9A1CEF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1752632375.000000000591F000.00000004.00000020.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3747272466.0000000000B46000.00000004.00000020.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1832430992.000000000164C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801728831.000000000369C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801837427.0000000003878000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792258046.0000000003888000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: ZharkBOT.exe, 00000023.00000003.1756999496.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1757735413.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1757542291.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1757481376.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count SnapshotH
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: explorer.exe, 00000022.00000003.1889937978.0000000003269000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000022.00000000.1690337457.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: explorer.exe, 00000022.00000000.1690337457.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration ServiceF
Source: newbuild.exe, 00000021.00000002.1842548900.0000000004582000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: newbuild.exe, 00000021.00000002.1842548900.000000000451E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: ZharkBOT.exe, 00000023.00000003.1807297488.00000000009F4000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000002.1897190904.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792319654.0000000003922000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1798941137.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Dynamic Memory Integration Service%!
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: ZharkBOT.exe, 00000023.00000003.1754102657.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1753543275.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost

Source: C:\Users\user\Desktop\setup.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\setup.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\dcbedta	System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Desktop\setup.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\setup.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\dcbedta	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\setup.exe

Code function: 1_2_04F40C63 rdtsc

1_2_04F40C63

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Code function: 15_2_6CB0B9BA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

15_2_6CB0B9BA

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe

Code function: 18_2_0005BEA9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_0005BEA9

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D8643B mov eax, dword ptr fs:[00000030h]	11_2_00D8643B
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Code function: 11_2_00D8A1A2 mov eax, dword ptr fs:[00000030h]	11_2_00D8A1A2
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB349D0 mov eax, dword ptr fs:[00000030h]	15_2_6CB349D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 17_2_009775D0 mov eax, dword ptr fs:[00000030h]	17_2_009775D0
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0006A1A2 mov eax, dword ptr fs:[00000030h]	18_2_0006A1A2
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0006643B mov eax, dword ptr fs:[00000030h]	18_2_0006643B

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Code function: 15_2_6CB1172D GetProcessHeap,

15_2_6CB1172D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB0B4E1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_6CB0B4E1
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB0B9BA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6CB0B9BA
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Code function: 15_2_6CB0F957 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_6CB0F957
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004D0ED SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_0004D0ED
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_000669BE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_000669BE
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004DAB5 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_0004DAB5
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0004DC1A SetUnhandledExceptionFilter,	18_2_0004DC1A

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: dcbedta.34.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 176.29.154.25 80
Source: C:\Windows\explorer.exe	Network Connect: 127.0.0.127 80
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.6 80
Source: C:\Windows\explorer.exe	Network Connect: 102.187.252.37 80
Source: C:\Windows\explorer.exe	Network Connect: 188.114.96.3 80

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 960000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Code function: 15_2_6CB02F20 HonorInc,GetConsoleWindow,ShowWindow,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,ReadProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,WriteProcessMemory,SetThreadContext,ResumeThread,

15_2_6CB02F20

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Thread created: C:\Windows\explorer.exe EIP: 86E19D0
Source: C:\Users\user\AppData\Roaming\dcbedta	Thread created: unknown EIP: F519D0

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32E0000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 960000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: pedestriankodwu.xyz
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: towerxxuytwi.xyzi
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: ellaboratepwsz.xyz
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: penetratedpoopp.xyz
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: swellfrrgwwos.xyze
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: contintnetksows.shop
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: foodypannyjsud.shop
Source: streamer.exe, 0000000E.00000003.1632231684.000001E9E72A0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: potterryisiw.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\1000030001\1.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\dcbedta	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\dcbedta	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 32E0000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3106008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 960000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 961000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 97C000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 984000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: B97000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 7A4008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 430000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44E000
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F66008

Source: C:\Users\user\Desktop\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe "C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe "C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe "C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe "C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe "C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe "C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe "C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe "C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Process created: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe "C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000030001\1.exe "C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe	Process created: C:\ProgramData\34vgn892c.exe "C:\ProgramData\34vgn892c.exe"
Source: C:\ProgramData\34vgn892c.exe	Process created: unknown unknown

Source: explorer.exe, 00000022.00000000.1684732430.0000000004880000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000003.1891078527.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000022.00000000.1680381654.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: setup.exe, setup.exe, 00000001.00000002.1335849425.0000000000977000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, axplong.exe, 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: MProgram Manager
Source: explorer.exe, 00000022.00000000.1680896082.0000000001440000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe

Code function: 11_2_00D6D2E8 cpuid

11_2_00D6D2E8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: GetLocaleInfoA,

17_2_00975A60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000115001\build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000115001\build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000116001\FILE1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Windows VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000030001\1.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe

Code function: 11_2_00D6CAED GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

11_2_00D6CAED

Source: C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe

Code function: 11_2_00D56590 LookupAccountNameA,

11_2_00D56590

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 17_2_00975900 GetTimeZoneInformation,

17_2_00975900

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe

Code function: 18_2_00037CE0 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

18_2_00037CE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: ZharkBOT.exe, 00000023.00000003.1801837427.0000000003803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: RegAsm.exe, 00000017.00000002.1729603408.0000000001365000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadey

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 40.0.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Freshbuild.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.Freshbuild.exe.30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.axplong.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Hkbsse.exe.a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.axplong.exe.d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.setup.exe.780000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.1918746786.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.3721434800.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1558483602.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1335718111.0000000000781000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000003.1949201156.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1340637010.0000000005450000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.1931585603.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1571924265.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1591289151.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.1990646891.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1580634291.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1295247202.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000001.1558636048.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe, type: DROPPED

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: BitLockerToGo.exe PID: 1504, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.crypt6.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.newbuild.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.newlogs.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crypt6.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newlogs.exe PID: 6184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newbuild.exe PID: 316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2053180664.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2065808485.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZharkBOT.exe PID: 2908, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q5C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000017.00000002.1730701339.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.walletLR
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum\walletsLR
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q&%localappdata%\Coinomi\Coinomi\walletsLR
Source: RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q9C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3247862322.00000000007BA000.00000004.00000001.01000000.00000014.sdmp	String found in binary or memory: allets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.Lk

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg

Tries to harvest and steal ftp login credentials

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla\Notes9.db
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC

Source: Yara match	File source: 0000001F.00000003.1709677823.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1653312909.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1710428950.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: BitLockerToGo.exe PID: 1504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newbuild.exe PID: 316, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: BitLockerToGo.exe PID: 1504, type: MEMORYSTR

Yara detected Mars stealer

Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 23.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.crypt6.exe.950000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.newbuild.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.0.newlogs.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crypt6.exe PID: 1196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newlogs.exe PID: 6184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: newbuild.exe PID: 316, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2053180664.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2065808485.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 8052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ZharkBOT.exe PID: 2908, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb1e000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.0.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.aspnet_regiis.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.stealc_zov.exe.670000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.TpWWMUpe0LEV.exe.6cb00000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_zov.exe PID: 1272, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0005EB58 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,		18_2_0005EB58
Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	Code function: 18_2_0005DE61 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,		18_2_0005DE61

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	712 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Command and Scripting Interpreter	Login Hook	1 Registry Run Keys / Startup Folder	13 Software Packing	NTDS	459 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1491 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Masquerading	DCSync	671 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	671 Virtualization/Sandbox Evasion	Proc Filesystem	3 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	712 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Hidden Files and Directories	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
setup.exe	68%	ReversingLabs	Win32.Trojan.Amadey
setup.exe	100%	Avira	TR/Crypt.TPM.Gen
setup.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	100%	Avira	TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	100%	Avira	HEUR/AGEN.1317026
C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000030001\1.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe	100%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe	96%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe	88%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe	96%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe	100%	ReversingLabs	Win32.Trojan.Leonem
C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe	88%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\50EC.exe	50%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\786A.exe	21%	ReversingLabs
C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe	68%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe	96%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Roaming\d3d9.dll	92%	ReversingLabs	Win32.Trojan.LummaStealer

Source	Detection	Scanner	Label
http://tempuri.org/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2004/08/addressing	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id23ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24LR	0%	Avira URL Cloud	safe
http://40.86.87.10/108e010e8f91c38c.php#	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id20ResponsehM	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	0%	Avira URL Cloud	safe
http://65.21.175.0	100%	Avira URL Cloud	malware
http://77.91.77.81/Kiru9gu/index.phpX	100%	Avira URL Cloud	phishing
https://api.msn.com:443/v1/news/Feed/Windows?t	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
http://40.86.87.10/b13597c85f807692/vcruntime140.dllqk	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.php:	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.php=	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.php9	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id2Response	0%	Avira URL Cloud	safe
http://40.86.87.10/b13597c85f807692/freebl3.dll	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.php7	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id21Response	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.phpo	100%	Avira URL Cloud	phishing
http://77.91.77.81/Kiru9gu/index.phpl	100%	Avira URL Cloud	phishing
http://77.91.77.81/Kiru9gu/index.phpd	100%	Avira URL Cloud	phishing
http://40.86.87.10/108e010e8f91c38c.php4	100%	Avira URL Cloud	malware
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	0%	Avira URL Cloud	safe
https://login.chinacloudapi.cn/mergeRuneSets	0%	Avira URL Cloud	safe
http://40.86.87.10	100%	Avira URL Cloud	malware
http://77.91.77.81/lend/stealc_zov.exeu	100%	Avira URL Cloud	phishing
http://65.21.175.0/b13597c85f807692/sqlite3.dllen-GB	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id13LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id13ResponsehM	0%	Avira URL Cloud	safe
http://40.86.87.10/b13597c85f807692/msvcp140.dllGIECBGHIJEHIIDGD4	100%	Avira URL Cloud	malware
https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe3456789	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id5LR	0%	Avira URL Cloud	safe
http://77.91.77.81/Kiru9gu/index.php~1	100%	Avira URL Cloud	phishing
http://cx5519.com/tmp/index.php	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wsat	0%	Avira URL Cloud	safe
http://40.86.87.10/b13597c85f807692/vcruntime140.dll	100%	Avira URL Cloud	malware
https://wns.windows.com/	0%	Avira URL Cloud	safe
https://bitbucket.org	0%	Avira URL Cloud	safe
http://evilos.cc/tmp/index.php	100%	Avira URL Cloud	malware
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id4ResponsehM	0%	Avira URL Cloud	safe
http://40.86.87.10/108e010e8f91c38c.phps	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.phpg	100%	Avira URL Cloud	malware
https://id.atlassian.com/manage-profile/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id24Response	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	0%	Avira URL Cloud	safe
https://sylhetvoice.com/tmp/1.exe4c6d8c1b3aeaJz	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	0%	Avira URL Cloud	safe
https://potterryisiw.shop/apim	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.phpL	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.phpM	100%	Avira URL Cloud	malware
http://40.86.87.10/108e010e8f91c38c.phpD	100%	Avira URL Cloud	malware
https://cdn.cookielaw.org/	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id14LR	0%	Avira URL Cloud	safe
http://65.21.175.0/108e010e8f91c38c.	100%	Avira URL Cloud	malware
https://potterryisiw.shop/apik	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id10ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11ResponsehM	0%	Avira URL Cloud	safe
https://d136azpfpnge1l.cloudfront.net/	0%	Avira URL Cloud	safe
http://40.86.87.d	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	0%	Avira URL Cloud	safe
http://40.86.87.10/108e010e8f91c38c.phpU	100%	Avira URL Cloud	malware
https://bitbucket.org/sdgdf/fbghhj/downloads/FILE1.exe	0%	Avira URL Cloud	safe
http://40.86.87.10/108e010e8f91c38c.phpR	100%	Avira URL Cloud	malware
https://potterryisiw.shop/apiX	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id5Response	0%	Avira URL Cloud	safe
http://crl.micros8i	0%	Avira URL Cloud	safe
http://40.86.87.10/108e010e8f91c38c.phpO	100%	Avira URL Cloud	malware
http://tempuri.org/Entity/Id15ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id10Response	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id22LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id8Response	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id6ResponsehM	0%	Avira URL Cloud	safe
http://65.21.175.0/b13597c85f807692/sqlite3.dll$	100%	Avira URL Cloud	malware
https://admin.atlassian.com	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id15ResponsehM	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id7LR	0%	Avira URL Cloud	safe
http://tempuri.org/Entity/Id11LR	0%	Avira URL Cloud	safe
https://bitbucket.org/709b9568a348ca9adec25b3fbf8b44263e4ab627c65d1729	0%	Avira URL Cloud	safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	0%	Avira URL Cloud	safe
https://potterryisiw.shop/api4	100%	Avira URL Cloud	malware
https://sylhetvoice.com/tmp/1.exe	0%	Avira URL Cloud	safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://cx5519.com/tmp/index.php	true	Avira URL Cloud: malware	unknown
http://evilos.cc/tmp/index.php	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id20ResponsehM	newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 00000017.00000002.1730701339.00000000030C9000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003479000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000022.00000000.1685006963.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.php#	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://65.21.175.0	aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://77.91.77.81/Kiru9gu/index.phpX	axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/b13597c85f807692/vcruntime140.dllqk	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://40.86.87.10/108e010e8f91c38c.php=	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://40.86.87.10/108e010e8f91c38c.php:	stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.91.77.81/Kiru9gu/index.phpo	axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://40.86.87.10/b13597c85f807692/freebl3.dll	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.php9	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.php7	stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.91.77.81/Kiru9gu/index.phpl	axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.php4	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.91.77.81/Kiru9gu/index.phpd	axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://login.chinacloudapi.cn/mergeRuneSets	streamer.exe	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id13LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/lend/stealc_zov.exeu	axplong.exe, 0000000B.00000002.3817129052.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000623B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000623B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://tempuri.org/Entity/Id13ResponsehM	newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.21.175.0/b13597c85f807692/sqlite3.dllen-GB	aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bitbucket.org/sdgdf/fbghhj/downloads/build.exe3456789	axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://40.86.87.10/b13597c85f807692/msvcp140.dllGIECBGHIJEHIIDGD4	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://77.91.77.81/Kiru9gu/index.php~1	axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://tempuri.org/Entity/Id5LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/b13597c85f807692/vcruntime140.dll	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/	explorer.exe, 00000022.00000003.1891078527.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000022.00000000.1690337457.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitbucket.org	axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	stealc_zov.exe, 0000001E.00000003.3208381329.000000002D4B8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/ip	crypt6.exe, 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, RegAsm.exe, 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, newbuild.exe, 00000021.00000000.1648456279.0000000000E55000.00000002.00000001.01000000.00000015.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id4ResponsehM	newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.phpg	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	stealc_zov.exe, 0000001E.00000003.3084516926.0000000000FB1000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654268126.0000000005988000.00000004.00000800.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653988672.000000000599F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://40.86.87.10/108e010e8f91c38c.phps	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://id.atlassian.com/manage-profile/	axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sylhetvoice.com/tmp/1.exe4c6d8c1b3aeaJz	Hkbsse.exe, 00000013.00000002.3737039002.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.phpL	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://40.86.87.10/108e010e8f91c38c.phpM	stealc_zov.exe, 0000001E.00000003.3084792585.0000000000F91000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000003.3084847184.0000000000F96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://potterryisiw.shop/apim	BitLockerToGo.exe, 0000001F.00000003.1642251556.00000000036A8000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1654071650.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1653312909.0000000003698000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1665322987.0000000003698000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id14LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://40.86.87.10/108e010e8f91c38c.phpD	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.cookielaw.org/	axplong.exe, 0000000B.00000003.1379772731.0000000001720000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379772731.0000000001702000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016F7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1379671397.00000000016FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://potterryisiw.shop/apik	BitLockerToGo.exe, 0000001F.00000002.1789130872.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1786737002.00000000036F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://65.21.175.0/108e010e8f91c38c.	aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DF0000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1790275554.0000000002926000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1803784360.000000000290C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id10ResponseD	RegAsm.exe, 00000017.00000002.1730701339.00000000033AB000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11ResponsehM	newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://d136azpfpnge1l.cloudfront.net/	axplong.exe, 0000000B.00000003.1677103825.000000000621C000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507842297.000000000175A000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.d	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.phpU	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://40.86.87.10/108e010e8f91c38c.phpR	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bitbucket.org/sdgdf/fbghhj/downloads/FILE1.exe	axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.2144035484.000000000620A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://potterryisiw.shop/apiX	BitLockerToGo.exe, 0000001F.00000003.1747224489.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747513352.00000000036ED000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036F5000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036F4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://40.86.87.10/108e010e8f91c38c.phpS	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://40.86.87.10/108e010e8f91c38c.phpO	stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, stealc_zov.exe, 0000001E.00000002.3253196332.0000000000F5C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://tempuri.org/Entity/Id15ResponseD	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.micros8i	ZharkBOT.exe, 00000023.00000003.1789825008.00000000035AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 00000017.00000002.1730701339.0000000002F71000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.0000000003121000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id22LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id6ResponsehM	newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://65.21.175.0/b13597c85f807692/sqlite3.dll$	aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DB5000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000011.00000002.2985442915.0000000000DD8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://admin.atlassian.com	axplong.exe, 0000000B.00000002.3817129052.0000000006200000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000B.00000003.1507798051.0000000006205000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000022.00000000.1687380427.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.1688702793.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000022.00000000.1688737269.0000000008820000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/Entity/Id15ResponsehM	newlogs.exe, 0000001C.00000002.3755454848.00000000026F6000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.000000000269D000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002591000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002794000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.00000000027E2000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002745000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id7LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Entity/Id11LR	newlogs.exe, 0000001C.00000002.3755454848.0000000002831000.00000004.00000800.00020000.00000000.sdmp, newlogs.exe, 0000001C.00000002.3755454848.0000000002883000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bitbucket.org/709b9568a348ca9adec25b3fbf8b44263e4ab627c65d1729	axplong.exe, 0000000B.00000003.1507842297.0000000001745000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://potterryisiw.shop/api4	BitLockerToGo.exe, 0000001F.00000003.1747890232.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000002.1789336555.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1740077434.00000000036FA000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000001F.00000003.1787055319.00000000036FA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	BitLockerToGo.exe, 0000001F.00000003.1677630665.0000000005995000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	RegAsm.exe, 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, newbuild.exe, 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sylhetvoice.com/tmp/1.exe	Hkbsse.exe, 00000013.00000003.1609070300.0000000000D13000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.0000000003735000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1792220751.000000000372B000.00000004.00000020.00020000.00000000.sdmp, ZharkBOT.exe, 00000023.00000003.1801769575.0000000003720000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000022.00000000.1685006963.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.172.128.116	unknown	Russian Federation	50916	NADYMSS-ASRU	true
4.185.56.82	unknown	United States	3356	LEVEL3US	true
43.153.49.49	unknown	Japan	4249	LILLY-ASUS	false
65.21.175.0	unknown	United States	199592	CP-ASDE	true
176.29.154.25	unknown	Jordan	20773	GODADDYDE	true
185.215.113.67	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
20.189.173.20	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.192.141.1	unknown	United States	16509	AMAZON-02US	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
141.8.192.6	unknown	Russian Federation	35278	SPRINTHOSTRU	true
40.86.87.10	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
77.91.77.81	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	false
16.182.97.49	unknown	United States	unknown	unknown	false
102.187.252.37	unknown	Egypt	24835	RAYA-ASEG	true
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	true
85.28.47.7	unknown	Russian Federation	31643	GES-ASRU	false
62.171.132.76	unknown	United Kingdom	51167	CONTABODE	false

Private

IP
127.0.0.127

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465696
Start date and time:	2024-07-02 00:18:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	setup.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@49/64@0/18
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target setup.exe, PID 5368 because it is empty
Execution Graph export aborted for target streamer.exe, PID 7864 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: setup.exe

Simulations

Behavior and APIs

Time	Type	Description
00:19:04	Task Scheduler	Run new task: axplong path: C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe
01:50:26	Task Scheduler	Run new task: Hkbsse path: C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
01:50:59	Task Scheduler	Run new task: Firefox Default Browser Agent 0D73CD8172BE1B4D path: C:\Users\user\AppData\Roaming\dcbedta
01:51:16	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 3v82v2vcc2 C:\ProgramData\34vgn892c.exe
01:51:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Uqwgg C:\Users\user\AppData\Local\Uqwgg.exe
01:51:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 3v82v2vcc2 C:\ProgramData\34vgn892c.exe
01:52:05	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Uqwgg C:\Users\user\AppData\Local\Uqwgg.exe
01:53:04	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
01:53:12	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
18:19:09	API Interceptor	2698824x Sleep call for process: axplong.exe modified
19:50:26	API Interceptor	97330x Sleep call for process: Hkbsse.exe modified
19:50:30	API Interceptor	69128x Sleep call for process: stealc_zov.exe modified
19:50:31	API Interceptor	10x Sleep call for process: BitLockerToGo.exe modified
19:50:35	API Interceptor	41x Sleep call for process: RegAsm.exe modified
19:50:36	API Interceptor	2x Sleep call for process: ZharkBOT.exe modified
19:50:44	API Interceptor	1x Sleep call for process: WerFault.exe modified
19:50:45	API Interceptor	98667x Sleep call for process: explorer.exe modified
19:50:49	API Interceptor	13x Sleep call for process: newbuild.exe modified
19:50:57	API Interceptor	24x Sleep call for process: 34vgn892c.exe modified
19:51:13	API Interceptor	1x Sleep call for process: 50EC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.172.128.116	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	185.172.128.116/Mb3GvQs8/index.php
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	185.172.128.116/Mb3GvQs8/index.php
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	185.172.128.116/Mb3GvQs8/index.php
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	185.172.128.116/Mb3GvQs8/index.php
	0DHrPD3miS.exe	Get hash	malicious	Amadey	Browse	185.172.128.116/Mb3GvQs8/index.php
4.185.56.82	TRpzlFYVr3.exe	Get hash	malicious	RedLine	Browse
43.153.49.49	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	43.153.49.49:8888/down/TpWWMUpe0LEV.exe
65.21.175.0	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	65.21.175.0/108e010e8f91c38c.php
65.21.175.0	AADJTHAWWR.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	65.21.175.0/108e010e8f91c38c.php
176.29.154.25	qoe1X4ig0N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, LummaC Stealer, Njrat, SmokeLoader, StormKitty	Browse	movlat.com/tmp/
176.29.154.25	doTtQFWKly.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Glupteba, SmokeLoader, Vidar, Xehook Stealer	Browse	sajdfue.com/files/1/build3.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NADYMSS-ASRU	setup.exe	Get hash	malicious	RedLine	Browse	185.172.128.33
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	185.172.128.33
	X8ljh02lU9.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	185.172.128.33
	file.exe	Get hash	malicious	RedLine	Browse	185.172.128.33
	35WqOa1tGb.exe	Get hash	malicious	GCleaner, Nymaim	Browse	185.172.128.90
	DXe9Ayi7uC.exe	Get hash	malicious	GCleaner, Nymaim	Browse	185.172.128.69
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	185.172.128.116
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	185.172.128.116
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	185.172.128.116
	setup.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	185.172.128.33
LEVEL3US	16bfcGvz5N.elf	Get hash	malicious	Unknown	Browse	217.163.239.197
	o85sjrF5oi.elf	Get hash	malicious	Unknown	Browse	69.45.209.225
	jew.x86.elf	Get hash	malicious	Unknown	Browse	198.113.9.32
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	9.96.85.159
	jew.mips.elf	Get hash	malicious	Unknown	Browse	8.57.139.183
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	4.77.145.202
	https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2BsifZ0P3LuL0HqpFUcy5KfK9QeOmqsfmIEc7vCi5RUNYAmHuUkmPbyWNQo21wM4ryo-2FADTfkOHCFzQz9AfxslydM-2BQsZbYdRmEOsrKC6-2BHKIs-3DDCG-_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCSZBLYE5encCC3TGSWK2LST4tKK1uZVi4Xb22gSLa7ZYTGX5jE2xI-2FJGPm05-2FCw7wD7pg9S-2BMlyoLVyYYI8XzxlbyIibtSxK5W34N4zUZcdEdWsHl9BgrHyN42GvxqNWNxOcvycXMS4jIOdp4d6ScmDF-2BS6MhsBDgIQSJ8ghxJEmce30vrIXxr7TL-2BhC3-2BvVpeuPaT49M08MEQU3810FxWnRV-2Fb0eBiTGYcXY48d1SDaE1rDl8oYsyAd2YQadCaGkdgfEKfDLAyjoaWqdQQl4JU	Get hash	malicious	HTMLPhisher	Browse	4.155.237.33
	ikFn0h3xhF.elf	Get hash	malicious	Mirai	Browse	9.207.125.108
	0wVYV60JHd.elf	Get hash	malicious	Mirai	Browse	8.71.117.234
	Lu4qSit8YR.elf	Get hash	malicious	Unknown	Browse	63.38.205.190
LILLY-ASUS	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	43.175.135.229
	16bfcGvz5N.elf	Get hash	malicious	Unknown	Browse	40.165.120.84
	o85sjrF5oi.elf	Get hash	malicious	Unknown	Browse	42.173.108.47
	jew.x86.elf	Get hash	malicious	Unknown	Browse	43.97.36.22
	jew.mpsl.elf	Get hash	malicious	Unknown	Browse	40.242.250.133
	jew.mips.elf	Get hash	malicious	Unknown	Browse	40.249.12.208
	jew.arm7.elf	Get hash	malicious	Mirai	Browse	43.142.24.226
	ikFn0h3xhF.elf	Get hash	malicious	Mirai	Browse	43.200.165.99
	lQC7IiMNX1.elf	Get hash	malicious	Mirai	Browse	43.150.238.177
	yJgVAg26w0.elf	Get hash	malicious	Mirai	Browse	43.213.253.54
CP-ASDE	http://Ipscanadvsf.com	Get hash	malicious	Unknown	Browse	65.21.119.50
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	65.21.119.50
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	65.21.175.0
	AADJTHAWWR.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	65.21.175.0
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	65.21.119.50
	http://65.21.119.50:443	Get hash	malicious	Unknown	Browse	65.21.119.50
	YOkLx2A3A7.elf	Get hash	malicious	Mirai, Moobot	Browse	65.21.220.241
	https://dty1k.asd6t.my.id/	Get hash	malicious	Unknown	Browse	65.21.235.194
	Leprechaun Hvnc.bin.exe	Get hash	malicious	Unknown	Browse	65.20.106.109
	https://wd21.privrendom.com/	Get hash	malicious	Unknown	Browse	65.21.235.194

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	1719859269.0326595_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig	Browse
	jlO7971vUz.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	Rnteb46TuM.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse
	1jPL5zru3u.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse
	Zachv5lCuu.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse
	1719520929.094843_setup.exe	Get hash	malicious	LummaC Stealer, Mars Stealer, PrivateLoader, PureLog Stealer, Socks5Systemz, Stealc, Vidar	Browse
	j7iUba2bki.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse
	9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse
	ukuWaeRgPR.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\34vgn892c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	7.7257485313997885
Encrypted:	false
SSDEEP:	24576:EMcb8rNUYzf9lve3wiDzVT7BzSxISSAyDtZE/TDV3VqML8ldnoasAvK1:E4jiPGIT/DtZKqMaoasr1
MD5:	339271AF2BBDAD0395A479C3EF2A714A
SHA1:	4F38B94FDB7F3CC4CF9F79BBB4D4311B85F0E14B
SHA-256:	71769EBF723749783F5E79F7B8A43D6EF03582FCA2D1D26CAD69157B73004F2B
SHA-512:	B93D038FD8159CF46F9568F60A22080B0A6E7B383028B47983465DD0C5FE1611A0E0EB99E141C2EE1604B29DF6530605F489E05389904EFF51048BD9D2E4EB0E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..W_.W_.W_.^'V.Y_..#..p_..#..G_..#.\_..-.T_.W_.A^.W_.:_..".V_.RichW_.........PE..L...?..f.........."....#.$...................@....@.......................................@.....................................T...............................\%..pW.......................W.......V..@............@...............................text...[#.......$.................. ..`.rdata...Q...@...R...(..............@..@.data...\|............z..............@....reloc..\%.......&...\|..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AAKKECFBGIIIEBGDGDAK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AEBAFBGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AEBAFBGIDHCBFHIECFCB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EHCFBFBAEBKJKEBGCAEHCFCBAE

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FRaqbC8wSA1XvpFVjCRGryWt.exe

Download File

Process:	C:\ProgramData\34vgn892c.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	303488
Entropy (8bit):	6.205570113076238
Encrypted:	false
SSDEEP:	6144:DTAUza35lJUH517di5OSfu4n9hceZUc95f:3Gl417d5ohctcLf
MD5:	4DE07FA106D917B74E44BD624F3EEAEF
SHA1:	DACE1725097A94F1FDFAD54F0EB2A2FBEAB13A72
SHA-256:	99F566B150282334D980BA5D41138FF81B88375CCAC6A0AD366B3DE194C63053
SHA-512:	0C4524E7EE31D4EF11FD8A954E0FF02BE57DEF4DC9C5550232338A07F7D27E3F8219D45B6E230F963CCDCD9B7B7DAAB5E0E3B60B45F8CAB143159672398181C4
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.................p............... ........@.. ....................................`.................................L...W.......h............\|...%........................................................... ............... ..H............text....o... ...p.................. ..`.rsrc...h............r..............@..@.reloc...............z..............@..B........................H.......,... .......N....u..p.............................................(2....00...............-..(.....(...+uG.....(...+..({.....o4.....9............o....,5........o5.........(6....o7....(~.......(8....o9...+>......(}...........o5.........(6....o7....(~.......(8....o9...........o....-.............o....,A........o5........(6............o:...(.....(~.......(8....o9...+G.d.(}...........o5........(6............o:...(.....(~.......(8....o9...........o....-...........o......(

C:\ProgramData\GIIIIJDHJEGIECBGHIJEHIIDGD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HJDHCFCBGIDGHJJKJJDGHDGDHI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HJJEHJJK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIZS2TRqf69aZbLAX3cf3edn.exe

Download File

Process:	C:\ProgramData\34vgn892c.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	1581056
Entropy (8bit):	6.22026361757481
Encrypted:	false
SSDEEP:	12288:CSJKnQl2Fq1r9Fx5IHh4Ex5ZX+okg9mN3HEsMtNOjVByMe8Asz8rqO9pop5kK0:CfnyDIHhT5YlN3HE5NOjXyMHRArqkpp
MD5:	B232A68A0B596FCE92BE1FF29276BF90
SHA1:	8DD98D5CEDBF5E8BE8C8D570DC7FB66136EDF723
SHA-256:	EB7CFBA2AA1E9B00A5762141022001C6A9AA86F5578F299E823E45708D79E2AD
SHA-512:	35473AE2C70A580F478A54B607D922A3D29F99433DF8824113C59562075F345C3236D979C19AE2D8451A9D94AC73A552B926562458E03A0E650F1E48D20B8890
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$.....T.................@..........................................`... ......................................@..N....P..........U.....\|..<............................................{.(...................\|T..@............................text...............................`.``.data....H.......J..................@.`..rdata..0.I..@2...I.. 2.............@.`@.pdata...<....\|..>....{.............@.0@.xdata..D....P}......$}.............@.0@.bss.... ....`}.......................`..edata..N....@.......2}.............@.0@.idata.......P.......4}.............@.0..CRT....p....p.......H}.............@.@..tls.................J}.............@.@..rsrc...U............L}.............@.0..reloc...............d~.............@.0B................................................................................................................................

C:\ProgramData\IJKJDAFHJDHIEBGCFIDB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	dropped
Size (bytes):	9370
Entropy (8bit):	5.514140640374404
Encrypted:	false
SSDEEP:	192:lLnSRkPYbBp6tqUCaXr6V6kHNBw8D3nSl:NeqqUWpPwK0
MD5:	7E44458E0A8A3A7D10875BC3B7AE72D1
SHA1:	E5E6AC8676EE3761DAB13A10EB7573C19F48D297
SHA-256:	21A04E176A9CEBDA60AE6FD82A7495C6E0867ED02B8009A44DDC9863E14D8753
SHA-512:	012ED6CDC0802AA1063EFE841549341CC86EB626A26FC4BDC509598D8E33093296510344A2CC4419B007F6191F3445DA8F0AAE3B1626E54C1EF66DDDF3FA59B1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696491690);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696491694);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\JJJEGHDAECBFHJKEGIJKKJKKKF

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_crypt6.exe_cd17514591b3bc37d71eaa3f790d8eca63aa32e_82e71a1c_2df57086-53da-4793-9d55-300da09beec2\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7194562112591065
Encrypted:	false
SSDEEP:	96:K5FVoRu4evs/hqj1yDfRgBQXIDcQvc6QcEVcw3cE/daO+HbHg/8BRTf3Oy1H3a9F:y/Lv5Q0BU/Ra/juGzuiFvZ24IO8LZ3R
MD5:	932A3DEE27E3833FEAD6ABD51A3CF33C
SHA1:	88B6C20D149091ACDA03DCFBE0DD124014C7F80D
SHA-256:	C7309883C11664B40F0CF83AC4C1A97EA9507A9F4B46E08C17855F1E7E4F9154
SHA-512:	17C62056E40F10445E7CA4A9A12B02C447E09552DEE16C044316439118B01EFAD3E765267E3CCA3141E205ECBFB12CF97DBC36FAAFFDC125DCEF5496796EE0AD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.4.3.5.1.4.2.7.1.2.9.8.2.4.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.4.3.5.1.4.2.7.7.2.3.5.4.9.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.d.f.5.7.0.8.6.-.5.3.d.a.-.4.7.9.3.-.9.d.5.5.-.3.0.0.d.a.0.9.b.e.e.c.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.7.1.d.8.8.d.1.-.4.0.5.0.-.4.8.8.0.-.a.c.0.3.-.a.8.e.5.8.c.4.e.a.9.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.c.r.y.p.t.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.a.c.-.0.0.0.1.-.0.0.1.4.-.4.a.3.1.-.2.5.7.2.1.1.c.c.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.2.2.4.c.9.4.8.0.2.e.d.7.0.3.8.f.f.b.2.4.d.a.b.9.7.8.3.8.e.d.9.0.0.0.0.f.f.f.f.!.0.0.0.0.2.0.c.7.3.c.c.f.d.b.a.1.3.f.d.9.b.7.9.c.9.e.0.2.4.3.2.b.e.3.9.e.4.8.e.4.b.3.7.d.!.c.r.y.p.t.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA616.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Mon Jul 1 23:50:27 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	47352
Entropy (8bit):	1.7332906292584889
Encrypted:	false
SSDEEP:	192:omtuYwjOkX67BeCjVSuTMVMlUcxvhZvgPTL2Yseof:IYTi67BeCjVSuT9vHvgPTqY8
MD5:	02A38674217C6FF2F933F14A4DAA7D42
SHA1:	58748F8A19A8CBA2850837B019DBCFF4D31A9C29
SHA-256:	E2D039D1A53A89056BCF709CE57FCBBC92724B3454609D263DECAD9BDA990B73
SHA-512:	94F6D611392899011099247B97932F2BFE668F728AAA2B82736E3C36A4375CA390062D2353D72A550BA8F6AC9D1488F2AA7CD40B7D83DB45CDE9C3278836B964
Malicious:	false
Preview:	MDMP..a..... ........@.f........................0...........t...f$..........T.......8...........T...........@...............,...........................................................................................eJ..............GenuineIntel............T............@.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA6E2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.6936117221841123
Encrypted:	false
SSDEEP:	192:R6l7wVeJ0E6u6Yya6ivgmfEJDspr789bxdsfa7m:R6lXJH6u6YH6cgmfEJD1xWfP
MD5:	BB4788F304EB28634C5E4B4EEE92CFB4
SHA1:	4C155A200B366782BB07BBB96D080045F860010A
SHA-256:	513E56E356557D0DBA565641ADF1B2B95205DF71039ADC72FE59AAD40761D20D
SHA-512:	8A04B013305A5467C2BC0429E8641C0AACEDF4E827CC5086E26EBF9A1C948DF49D45F9C2D0304D6E943CC0CE68CD95B2C3E6AE8AEBF190F35C4CE5C91F2EA039
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.1.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA721.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.434013879746169
Encrypted:	false
SSDEEP:	48:cvIwWl8zshJg77aI9HUWpW8VYfWS0Ym8M4JjiFM+q8nS5ax35Rdg2d:uIjfzI7hN7VYWAJjz5axJRW2d
MD5:	013E2F5A7618FE7C8B04054B2E0B5170
SHA1:	31E0E98AB35813830348DD69FA94FC1384B44277
SHA-256:	C66FFDE20A9FC65B2A7B17614FEB18069A4331CFC1D5E431E3FBB2471743021A
SHA-512:	0E08E99E0C737E68A5B3B54194FB23A75615150D2F3FFAEA1501CF21BB198B135ECF451609E5854EC178383CF6DA99617026830A39D1A3E27D2E9655C09755B6
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="392573" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 1719859269.0326595_setup.exe, Detection: malicious, Browse Filename: jlO7971vUz.exe, Detection: malicious, Browse Filename: Rnteb46TuM.exe, Detection: malicious, Browse Filename: 1jPL5zru3u.exe, Detection: malicious, Browse Filename: Zachv5lCuu.exe, Detection: malicious, Browse Filename: 1719520929.094843_setup.exe, Detection: malicious, Browse Filename: j7iUba2bki.exe, Detection: malicious, Browse Filename: 9444f34a94d494a78e19e19f4e1615744e500aca97a56.exe, Detection: malicious, Browse Filename: 1Cvd8TyYPm.exe, Detection: malicious, Browse Filename: ukuWaeRgPR.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	2A56468A7C0F324A42EA599BF0511FAF
SHA1:	404B343A86EDEDF5B908D7359EB8AA957D1D4333
SHA-256:	6398E0BD46082BBC30008BC72A2BA092E0A1269052153D343AA40F935C59957C
SHA-512:	19B79181C40AA51C7ECEFCD4C9ED42D5BA19EA493AE99654D3A763EA9B21B1ABE5B5739AAC425E461609E1165BCEA749CFB997DE0D35303B4CF2A29BDEF30B17
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TpWWMUpe0LEV.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\newbuild.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3094
Entropy (8bit):	5.33145931749415
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0atTqdqlq7qV
MD5:	3FD5C0634443FB2EF2796B9636159CB6
SHA1:	366DDE94AEFCFFFAB8E03AD8B448E05D7489EB48
SHA-256:	58307E94C67E2348F5A838DE4FF668983B38B7E9A3B1D61535D3A392814A57D6
SHA-512:	8535E7C0777C6B0876936D84BDE2BDC59963CF0954D4E50D65808E6E806E8B131DF5DB8FA0E030FAE2702143A7C3A70698A2B9A80519C9E2FFC286A71F0B797C
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1016
Entropy (8bit):	5.238672058107617
Encrypted:	false
SSDEEP:	24:YqHZ6T06Mhmp1m/ib0O0bihmeF1m/i6CUXyhmjX1m/ibxdB6hm9sH1m/iz0JahmU:YqHZ6T06Mce/ib0O0bicD/iDUXycjo/v
MD5:	0CCB0B4AB6E8E3307FCC6A6CFA34AB9B
SHA1:	522BA4650CA18795F9357495BB07D5E67AB183F3
SHA-256:	FA88B5C21FF7E85D75DFB5DFC8598D09F03D0205D6C67FF1661BFB571D14181B
SHA-512:	4256925C2CAE6F4E5F73128C213B86C29DF269142B6C56BCFF21A6D53AB8137A795F2C0F83C6554EBC1EB9B5E3B9AEC1B943FE2B714ECA78A809ECB9D88B699F
Malicious:	false
Preview:	{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":847405920,"LastSwitchedHighPart":31061855,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":837405920,"LastSwitchedHighPart":31061855,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":827405920,"LastSwitchedHighPart":31061855,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":817405920,"LastSwitchedHighPart":31061855,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":807405920,"LastSwitchedHighPart":31061855,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":797405920,"LastSwitchedHighPart":31061855,"PrePo

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\ZharkBOT[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1221120
Entropy (8bit):	7.7257485313997885
Encrypted:	false
SSDEEP:	24576:EMcb8rNUYzf9lve3wiDzVT7BzSxISSAyDtZE/TDV3VqML8ldnoasAvK1:E4jiPGIT/DtZKqMaoasr1
MD5:	339271AF2BBDAD0395A479C3EF2A714A
SHA1:	4F38B94FDB7F3CC4CF9F79BBB4D4311B85F0E14B
SHA-256:	71769EBF723749783F5E79F7B8A43D6EF03582FCA2D1D26CAD69157B73004F2B
SHA-512:	B93D038FD8159CF46F9568F60A22080B0A6E7B383028B47983465DD0C5FE1611A0E0EB99E141C2EE1604B29DF6530605F489E05389904EFF51048BD9D2E4EB0E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..W_.W_.W_.^'V.Y_..#..p_..#..G_..#.\_..-.T_.W_.A^.W_.:_..".V_.RichW_.........PE..L...?..f.........."....#.$...................@....@.......................................@.....................................T...............................\%..pW.......................W.......V..@............@...............................text...[#.......$.................. ..`.rdata...Q...@...R...(..............@..@.data...\|............z..............@....reloc..\%.......&...\|..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\crypt6[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	7.635654081763349
Encrypted:	false
SSDEEP:	12288:4iFfKsLIh/4hBNR3lfo4T4A1i5g70dbRFpJtRSfF:40iP/E/pigb1i5Q0dbLLWf
MD5:	A957DC16D684FBD7E12FC87E8EE12FEA
SHA1:	20C73CCFDBA13FD9B79C9E02432BE39E48E4B37D
SHA-256:	071B6C448D2546DEA8CAED872FCA0D002F59A6B9849F0DE2A565FC74B487FA37
SHA-512:	FD6982587FBA779D6FEBB84DFA65EC3E048E17733C2F01B61996BEDB170BB4BB1CBB822C0DD2CF44A7E601373ABAF499885B13B7957DD2A307BBD8F2120E9B3B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._....N.........I..q.M..q.J....X.._.....q....r.^..r.^..r..^..Rich_..................PE..L...;.~f...............'.j.......................@..........................0............@.........................0..P......<...............................@.......................................@...............h............................text...WX.......Z.................. ..`.BsS....m....p.......^.............. ..`.rdata...............n..............@..@.data........@......."..............@....reloc..@........ ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	5.028173843086833
Encrypted:	false
SSDEEP:	3072:nqFFrqwIOGNTypEmz07s3WxL9z8b5bOMhd7ETZUf5IfcZqf7D34deqiOLCbBOa:qBIOGqDZOqdITZC4cZqf7DInL
MD5:	0970456D2E2BCB36F49D23F5F2EEC4CE
SHA1:	1E427BBEB209B636371D17801B14FABFF87921BE
SHA-256:	264DB4D677606C95912A93A457675D5EBAA24DC886DA8BBCB800FE831C540A54
SHA-512:	43C233E6C6FB20EE5830672F68EEC2A1930AFF6C3DA185B7AF56EDE90970041157755B8893A86336711C8BA8CBE3F22818DE8DDC1789ED65A7AACD596771909E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\newlogs[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4................0................. ........@.. ....................................@.................................p...O...................................T................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\streamer[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8077824
Entropy (8bit):	6.5009378741766355
Encrypted:	false
SSDEEP:	49152:P8FC9tZ1LK9QkVNdZEOto3XOREES2CG9LlPJHzPihufFRDiLYDEwjB5EtC0D4DAh:UuG9QcnhnLxHmhYFBEtCHi1mK
MD5:	2BC0DB539A8FAB08BF4104EB7F2DE7E7
SHA1:	FF4A5DEFEDB18C93EF815434B40E19B9452CA410
SHA-256:	EC84EC11567566DB3BA9096DF164F0B7A8217D50FFAB16FA3642F8F12D759B04
SHA-512:	FFAEB6C876D2AEDA75B6576D2B307964A7B5330A0AB73352A4C95EF18AC3B1B1BFFF350805553833A754582ED54215337C376BCE0ABD44C117B5D8A0E1468D71
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$."...>{................@.....................................p{...`... .........................................N.... ..X....`...&....w..+.......................................... .w.(....................$..X............................text... !......."..................`.``.data...0g...@...h...&..............@.`..rdata..P.D...3...D...3.............@.`@.pdata...+....w..,....w.............@.0@.xdata..P.....y.......x.............@.0@.bss..........y.......................`..edata..N.............x.............@.0@.idata..X.... ........x.............@.0..CRT....p....@........x.............@.@..tls.........P........x.............@.@..rsrc....&...`...(....y.............@.0..reloc...............(z.............@.0B................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	424960
Entropy (8bit):	6.516408105291076
Encrypted:	false
SSDEEP:	12288:5fSPtGpmLb84Jjzo6yrBuKuJ+ITOC0Ud:UtGpmf8edykhV0Ud
MD5:	07101CAC5B9477BA636CD8CA7B9932CB
SHA1:	59EA7FD9AE6DED8C1B7240A4BF9399B4EB3849F1
SHA-256:	488385CD54D14790B03FA7C7DC997EBEA3F7B2A8499E5927EB437A3791102A77
SHA-512:	02240FF51A74966BC31CFCC901105096EB871F588EFAA9BE1A829B4EE6F245BD9DCA37BE7E2946BA6315FEEA75C3DCE5F490847250E62081445CD25B0F406887
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\Freshbuild[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L...).nf..........................................@.......................................@.................................,....................................K......8...................l..........@............................................text............................... ..`.rdata..:...........................@..@.data....e... ...4..................@....rsrc...............................@..@.reloc...K.......L...0..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	5.030912824090733
Encrypted:	false
SSDEEP:	3072:KqFFrqwIOGTNyHESF9D4XpeSQ2BXUhdT5TZboHIrcZqf7D34NeqiOLCbBO1:JBIOG6CpcdlTZEmcZqf7DI3L
MD5:	9AB4DE8B2F2B99F009D32AA790CD091B
SHA1:	A86B16EE4676850BAC14C50EE698A39454D0231E
SHA-256:	8A254344702DC6560312A8028E08F844B16804B1FBF4C438C3CA5058D7B65EA1
SHA-512:	A79341EC3407529DAA0384DE4CAC25B665D3B0CB81E52ECADA0EBFE37D7616B16DA96B47B04F50CE0A6E46D5FCED3298A459F78A087C6B6EAC4ED444434C5FBE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\newbuild[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r................0................. ........@.. ....................................@.....................................O...................................h................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\1[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	242688
Entropy (8bit):	6.222777587114456
Encrypted:	false
SSDEEP:	3072:cWUzbZ7SFvfCoR4ouq8i2OO3hfcCGmmoXxqXB1TB:c9bFSFvfCauqR2OOR0CPmoAXB1T
MD5:	5AB7C9BADBFDAB65FBC3E519BDB81235
SHA1:	C1CD2290478686E4CF2909F4A0A3153D10CA562A
SHA-256:	F49A9EAC84CBCAAC8B34D5E66E4679183E6A610EB1CDAC699E4E7151A816559F
SHA-512:	CA89E499B791E80596D6C7E3C38F22C5C37ACDC8E704CD2DB01F2D2B11E142F40CC6E85DA0EDE9D7577764BB6DEF2930FF15BB21E3F1E98D0654B6D155EB579D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........d..............................................................Rich....................PE..L...H..c.................2...b}.....F'.......P....@..........................P..............................................4\|..x.....~..............................\|...............................u..@............P...............................text...01.......2.................. ..`.rdata...5...P...6...6..............@..@.data.....\|..........l..............@....rsrc.........~......"..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	6.198135315600075
Encrypted:	false
SSDEEP:	3072:ed5iO3xGNftsLz4oPNKMQgC6OFr41uIG5RaopW:ej3xGNVwlJ7OF08IQRa
MD5:	253CCAC8A47B80287F651987C0C779EA
SHA1:	11DB405849DBAA9B3759DE921835DF20FAB35BC3
SHA-256:	262A400B339DEEA5089433709CE559D23253E23D23C07595B515755114147E2F
SHA-512:	AF40E01BC3D36BAF47EBA1D5D6406220DFBCC52C6123DD8450E709FED3E72BED82AAC6257FA7BDF7DD774F182919A5051E9712B2E7F1329DEFD0B159CB08385D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\stealc_zov[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.dZ............a.......a.......a...5...............................Z...a.......a.......Rich............................PE..L......f......................!..... I............@...........................#...........@.................................p4..<............................p#.."...................................................................................text...:........................... ....rdata..>y.......z..................@..@.data...,+!..@.......*..............@....reloc...A...p#..B...6..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\whiteheroin[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	7.788501679241677
Encrypted:	false
SSDEEP:	24576:vjOwtWBrHdDD2PVc1ZQBQkoTjPCpKTbzMxaZc+zrUmz:vCwtW9dDyPyz6DMPCMTbzdZc+kmz
MD5:	242214131486132E33CEDA794D66CA1F
SHA1:	4CE34FD91F5C9E35B8694007B286635663EF9BF2
SHA-256:	BAC402B5749B2DA2211DB6D2404C1C621CCD0C2E5D492EB6F973B3E2D38DD361
SHA-512:	031E0904D949CEC515F2D6F2B5E4B9C0DF03637787FF14F20C58E711C54EEC77D1F22AA0CF0F6EFD65362C1FC0066645D5D005C6A77FE5B169427CDD42555D29
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N\|f................................. ... ....@.. ....................... ............@.....................................K.................................................................................... ..................H............text........ ...................... ..`._LW......... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000030001\1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	6.222777587114456
Encrypted:	false
SSDEEP:	3072:cWUzbZ7SFvfCoR4ouq8i2OO3hfcCGmmoXxqXB1TB:c9bFSFvfCauqR2OOR0CPmoAXB1T
MD5:	5AB7C9BADBFDAB65FBC3E519BDB81235
SHA1:	C1CD2290478686E4CF2909F4A0A3153D10CA562A
SHA-256:	F49A9EAC84CBCAAC8B34D5E66E4679183E6A610EB1CDAC699E4E7151A816559F
SHA-512:	CA89E499B791E80596D6C7E3C38F22C5C37ACDC8E704CD2DB01F2D2B11E142F40CC6E85DA0EDE9D7577764BB6DEF2930FF15BB21E3F1E98D0654B6D155EB579D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........d..............................................................Rich....................PE..L...H..c.................2...b}.....F'.......P....@..........................P..............................................4\|..x.....~..............................\|...............................u..@............P...............................text...01.......2.................. ..`.rdata...5...P...6...6..............@..@.data.....\|..........l..............@....rsrc.........~......"..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	8077824
Entropy (8bit):	6.5009378741766355
Encrypted:	false
SSDEEP:	49152:P8FC9tZ1LK9QkVNdZEOto3XOREES2CG9LlPJHzPihufFRDiLYDEwjB5EtC0D4DAh:UuG9QcnhnLxHmhYFBEtCHi1mK
MD5:	2BC0DB539A8FAB08BF4104EB7F2DE7E7
SHA1:	FF4A5DEFEDB18C93EF815434B40E19B9452CA410
SHA-256:	EC84EC11567566DB3BA9096DF164F0B7A8217D50FFAB16FA3642F8F12D759B04
SHA-512:	FFAEB6C876D2AEDA75B6576D2B307964A7B5330A0AB73352A4C95EF18AC3B1B1BFFF350805553833A754582ED54215337C376BCE0ABD44C117B5D8A0E1468D71
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......................$."...>{................@.....................................p{...`... .........................................N.... ..X....`...&....w..+.......................................... .w.(....................$..X............................text... !......."..................`.``.data...0g...@...h...&..............@.`..rdata..P.D...3...D...3.............@.`@.pdata...+....w..,....w.............@.0@.xdata..P.....y.......x.............@.0@.bss..........y.......................`..edata..N.............x.............@.0@.idata..X.... ........x.............@.0..CRT....p....@........x.............@.@..tls.........P........x.............@.@..rsrc....&...`...(....y.............@.0..reloc...............(z.............@.0B................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1228288
Entropy (8bit):	7.788501679241677
Encrypted:	false
SSDEEP:	24576:vjOwtWBrHdDD2PVc1ZQBQkoTjPCpKTbzMxaZc+zrUmz:vCwtW9dDyPyz6DMPCMTbzdZc+kmz
MD5:	242214131486132E33CEDA794D66CA1F
SHA1:	4CE34FD91F5C9E35B8694007B286635663EF9BF2
SHA-256:	BAC402B5749B2DA2211DB6D2404C1C621CCD0C2E5D492EB6F973B3E2D38DD361
SHA-512:	031E0904D949CEC515F2D6F2B5E4B9C0DF03637787FF14F20C58E711C54EEC77D1F22AA0CF0F6EFD65362C1FC0066645D5D005C6A77FE5B169427CDD42555D29
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....N\|f................................. ... ....@.. ....................... ............@.....................................K.................................................................................... ..................H............text........ ...................... ..`._LW......... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000115001\build.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	HTML document, ASCII text, with very long lines (13449)
Category:	dropped
Size (bytes):	26780
Entropy (8bit):	5.242262032896143
Encrypted:	false
SSDEEP:	768:zV8c5cmH5459H989pcYi59L9J989J9C9a9R9n94QpZcy:hP5cU5adyO35nynw4/94QTcy
MD5:	C58242B221EDA3A476EDDC9910B21E12
SHA1:	A465856326061BC019BFE279270EFA1E25EC4E4F
SHA-256:	FD9FB6EBDCE4471ECFE2EE2FD6A8EC70979E6A9D657C770BEB71C9EFDB07D5C2
SHA-512:	1E9CC7AD87FB23B6E322DEAC4D8E42DBEE4239A6254612E55C1BA4ECC74FB0F97DA79863D6D055739FC08D8E3D20B1E0A277027BB8F0A2CDAB49E9F112BF19D0
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta id="bb-bootstrap" data-current-user="{"isAuthenticated": false, "isKbdShortcutsEnabled": true, "isSshEnabled": false}"... data-target-workspace-uuid="fb83dd9a-6600-46cd-b25f-7b5decba6275". />. <script nonce="8ABFFGxj3poq2PNgBJTasw==">..if (window.performance) {.. . window.performance.okayToSendMetrics = !document.hidden && 'onvisibilitychange' in document;.. if (window.performance.okayToSendMetrics) {.. . window.addEventListener('visibilitychange', function () {. if (document.hidden) {. window.performance.okayToSendMetrics = false;. }. });. }.. . .}.</script>. <meta http-equiv="X-UA-Compatible" content="IE=edge" />. <meta name="viewport" content="width=device-width, initial-scale=1">. <meta charset="utf-8">. <title>404 — Bitbucket</title>. . ...<meta name="bb-env" content="production" />.<meta id="bb-canon-url" name="bb-canon-url" content="https://bitbucket.org"

C:\Users\user\AppData\Local\Temp\1000116001\FILE1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	HTML document, ASCII text, with very long lines (13449)
Category:	dropped
Size (bytes):	26780
Entropy (8bit):	5.242463188774418
Encrypted:	false
SSDEEP:	768:jVIc5cmH5wS9H989pcYi59L9J989J9C9a9R9n94Qphca:RT5cU5BdyO35nynw4/94QLca
MD5:	607338356F28E30BCA904F8083A7B2C5
SHA1:	DDC30111CB7CA9B455D4FA5C456739278FE795E9
SHA-256:	490773DF270E8E889C744DC00E3D956FB57CE7FA7ADC089E609E36A823FE6A84
SHA-512:	AB6EC0DBE95654E7AEE7D546437D0D7F88EEA496B629C36D446BB02997C89FF6CAAB51A6688071C104CFD0050C8EA4BEF6753F6E2BA51D8460802E1D875FB749
Malicious:	false
Preview:	<!DOCTYPE html>.<html lang="en">.<head>. <meta id="bb-bootstrap" data-current-user="{"isAuthenticated": false, "isKbdShortcutsEnabled": true, "isSshEnabled": false}"... data-target-workspace-uuid="fb83dd9a-6600-46cd-b25f-7b5decba6275". />. <script nonce="wbkeb7PhxsNWTD6gWDKlCg==">..if (window.performance) {.. . window.performance.okayToSendMetrics = !document.hidden && 'onvisibilitychange' in document;.. if (window.performance.okayToSendMetrics) {.. . window.addEventListener('visibilitychange', function () {. if (document.hidden) {. window.performance.okayToSendMetrics = false;. }. });. }.. . .}.</script>. <meta http-equiv="X-UA-Compatible" content="IE=edge" />. <meta name="viewport" content="width=device-width, initial-scale=1">. <meta charset="utf-8">. <title>404 — Bitbucket</title>. . ...<meta name="bb-env" content="production" />.<meta id="bb-canon-url" name="bb-canon-url" content="https://bitbucket.org"

C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	424960
Entropy (8bit):	6.516408105291076
Encrypted:	false
SSDEEP:	12288:5fSPtGpmLb84Jjzo6yrBuKuJ+ITOC0Ud:UtGpmf8edykhV0Ud
MD5:	07101CAC5B9477BA636CD8CA7B9932CB
SHA1:	59EA7FD9AE6DED8C1B7240A4BF9399B4EB3849F1
SHA-256:	488385CD54D14790B03FA7C7DC997EBEA3F7B2A8499E5927EB437A3791102A77
SHA-512:	02240FF51A74966BC31CFCC901105096EB871F588EFAA9BE1A829B4EE6F245BD9DCA37BE7E2946BA6315FEEA75C3DCE5F490847250E62081445CD25B0F406887
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L...).nf..........................................@.......................................@.................................,....................................K......8...................l..........@............................................text............................... ..`.rdata..:...........................@..@.data....e... ...4..................@....rsrc...............................@..@.reloc...K.......L...0..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	524288
Entropy (8bit):	7.635654081763349
Encrypted:	false
SSDEEP:	12288:4iFfKsLIh/4hBNR3lfo4T4A1i5g70dbRFpJtRSfF:40iP/E/pigb1i5Q0dbLLWf
MD5:	A957DC16D684FBD7E12FC87E8EE12FEA
SHA1:	20C73CCFDBA13FD9B79C9E02432BE39E48E4B37D
SHA-256:	071B6C448D2546DEA8CAED872FCA0D002F59A6B9849F0DE2A565FC74B487FA37
SHA-512:	FD6982587FBA779D6FEBB84DFA65EC3E048E17733C2F01B61996BEDB170BB4BB1CBB822C0DD2CF44A7E601373ABAF499885B13B7957DD2A307BBD8F2120E9B3B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........._.._.._....N.........I..q.M..q.J....X.._.....q....r.^..r.^..r..^..Rich_..................PE..L...;.~f...............'.j.......................@..........................0............@.........................0..P......<...............................@.......................................@...............h............................text...WX.......Z.................. ..`.BsS....m....p.......^.............. ..`.rdata...............n..............@..@.data........@......."..............@....reloc..@........ ..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	5.028173843086833
Encrypted:	false
SSDEEP:	3072:nqFFrqwIOGNTypEmz07s3WxL9z8b5bOMhd7ETZUf5IfcZqf7D34deqiOLCbBOa:qBIOGqDZOqdITZC4cZqf7DInL
MD5:	0970456D2E2BCB36F49D23F5F2EEC4CE
SHA1:	1E427BBEB209B636371D17801B14FABFF87921BE
SHA-256:	264DB4D677606C95912A93A457675D5EBAA24DC886DA8BBCB800FE831C540A54
SHA-512:	43C233E6C6FB20EE5830672F68EEC2A1930AFF6C3DA185B7AF56EDE90970041157755B8893A86336711C8BA8CBE3F22818DE8DDC1789ED65A7AACD596771909E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....4................0................. ........@.. ....................................@.................................p...O...................................T................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	161792
Entropy (8bit):	6.198135315600075
Encrypted:	false
SSDEEP:	3072:ed5iO3xGNftsLz4oPNKMQgC6OFr41uIG5RaopW:ej3xGNVwlJ7OF08IQRa
MD5:	253CCAC8A47B80287F651987C0C779EA
SHA1:	11DB405849DBAA9B3759DE921835DF20FAB35BC3
SHA-256:	262A400B339DEEA5089433709CE559D23253E23D23C07595B515755114147E2F
SHA-512:	AF40E01BC3D36BAF47EBA1D5D6406220DFBCC52C6123DD8450E709FED3E72BED82AAC6257FA7BDF7DD774F182919A5051E9712B2E7F1329DEFD0B159CB08385D
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......J.dZ............a.......a.......a...5...............................Z...a.......a.......Rich............................PE..L......f......................!..... I............@...........................#...........@.................................p4..<............................p#.."...................................................................................text...:........................... ....rdata..>y.......z..................@..@.data...,+!..@.......*..............@....reloc...A...p#..B...6..............@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	304128
Entropy (8bit):	5.030912824090733
Encrypted:	false
SSDEEP:	3072:KqFFrqwIOGTNyHESF9D4XpeSQ2BXUhdT5TZboHIrcZqf7D34NeqiOLCbBO1:JBIOG6CpcdlTZEmcZqf7DI3L
MD5:	9AB4DE8B2F2B99F009D32AA790CD091B
SHA1:	A86B16EE4676850BAC14C50EE698A39454D0231E
SHA-256:	8A254344702DC6560312A8028E08F844B16804B1FBF4C438C3CA5058D7B65EA1
SHA-512:	A79341EC3407529DAA0384DE4CAC25B665D3B0CB81E52ECADA0EBFE37D7616B16DA96B47B04F50CE0A6E46D5FCED3298A459F78A087C6B6EAC4ED444434C5FBE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....r................0................. ........@.. ....................................@.....................................O...................................h................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1221120
Entropy (8bit):	7.7257485313997885
Encrypted:	false
SSDEEP:	24576:EMcb8rNUYzf9lve3wiDzVT7BzSxISSAyDtZE/TDV3VqML8ldnoasAvK1:E4jiPGIT/DtZKqMaoasr1
MD5:	339271AF2BBDAD0395A479C3EF2A714A
SHA1:	4F38B94FDB7F3CC4CF9F79BBB4D4311B85F0E14B
SHA-256:	71769EBF723749783F5E79F7B8A43D6EF03582FCA2D1D26CAD69157B73004F2B
SHA-512:	B93D038FD8159CF46F9568F60A22080B0A6E7B383028B47983465DD0C5FE1611A0E0EB99E141C2EE1604B29DF6530605F489E05389904EFF51048BD9D2E4EB0E
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>..W_.W_.W_.^'V.Y_..#..p_..#..G_..#.\_..-.T_.W_.A^.W_.:_..".V_.RichW_.........PE..L...?..f.........."....#.$...................@....@.......................................@.....................................T...............................\%..pW.......................W.......V..@............@...............................text...[#.......$.................. ..`.rdata...Q...@...R...(..............@..@.data...\|............z..............@....reloc..\%.......&...\|..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\50EC.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6642176
Entropy (8bit):	7.866419732571782
Encrypted:	false
SSDEEP:	98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
MD5:	BD2EAC64CBDED877608468D86786594A
SHA1:	778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
SHA-256:	CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
SHA-512:	3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\786A.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	293869
Entropy (8bit):	5.61569579822855
Encrypted:	false
SSDEEP:	3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
MD5:	60172CA946DE57C3529E9F05CC502870
SHA1:	DE8F59D6973A5811BB10A9A4410801FA63BC8B56
SHA-256:	42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
SHA-512:	15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1949696
Entropy (8bit):	7.949882497026309
Encrypted:	false
SSDEEP:	49152:izPvPgeS5GaqaHrxCTZtEsO/kLMUunFvGA0WyUAD:YfgbNHrxCTkRWunZRyUA
MD5:	5AD5E4F1F3126C5D6CFDBFBBE5597C84
SHA1:	47B46CBE987E0E33C9D23F4C6CC304D116E5E80F
SHA-256:	E5170B080959816E3A0911125D5DE97BD4DE77574B091646A681D65CB5BC04E0
SHA-512:	8C58379F3107CC67944D003DF964F123848C9E7B55EDBDA3D256915CBBF666FA62E8878BB0C091C84E0057FE5097FEF8E3EB49F2382519DC4A06F31A4C37B163
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L...*.^f.............................PM...........@...........................M..........@.................................X...l...........................@6M..............................5M..................................................... . ............................@....rsrc...............................@....idata ............................@... ..+.........................@...vbhkqplo......2.....................@...oxgxjklu.....@M.....................@....taggant.0...PM.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	424960
Entropy (8bit):	6.516408105291076
Encrypted:	false
SSDEEP:	12288:5fSPtGpmLb84Jjzo6yrBuKuJ+ITOC0Ud:UtGpmf8edykhV0Ud
MD5:	07101CAC5B9477BA636CD8CA7B9932CB
SHA1:	59EA7FD9AE6DED8C1B7240A4BF9399B4EB3849F1
SHA-256:	488385CD54D14790B03FA7C7DC997EBEA3F7B2A8499E5927EB437A3791102A77
SHA-512:	02240FF51A74966BC31CFCC901105096EB871F588EFAA9BE1A829B4EE6F245BD9DCA37BE7E2946BA6315FEEA75C3DCE5F490847250E62081445CD25B0F406887
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L...).nf..........................................@.......................................@.................................,....................................K......8...................l..........@............................................text............................... ..`.rdata..:...........................@..@.data....e... ...4..................@....rsrc...............................@..@.reloc...K.......L...0..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\d3d9.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	286208
Entropy (8bit):	6.802631681931599
Encrypted:	false
SSDEEP:	6144:NsxKq9ZI3iaQalU4db+ovNiEcze7mxwChUTocD/5UR:StZILdb+ovNHcWk+tRUR
MD5:	8FA26F1E37D3FF7F736FC93D520BC8AB
SHA1:	AD532E1CB4A1B3CD82C7A85647F8F6DD99833BB1
SHA-256:	6C47DA8FBD12F22D7272FBF223E054BF5093C0922D0E8FB7D6289A5913C2E45D
SHA-512:	8A0B53CBC3A20E2F0FD41C486B1AF1FBBCF7F2FED9F7368B672A07F25FAAA2568BBDBCF0841233AC8C473A4D1DEE099E90BF6098A6FA15E44B8526EFDAFC1287
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.)...GQ..GQ..GQL.DP..GQL.BP..GQL.CP..GQL.FP..GQ z<Q..GQ..FQe.GQ.=BP..GQ.=CP..GQ.=DP..GQ..GQ..GQj=GP..GQj=EP..GQRich..GQ........................PE..L....N\|f...........!...&.`...................p............................................@.............................T...T...<............................p..P... ...............................`...@............p..P............................text...3_.......`.................. ..`.rdata...c...p...d...d..............@..@.data...\...........................@....reloc..P....p.......J..............@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\dcbedta

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	242688
Entropy (8bit):	6.222777587114456
Encrypted:	false
SSDEEP:	3072:cWUzbZ7SFvfCoR4ouq8i2OO3hfcCGmmoXxqXB1TB:c9bFSFvfCauqR2OOR0CPmoAXB1T
MD5:	5AB7C9BADBFDAB65FBC3E519BDB81235
SHA1:	C1CD2290478686E4CF2909F4A0A3153D10CA562A
SHA-256:	F49A9EAC84CBCAAC8B34D5E66E4679183E6A610EB1CDAC699E4E7151A816559F
SHA-512:	CA89E499B791E80596D6C7E3C38F22C5C37ACDC8E704CD2DB01F2D2B11E142F40CC6E85DA0EDE9D7577764BB6DEF2930FF15BB21E3F1E98D0654B6D155EB579D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........d..............................................................Rich....................PE..L...H..c.................2...b}.....F'.......P....@..........................P..............................................4\|..x.....~..............................\|...............................u..@............P...............................text...01.......2.................. ..`.rdata...5...P...6...6..............@..@.data.....\|..........l..............@....rsrc.........~......"..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\Hkbsse.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe
File Type:	data
Category:	dropped
Size (bytes):	306
Entropy (8bit):	3.475485327931845
Encrypted:	false
SSDEEP:	6:4JsqDZXUKJUEZ+lX1K+EetcVAkXIEZ8MlW8+y0l1sMct0:4JblvJQ1FjkXd8kX+V1sMct0
MD5:	F78C1CD25C8504EFE890BB196FA9CD41
SHA1:	070D236EE052119FB82FB941534781B2AB0B19E8
SHA-256:	3E7CDF126E8755D222F663AE29380BBF425BDB497537BDDE270A40152DF00008
SHA-512:	38F6F128E8A05E14CC728173A470FB616B8EF0803961A0A936D1662F0AEBC68C36D1ECAC22FF313171151FAF4F8C1E63F3465801F9990B854E9174348789FC7E
Malicious:	false
Preview:	......i..A.e.."w+qF.......<... .....s.......... ....................;.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.b.6.6.a.8.a.e.0.7.6.\.H.k.b.s.s.e...e.x.e.........F.R.O.N.T.D.E.S.K.-.P.C.\.f.r.o.n.t.d.e.s.k...................0.................3.@3P.........................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.524879780907104
Encrypted:	false
SSDEEP:	6:7Tj32rZX2JUEZ+lX1YC7UPelkDdtcVAkXIEZ8MlW8+y0l1sS1ut0:qrl2JQ1h7keeDhkXd8kX+V1sPt0
MD5:	B3252C897220F5415281719460C7003C
SHA1:	FB9438C4F4A17493E34FFA417A47137C1DE29771
SHA-256:	6BBC017BE7E25E64703CAE9D521F93ADCC5FAAC84FEA3B1B7A45C8FF59F6FFE1
SHA-512:	C35C5CCC978DE47621C2EB9109D06ED767776119ED8A859FA3AFA753AEB460B91648B44064790D8369528B6D76148508531BA8DB4577A524B8B5204C46BA98B4
Malicious:	false
Preview:	......7H.S.J.l6...7.F.......<... .....s.......... ....................<.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.8.2.5.4.6.2.4.2.4.3.\.a.x.p.l.o.n.g...e.x.e.........F.R.O.N.T.D.E.S.K.-.P.C.\.f.r.o.n.t.d.e.s.k...................0...................@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417077566757371
Encrypted:	false
SSDEEP:	6144:Jcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNj5+:2i58oSWIZBk2MM6AFBRo
MD5:	5203A346ACCF64BD4FBAAAD883466682
SHA1:	10F5C9A5C967742583F82317D8B664B6C93A7D75
SHA-256:	7E2D75806CB6704E6EA7872CD204DDD037B8471AEAB49158688B7EEA3C37736C
SHA-512:	464338DB18B8FB82E29C9216A7080C4C41DBC8EEC7119936D51C0F6FEB08AE543021EA75A2E562E699CC0A75CA6E7CD109CB57490D6997E212E6EF2ACA1FF926
Malicious:	false
Preview:	regfF...F....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6..m...................................................................................................................................................................................................................................................................................................................................................Y........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949882497026309
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	setup.exe
File size:	1'949'696 bytes
MD5:	5ad5e4f1f3126c5d6cfdbfbbe5597c84
SHA1:	47b46cbe987e0e33c9d23f4c6cc304d116e5e80f
SHA256:	e5170b080959816e3a0911125d5de97bd4de77574b091646a681d65cb5bc04e0
SHA512:	8c58379f3107cc67944d003df964f123848c9e7b55edbda3d256915cbbf666fa62e8878bb0c091c84e0057fe5097fef8e3eb49f2382519dc4a06f31a4c37b163
SSDEEP:	49152:izPvPgeS5GaqaHrxCTZtEsO/kLMUunFvGA0WyUAD:YfgbNHrxCTkRWunZRyUA
TLSH:	609533A53C413D1AC4BD4A3F50FAC6175A460D0C9CD3ADA8B15A027EBC6BF4B4746D2E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8d5000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x665ECF2A [Tue Jun 4 08:24:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FC3507F26AAh
setle byte ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+00000080h], dh
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a058	0x6c	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4d3640	0x10	vbhkqplo
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4d35f0	0x18	vbhkqplo
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2dc00	80f8d87bdc807e499aaf1a4c8e384660	False	0.9984097506830601	OpenPGP Secret Key	7.985661636626442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	6ea3d6a036f04fad3bfaeee3e3a2306d	False	0.580078125	data	4.537518694581537	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	6e66ae8f9a75bc604a087c954abf8737	False	0.15234375	data	1.0684380430289213	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2be000	0x200	d6f728e708aad6234c2f3c4c732e54f1	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
vbhkqplo	0x329000	0x1ab000	0x1aa800	446921f9c43326301ceb179e8efa12b6	False	0.9950141504249707	data	7.954343379648948	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oxgxjklu	0x4d4000	0x1000	0x400	3817adc06baf95fcec4f10602223427a	False	0.71484375	data	5.727441155830025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4d5000	0x3000	0x2200	0957947983583dd03c66d821eac60b86	False	0.06135110294117647	DOS executable (COM)	0.7031063399672679	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4d3650	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	18:19:00
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\setup.exe"
Imagebase:	0x780000
File size:	1'949'696 bytes
MD5 hash:	5AD5E4F1F3126C5D6CFDBFBBE5597C84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1335718111.0000000000781000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1295247202.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	18:19:05
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe"
Imagebase:	0xd50000
File size:	1'949'696 bytes
MD5 hash:	5AD5E4F1F3126C5D6CFDBFBBE5597C84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000003.1340637010.0000000005450000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	18:19:19
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000111001\streamer.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000111001\streamer.exe"
Imagebase:	0x7ff7e58d0000
File size:	8'077'824 bytes
MD5 hash:	2BC0DB539A8FAB08BF4104EB7F2DE7E7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Go lang
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	19:50:16
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe"
Imagebase:	0xe50000
File size:	1'228'288 bytes
MD5 hash:	242214131486132E33CEDA794D66CA1F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Author: Joe Security
Antivirus matches:	Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	19:50:16
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	19:50:16
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0xfb0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.2985442915.0000000000D97000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.2979412810.00000000009A5000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	19:50:23
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe"
Imagebase:	0x30000
File size:	424'960 bytes
MD5 hash:	07101CAC5B9477BA636CD8CA7B9932CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000012.00000000.1558483602.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000012.00000001.1558636048.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000125001\Freshbuild.exe, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	19:50:25
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe"
Imagebase:	0xa0000
File size:	424'960 bytes
MD5 hash:	07101CAC5B9477BA636CD8CA7B9932CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000002.3721434800.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000000.1571924265.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	19:50:26
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Imagebase:	0xa0000
File size:	424'960 bytes
MD5 hash:	07101CAC5B9477BA636CD8CA7B9932CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000002.1591289151.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000014.00000000.1580634291.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	19:50:26
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000128001\crypt6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000128001\crypt6.exe"
Imagebase:	0x950000
File size:	524'288 bytes
MD5 hash:	A957DC16D684FBD7E12FC87E8EE12FEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000015.00000002.1766982252.0000000000984000.00000004.00000001.01000000.00000010.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	19:50:26
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	19:50:26
Start date:	01/07/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xcd0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.1725978010.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.1730701339.0000000003005000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.1730701339.000000000320C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	19:50:26
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 312
Imagebase:	0x1b0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	19:50:28
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000130001\newlogs.exe"
Imagebase:	0x240000
File size:	304'128 bytes
MD5 hash:	0970456D2E2BCB36F49D23F5F2EEC4CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000001C.00000000.1604424609.0000000000242000.00000002.00000001.01000000.00000012.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000130001\newlogs.exe, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	19:50:29
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000030001\1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000030001\1.exe"
Imagebase:	0x400000
File size:	242'688 bytes
MD5 hash:	5AB7C9BADBFDAB65FBC3E519BDB81235
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001D.00000002.1733003318.0000000004751000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001D.00000002.1731585464.0000000002CF0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001D.00000002.1732396588.0000000002E7F000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000001D.00000002.1731795497.0000000002E50000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	19:50:30
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000131001\stealc_zov.exe"
Imagebase:	0x670000
File size:	161'792 bytes
MD5 hash:	253CCAC8A47B80287F651987C0C779EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000001E.00000002.3246282241.0000000000671000.00000080.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: 0000001E.00000000.1626680891.0000000000671000.00000080.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000002.3253196332.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, Author: Joe Security Rule: JoeSecurity_MarsStealer, Description: Yara detected Mars stealer, Source: C:\Users\user\AppData\Local\Temp\1000131001\stealc_zov.exe, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	19:50:31
Start date:	01/07/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Imagebase:	0x4c0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.1709677823.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.1653312909.00000000036E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.1710428950.00000000036E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000003.1665322987.00000000036E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	19:50:32
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000132001\newbuild.exe"
Imagebase:	0xe30000
File size:	304'128 bytes
MD5 hash:	9AB4DE8B2F2B99F009D32AA790CD091B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000021.00000002.1833633665.00000000031B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000132001\newbuild.exe, Author: Joe Security
Antivirus matches:	Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	19:50:36
Start date:	01/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	19:50:36
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\1000144001\ZharkBOT.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000144001\ZharkBOT.exe"
Imagebase:	0x390000
File size:	1'221'120 bytes
MD5 hash:	339271AF2BBDAD0395A479C3EF2A714A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000023.00000003.1790275554.00000000028D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000023.00000003.1803784360.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	19:50:57
Start date:	01/07/2024
Path:	C:\ProgramData\34vgn892c.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\34vgn892c.exe"
Imagebase:	0xe90000
File size:	1'221'120 bytes
MD5 hash:	339271AF2BBDAD0395A479C3EF2A714A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000026.00000003.2053180664.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000026.00000003.2065808485.00000000032CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	19:50:59
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Roaming\dcbedta
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\dcbedta
Imagebase:	0x400000
File size:	242'688 bytes
MD5 hash:	5AB7C9BADBFDAB65FBC3E519BDB81235
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000027.00000002.2186372317.0000000002DA1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000027.00000002.2185619506.0000000002D70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000027.00000002.2185877753.0000000002D80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000027.00000002.2187001287.0000000002F8E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	19:51:00
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\b66a8ae076\Hkbsse.exe
Imagebase:	0xa0000
File size:	424'960 bytes
MD5 hash:	07101CAC5B9477BA636CD8CA7B9932CB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000028.00000000.1918746786.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000028.00000002.1931585603.00000000000A1000.00000020.00000001.01000000.0000000F.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	19:51:00
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\8254624243\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\8254624243\axplong.exe
Imagebase:	0xd50000
File size:	1'949'696 bytes
MD5 hash:	5AD5E4F1F3126C5D6CFDBFBBE5597C84
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000029.00000003.1949201156.0000000005430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000029.00000002.1990646891.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	19:51:11
Start date:	01/07/2024
Path:	C:\Users\user\AppData\Local\Temp\50EC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\50EC.exe
Imagebase:	0xa90000
File size:	6'642'176 bytes
MD5 hash:	BD2EAC64CBDED877608468D86786594A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Has exited:	true

Show Windows behavior

Function 04F40C63 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42cd86f5e6caedccbdd63d080f4d9db0cc5d861dd8e0befb7a281096e7f00a93
Instruction ID: bf42d99d71c88ff78bf8659aa825a62e593f5d614a6697a67a29bf26cde49d5a
Opcode Fuzzy Hash: 42cd86f5e6caedccbdd63d080f4d9db0cc5d861dd8e0befb7a281096e7f00a93
Instruction Fuzzy Hash: 55111CEB248160BDB14280826B54AF66F7EE6D6671731842BFA07D4506EE892A4F7032

Function 04F40C6C Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ac23c0fc6f59a1c7850190c554e1223afd86e2988889008033942de494d92b
Instruction ID: ba1aac1a0da9ef24e3fe5ff11435889c2b8b457a89ef778209bd9c271bec9071
Opcode Fuzzy Hash: f9ac23c0fc6f59a1c7850190c554e1223afd86e2988889008033942de494d92b
Instruction Fuzzy Hash: 9621E1EB24D154BDB10245412B60DF66F7EE7D3631331882AFB43C5506EE9A2A4F7031

Function 04F40BBD Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa56732822282a0db976c11456bcd07b140e07262cab671fce1ef2609c25bca
Instruction ID: 8a9f1931fc70dd4b8f297a64f7f5d55cc26f8eba2818b815d2f9fbc7fcb6a0ed
Opcode Fuzzy Hash: 4fa56732822282a0db976c11456bcd07b140e07262cab671fce1ef2609c25bca
Instruction Fuzzy Hash: 1821D1EB24C114BDB04284426B64AFA2F6EE3C67307318427FA07C5502FE992A8F7032

Function 04F40BE9 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c79bc10a7b6015a90a67d70cccc02021404e184939cb9532201bf787c2544646
Instruction ID: 1a518f2cd8f7e51289957e12b8fb3c16636d61bf6cf615ba21eda48b4cf6c6a7
Opcode Fuzzy Hash: c79bc10a7b6015a90a67d70cccc02021404e184939cb9532201bf787c2544646
Instruction Fuzzy Hash: 4021A0EB24D164BDB14290422B54EFA6F6EE3C6630731842BFA03C9506EE992A4F7031

Function 04F40C03 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec3e47a02c00bc498588165e0084b274d1156b4f777d71123510e57e97caa19
Instruction ID: d742539a67ec59d2695227655825929c4558cfa19e4ee5f21721d791409ba5be
Opcode Fuzzy Hash: cec3e47a02c00bc498588165e0084b274d1156b4f777d71123510e57e97caa19
Instruction Fuzzy Hash: 662191EB24D160BDB14241426B549F66F7ED7C6730331846BFA03C9506EE992A4F7032

Function 04F40C23 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f46e3b4bdce6b7f43d985237dafbb29900205fce0e8299b711c0bc085b9312a
Instruction ID: 267aeaeec4415f3e5c81e79c4dd0b2b728049b64ae24bb014f756a441bb87623
Opcode Fuzzy Hash: 5f46e3b4bdce6b7f43d985237dafbb29900205fce0e8299b711c0bc085b9312a
Instruction Fuzzy Hash: 932171EB24C150BDF14290426B54EF66F7EE7D6631731842BFA03C5506EE992A8F7032

Function 04F40C40 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a97ec315267a1a29dd62428a67181af5e584b0a1110ac1d1f4f02604700f877c
Instruction ID: 31de2010d2dd934e90b179d66fbeb49ee515b64f609a45080d87771d9ffcf6c6
Opcode Fuzzy Hash: a97ec315267a1a29dd62428a67181af5e584b0a1110ac1d1f4f02604700f877c
Instruction Fuzzy Hash: EC21B0EB24D150BDB10291822B54AF76F7EE7D26303318427FA03C4506FE992A4F7032

Function 04F40C94 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cd67c7867d0061fbf3377a368ff027dd7319f41435ff0e9a3ee37ddb214bc48
Instruction ID: 865cb0a194a07c20779015f18ac02fdcc5003471dad67f2bcf7f6ea1de65f748
Opcode Fuzzy Hash: 9cd67c7867d0061fbf3377a368ff027dd7319f41435ff0e9a3ee37ddb214bc48
Instruction Fuzzy Hash: C611FEEB2481607DF14285427F24EFA6F7EE6D2631731C42BF947D4506EE892A8E7132

Function 04F40CDE Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96df546348e2b854b131132a95582678dfb00242f4446e46e2dd99b210c308bd
Instruction ID: dbd74d3889cc7e0094e64a3a88631b4b101ed45bf26a88fe8bdb2fbf1baa4a2d
Opcode Fuzzy Hash: 96df546348e2b854b131132a95582678dfb00242f4446e46e2dd99b210c308bd
Instruction Fuzzy Hash: 74F0A4AB248154BDB14190423B14AF76F7DE6D2631331852BFA07D5506EE492A9EB032

Function 04F40CD0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed00992a42b9cf146939c733a33582b793849bf8ecbf40aed961dc962acf7579
Instruction ID: 332e2b61256c3abe67df64bd1090c0d87ab0df3faa54989031b86de60342e3d3
Opcode Fuzzy Hash: ed00992a42b9cf146939c733a33582b793849bf8ecbf40aed961dc962acf7579
Instruction Fuzzy Hash: FBF0A4BB24D164BDB14190422B14AFA6F3DE7D2231331841BF903D4106EE452A8EB132

Function 04F40CE7 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157ddc78f3e03c68cbd6496fadc5418311b8f8ebdc0a0b0e148151784306e81f
Instruction ID: e9230496ec56b3a6061c8141ab9d2b40166ba09f3c40646aa50173aa95ffbb51
Opcode Fuzzy Hash: 157ddc78f3e03c68cbd6496fadc5418311b8f8ebdc0a0b0e148151784306e81f
Instruction Fuzzy Hash: 08F0C2AB20C164BCF08695427B14AF66F3DE7D22313348927F943C4506EE493A9EB132

Function 04F40D0F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65454db13138341068f140abe73a430ddb47e4a5f0676e87cd4c81a43c342f51
Instruction ID: ae2b6ac800380562ade7ea60079fce883eb2d9d266700598131f4c16026d73ae
Opcode Fuzzy Hash: 65454db13138341068f140abe73a430ddb47e4a5f0676e87cd4c81a43c342f51
Instruction Fuzzy Hash: 61F028E72082607DF14250912F21AF66F7DD6D66307318527F943D6143ED491A8EB032

Function 04F40CFF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb438e825a8e671f24e21ff63abbf8efb8c9baa9b5a6b1956917ee51069f1057
Instruction ID: 2ec60c4baf3f820836458bb905204d581ca1399c6dff78b8087f59c6d3e00610
Opcode Fuzzy Hash: eb438e825a8e671f24e21ff63abbf8efb8c9baa9b5a6b1956917ee51069f1057
Instruction Fuzzy Hash: 87F0B4AB348150BDF04685427B149FA6F7ED7D1631330846BF943C0506FF59268EB032

Function 04F40D3B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1339749539.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4f40000_setup.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1bb26daaafb6127ba7df4978b131f8d17f04406f438647b24d217e53dd20eb
Instruction ID: 84e14a60e86c6e8ae4f1d3f356141e2e26ea3612ff62c6224d8522347064df27
Opcode Fuzzy Hash: 7f1bb26daaafb6127ba7df4978b131f8d17f04406f438647b24d217e53dd20eb
Instruction Fuzzy Hash: 6EF065EB2481607CB05280423B54EF76F7ED6D2630331C467F903C1602EE89269E7032

Analysis Process: axplong.exePID: 7520, Parent PID: 5368COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.3%
Total number of Nodes:	1947
Total number of Limit Nodes:	32

Executed Functions

Function 00D5BD30 Relevance: 21.3, APIs: 6, Strings: 6, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00DA8D18,00000000,00000000,00000000,00000000), ref: 00D5BDBD
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00D5BDE0
HttpOpenRequestA.WININET(?,00000000), ref: 00D5BE2B
HttpSendRequestA.WININET(?,00000000), ref: 00D5BEEA
InternetReadFile.WININET(?,?,000003FF,?), ref: 00D5BF9D
InternetReadFile.WININET(?,?,000003FF,?,?,?,?,?), ref: 00D5C051
InternetCloseHandle.WININET(?), ref: 00D5C077
InternetCloseHandle.WININET(?), ref: 00D5C07F
InternetCloseHandle.WININET(?), ref: 00D5C087

Strings

invalid stoi argument, xrefs: 00D5E3D4
SbKm, xrefs: 00D5D4E6
9wGTaHilQw==, xrefs: 00D5C2BB, 00D5C513
9wGTaLGWQy9=, xrefs: 00D5C355
StYMTE==, xrefs: 00D5BE03
stoi argument out of range, xrefs: 00D5E3CA

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: 9wGTaHilQw==$9wGTaLGWQy9=$SbKm$StYMTE==$invalid stoi argument$stoi argument out of range
API String ID: 1354133546-230317815
Opcode ID: 4aed76e82a0772e10045dd69cc8a957859532f6d1b365938b0c31db729274be0
Instruction ID: 32f0730f73d1df218ec5f85a4a91db6dcb747d5ab587d40f5341b60f8ff716b0
Opcode Fuzzy Hash: 4aed76e82a0772e10045dd69cc8a957859532f6d1b365938b0c31db729274be0
Instruction Fuzzy Hash: 72B1D1B1A102189FDF24CF28CC85BAEBBA5EF41305F504199FD0997291D7719AC88FB4

Function 00D5E410 Relevance: 13.5, Strings: 10, Instructions: 1000
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

111, xrefs: 00D5F680
e76b71, xrefs: 00D5FA6E
HcKn91KZ, xrefs: 00D5E44F
XIt=, xrefs: 00D6085D
XIp=, xrefs: 00D604AA
Vp==, xrefs: 00D5E9EF, 00D5EC36
NvB+, xrefs: 00D5E704
NF==, xrefs: 00D5E475
Xst=, xrefs: 00D5F5FD, 00D5F8DA
246122658369, xrefs: 00D5F617, 00D5F8F4, 00D604C7, 00D6087A

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 111$246122658369$HcKn91KZ$NF==$NvB+$Vp==$XIp=$XIt=$Xst=$e76b71
API String ID: 0-788600999
Opcode ID: 53403499edf943148f7c3992f6751f2d73e6dba19c34c630a3016df0486745c5
Instruction ID: cea90023b2741b56d7c0e83313b73953724b50213075b91bdfe62b8c3143002a
Opcode Fuzzy Hash: 53403499edf943148f7c3992f6751f2d73e6dba19c34c630a3016df0486745c5
Instruction Fuzzy Hash: 9982C370A04248DBEF14EF68C9497DE7FB5EB46304F504198E8056B3C6D7B59A88CBB2

Function 00D56590 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00D56630

Strings

JHKlbU==, xrefs: 00D56781
SnPe LOj, xrefs: 00D5664C
HHQlbU==, xrefs: 00D566D8

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: HHQlbU==$JHKlbU==$SnPe LOj
API String ID: 1484870144-2237643154
Opcode ID: f657f84f4e613413fbd850f55edaa39aee581b53cacae77655e609d3bd37ef25
Instruction ID: 7c52ebee3216ae7a1d82210db0209b99907f26a8edaaa48c3029cb059ad72555
Opcode Fuzzy Hash: f657f84f4e613413fbd850f55edaa39aee581b53cacae77655e609d3bd37ef25
Instruction Fuzzy Hash: 2291D5B1A001189BDF28DB28CC85BEDB7B9EB45305F8045E9E91997291DA709FC8CF74

Function 00D6D2E8 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00D523BE

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 5cf63bcba7f061156fa317a7ac6863b99d336e3d965be2d43b8757546de473d0
Instruction ID: 64728e61a3e2e2f0372007288cc967c662cd2b52495b4b30350a09ccc69fb73d
Opcode Fuzzy Hash: 5cf63bcba7f061156fa317a7ac6863b99d336e3d965be2d43b8757546de473d0
Instruction Fuzzy Hash: 6C515AB2E00706CBDB15DF58E881BAAB7B6FB48310F28866AD415EB255D3759940CF70

Function 00D63520 Relevance: 51.5, APIs: 1, Strings: 28, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00D6422F

Part of subcall function 00D67840: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00D6792C
Part of subcall function 00D67840: __Cnd_destroy_in_situ.LIBCPMT ref: 00D67938
Part of subcall function 00D67840: __Mtx_destroy_in_situ.LIBCPMT ref: 00D67941

Strings

XvPZ, xrefs: 00D65373
SBZ, xrefs: 00D65440
Inhk, xrefs: 00D6375F
avBZ, xrefs: 00D653C5
a9P=, xrefs: 00D66353
246122658369, xrefs: 00D61E75, 00D627BE, 00D62A13, 00D62A80, 00D62E58, 00D63343, 00D633A4, 00D64F0A, 00D64F1D, 00D64F5F, 00D64F69, 00D654C4
bcBZ, xrefs: 00D654AB
Xvml, xrefs: 00D63BA9
e76b71, xrefs: 00D65459
WRQd, xrefs: 00D63D90
bLTZ, xrefs: 00D6539C
NvB+, xrefs: 00D64746, 00D647BD, 00D64A65, 00D64ADC
LrTsKE==, xrefs: 00D65489
NvF+, xrefs: 00D6478D, 00D648BC, 00D64AAC, 00D64BDB
Wb Z, xrefs: 00D65417
WMNZ, xrefs: 00D6534A
Gl==, xrefs: 00D6366E, 00D64CFD
aSF2aA==, xrefs: 00D646E2
WMxZ, xrefs: 00D653EE
9LFZ, xrefs: 00D654D2
stoi argument out of range, xrefs: 00D62DD2, 00D62DF0, 00D64239, 00D64E7C
wNZ, xrefs: 00D65321
invalid stoi argument, xrefs: 00D62DB9, 00D62DC8, 00D6422A, 00D64E6D
5120, xrefs: 00D63A8F, 00D63B7A
XM7e, xrefs: 00D63ABE
aRFZ, xrefs: 00D65467
R2Z, xrefs: 00D652ED
", xrefs: 00D63E69

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: R2Z$ SBZ$ wNZ$"$246122658369$5120$9LFZ$Gl==$Inhk$LrTsKE==$NvB+$NvF+$WMNZ$WMxZ$WRQd$Wb Z$XM7e$XvPZ$Xvml$a9P=$aRFZ$aSF2aA==$avBZ$bLTZ$bcBZ$e76b71$invalid stoi argument$stoi argument out of range
API String ID: 4234742559-736024444
Opcode ID: 6c55462c48f225ef2d11aafb73387d2affec54d8261ee744529d51688cf94e6e
Instruction ID: db0cfacc09a27de89caf2730bdf52915081b395778ae0f913c4adac932687538
Opcode Fuzzy Hash: 6c55462c48f225ef2d11aafb73387d2affec54d8261ee744529d51688cf94e6e
Instruction Fuzzy Hash: 96520371A00248DBDF18EF78CC5AB9DBBB5EF56304F604188E405A7286D7759A84CBB2

Function 00D64690 Relevance: 35.5, APIs: 1, Strings: 21, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00D67840: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00D6792C
Part of subcall function 00D67840: __Cnd_destroy_in_situ.LIBCPMT ref: 00D67938
Part of subcall function 00D67840: __Mtx_destroy_in_situ.LIBCPMT ref: 00D67941

Part of subcall function 00D5BD30: InternetOpenW.WININET(00DA8D18,00000000,00000000,00000000,00000000), ref: 00D5BDBD
Part of subcall function 00D5BD30: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 00D5BDE0
Part of subcall function 00D5BD30: HttpOpenRequestA.WININET(?,00000000), ref: 00D5BE2B

std::_Xinvalid_argument.LIBCPMT ref: 00D64E72

Strings

NvF+, xrefs: 00D6478D, 00D648BC, 00D64AAC, 00D64BDB
XvPZ, xrefs: 00D65373
SBZ, xrefs: 00D65440
Wb Z, xrefs: 00D65417
WMNZ, xrefs: 00D6534A
Gl==, xrefs: 00D6366E, 00D64CFD
avBZ, xrefs: 00D653C5
aSF2aA==, xrefs: 00D646E2
WMxZ, xrefs: 00D653EE
9LFZ, xrefs: 00D654D2
a9P=, xrefs: 00D66353, 00D66622
246122658369, xrefs: 00D64F0A, 00D64F1D, 00D64F5F, 00D64F69, 00D654C4
stoi argument out of range, xrefs: 00D64239, 00D64E7C
wNZ, xrefs: 00D65321
bcBZ, xrefs: 00D654AB
e76b71, xrefs: 00D65459
bLTZ, xrefs: 00D6539C
NvB+, xrefs: 00D64746, 00D647BD, 00D64A65, 00D64ADC
LrTsKE==, xrefs: 00D65489
aRFZ, xrefs: 00D65467
R2Z, xrefs: 00D652ED

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: R2Z$ SBZ$ wNZ$246122658369$9LFZ$Gl==$LrTsKE==$NvB+$NvF+$WMNZ$WMxZ$Wb Z$XvPZ$a9P=$aRFZ$aSF2aA==$avBZ$bLTZ$bcBZ$e76b71$stoi argument out of range
API String ID: 2414744145-383584070
Opcode ID: 97b9488f3d66a0b789d2ee5036ed559725eb4134d3803bdf1fe5946a1a603d5e
Instruction ID: 1ef4a8180052d2efaa63aa80d987861238a08ce046987517ac6536152a2bfee8
Opcode Fuzzy Hash: 97b9488f3d66a0b789d2ee5036ed559725eb4134d3803bdf1fe5946a1a603d5e
Instruction Fuzzy Hash: 4D232371E002488BEB19DB28CD8979DBBB69B91304F5082D8E409A72D6DB759FC4CF71

Function 00D55DD0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000422, xrefs: 00D55FB9
0000043f, xrefs: 00D5601B
00000419, xrefs: 00D55F88
Keyboard Layout\Preload, xrefs: 00D55F44
00000423, xrefs: 00D55FEA

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 7a19fd477602e770114ddcace1df7a078b56a69d9bfb2a0ae6f8fbc266b3b07a
Instruction ID: df78ae318eb34ad34ff9b928e49a2a41d9d8e4f9840494d78f4075315abf99be
Opcode Fuzzy Hash: 7a19fd477602e770114ddcace1df7a078b56a69d9bfb2a0ae6f8fbc266b3b07a
Instruction Fuzzy Hash: E5E1AD71904218ABDF24DFA4CC99BDEB7B9EB05304F5042D9E809A7291DB749BC8CF61

Function 00D57CE0 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00D57E83

Strings

K9pqLk==, xrefs: 00D58192
K9prKk==, xrefs: 00D580EA
K9pqMU==, xrefs: 00D58042

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: K9pqLk==$K9pqMU==$K9prKk==
API String ID: 1721193555-747669196
Opcode ID: f688d82992908aafc8fad6e6c6546a38431fc68f4ded05888cec6db604e3c7ab
Instruction ID: a48ee9e5a7b8548ca8a0584881bf32fce666f2fafc01c53b3eafc63fbf464511
Opcode Fuzzy Hash: f688d82992908aafc8fad6e6c6546a38431fc68f4ded05888cec6db604e3c7ab
Instruction Fuzzy Hash: 79D10771E00644DBDF14BB28DC5A7AD7B61EB46315F940288EC15AB3C2DB745E888BF2

Function 00D86DE1 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00D86E03
GetFileInformationByHandle.KERNEL32(?,?), ref: 00D86E5D
__dosmaperr.LIBCMT ref: 00D86EF2

Part of subcall function 00D87157: __dosmaperr.LIBCMT ref: 00D8718C

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: fda12f839f563332a48b8080ebae8dda2f6bad0ec8183089ef0f74e0eb356798
Instruction ID: 182db584c45a6902996b5921f8b5cdb26cae93e3233d5a4a1ebea7113cfa564d
Opcode Fuzzy Hash: fda12f839f563332a48b8080ebae8dda2f6bad0ec8183089ef0f74e0eb356798
Instruction Fuzzy Hash: A1415A75900244ABDB24EFB5D8459AFBBF9EF89310B14842DF956D3610EB31E804CB31

Function 00D58290 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00D58434

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: eaf439b11294d4f5596156b7c7d8a3b535f389e3390959ddec1252d0677fabf1
Instruction ID: b638675258c84cdef3b4a3d3c7eaac061c85bcfbb99cd80b0f0fe8dfb1febdb0
Opcode Fuzzy Hash: eaf439b11294d4f5596156b7c7d8a3b535f389e3390959ddec1252d0677fabf1
Instruction Fuzzy Hash: 19512370D102099BEF24EB28CD497EEB775EB45301F504298EC08A72D1EF319A888BB1

Function 00D86C79 Relevance: 1.6, APIs: 1, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97bd002be2ed4350ecd71657ee67e8bf83d43f7ae3732c8b0b6415cb17c521e6
Instruction ID: ff5db3d15b2beea112a7317b7b3cb27ae07ebdf8ff42755db4727f0568c06498
Opcode Fuzzy Hash: 97bd002be2ed4350ecd71657ee67e8bf83d43f7ae3732c8b0b6415cb17c521e6
Instruction Fuzzy Hash: 0921B372A05108AAEB11BB68AC46B9F3B29EF41378F240314F9242B1D1DBB0ED0597B1

Function 00D86F51 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00D86F93

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 2f9edb3e08ee384b5de7c86fd1a2c60e8a082f3c0987c2a3856af9e8d5a56c06
Instruction ID: 28e483c6803f7835e1c203922df976e37a2352ad276004a621b157ecf4d14c54
Opcode Fuzzy Hash: 2f9edb3e08ee384b5de7c86fd1a2c60e8a082f3c0987c2a3856af9e8d5a56c06
Instruction Fuzzy Hash: 171121B290020DABCB00EED5D945EDFB7BCAF48320F545266E611E6190E730EB49CB71

Function 00D8AEEB Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,B2E73BC7,?,?,00D6D302,B2E73BC7,?,00D678CB,?,?,?,?,?,?,00D57415,?), ref: 00D8AF1E

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: adc64603edef93b5fe10088f3d9f9b6cd5a670e3291edda2b3b268b80a770a52
Instruction ID: 413e0f63afd21f4eda20f914dec48cf189a5e3eee8411b36d7573415f1c78eba
Opcode Fuzzy Hash: adc64603edef93b5fe10088f3d9f9b6cd5a670e3291edda2b3b268b80a770a52
Instruction Fuzzy Hash: 6AE022B1204622AAFB22336E5C40B6B7A9CCF823B1F180122FF4497180DB24CC0083F3

Function 00D66AB0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00D66B35

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 0c08e5b477f82f89bae5670281c0765060ad6d5cde938ba6808d496210136d9b
Instruction ID: 26895527868e7f68735e91d20efe00a87cf6b86e3f849f80732b33524be2628c
Opcode Fuzzy Hash: 0c08e5b477f82f89bae5670281c0765060ad6d5cde938ba6808d496210136d9b
Instruction Fuzzy Hash: 49F0A972A40604EBCB01BB6CDD0775E7B74EB16B61F800358E811673D5EA70590487F2

Function 05620DF3 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b08e0dad98093b7315f3b66c19cbd30a097ab33dbf2d9412a30585a1b8f0493
Instruction ID: bd02e9307f229d8c3112a7c1c8aebe02540c13d9df6b4a9ebdf161bcd3d583fe
Opcode Fuzzy Hash: 3b08e0dad98093b7315f3b66c19cbd30a097ab33dbf2d9412a30585a1b8f0493
Instruction Fuzzy Hash: F12105EA04D670AEE342C2956658AF67F2FEAC76307344467F4C6CA542E1840A8ACA71

Function 05620DD0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09435d986d368accb6023d57fe8500b94aaab8d1ce049bb7a4321929f911b317
Instruction ID: ae6faa4c210db54804be36dfd7c8616e29bade6bccf05fb36d05a0964d198010
Opcode Fuzzy Hash: 09435d986d368accb6023d57fe8500b94aaab8d1ce049bb7a4321929f911b317
Instruction Fuzzy Hash: CF11C4EB14C930BE6342C1856B4C6BA7B5FE6DB6303304456F487C5642D2840ACBD932

Function 05620D99 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5859c6ee633de25b69e15375706c8312b769191f5934330a9d85e7c8ec0a2ef1
Instruction ID: 534a0e38651c9afab8e426d55fe14ca10d41b85ee001cdc31a69ca2614cce9cc
Opcode Fuzzy Hash: 5859c6ee633de25b69e15375706c8312b769191f5934330a9d85e7c8ec0a2ef1
Instruction Fuzzy Hash: D91161EB14D531BD7242C1856B4CAFB6A6FE6DB7307308427F487C5601E2880ACAD931

Function 05620DA9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 949ea29a1741c8749771c86623c7d1628c1cff0846506624e4f6fd7c48cfd4ea
Instruction ID: 12c2d9ea43131242aba419c3e8b528cf55eb2bc3fedad6249f9d5e45c7156d81
Opcode Fuzzy Hash: 949ea29a1741c8749771c86623c7d1628c1cff0846506624e4f6fd7c48cfd4ea
Instruction Fuzzy Hash: 5611C1EB14C634BEA342C18567586FB6B6FE6DB730730842BF887C6502D1880ADAD531

Function 05620D72 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4a0364636efb445f6d7a4ae41f81efde41776ebdf076f839104169ecf92f204
Instruction ID: 7d4e4e01be720b6394d2f48d1485f7bf899840b0c6cfcf8a2053887e2111b284
Opcode Fuzzy Hash: c4a0364636efb445f6d7a4ae41f81efde41776ebdf076f839104169ecf92f204
Instruction Fuzzy Hash: AC0140EB14D531BD6242C185675C6FA6B6FE6DB7307308827F587C5601D2880ADBD932

Function 05620E34 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4733fcbbf527593a0bb1bfd2f6ef366a5d7ce1a06d6b60e1d6e20c31e3279b2
Instruction ID: 3ede8e69accaee3ace6d9835790ec650745f3565afb6452385e039a4170fc491
Opcode Fuzzy Hash: f4733fcbbf527593a0bb1bfd2f6ef366a5d7ce1a06d6b60e1d6e20c31e3279b2
Instruction Fuzzy Hash: 280184EB18C531BD6341D1C56B4CAFA6A2FE6D77307308427F883C5502E2884ACAD935

Function 05620E29 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c45f0679d4292ffa11bdb37ad7708347f0ab2de3bda7563c683fb10ca96a00
Instruction ID: c569936f00a195ffd5ce42f55effc5c8ea839a9815835e7fa206dd72f5f53895
Opcode Fuzzy Hash: 93c45f0679d4292ffa11bdb37ad7708347f0ab2de3bda7563c683fb10ca96a00
Instruction Fuzzy Hash: 08F04FEB18D534BD7252D1856B5CAFA6A6FE2D77307308427F587C0902A2880ADED436

Function 05620E4B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a131eb75dd482352415b38405032e90d852e644d4894c5b1dbe2a0f2369c0f50
Instruction ID: 0c5258ffd8f1afc74e7d6dea5f107ad846b0da45a4963425087258088d66d45b
Opcode Fuzzy Hash: a131eb75dd482352415b38405032e90d852e644d4894c5b1dbe2a0f2369c0f50
Instruction Fuzzy Hash: 4CF09AEB08C420BDA242D0C227586FA6B1FE6E72307308457B983C4A42928807DEE532

Function 05620E8B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6028e42a82edeffc673eadc754b4b104e67b1ee4753e9a1b35a19027332e017b
Instruction ID: b73550ebe017fef60be1887634c22a21e9d93b658f20fb86f7e094a0f502959c
Opcode Fuzzy Hash: 6028e42a82edeffc673eadc754b4b104e67b1ee4753e9a1b35a19027332e017b
Instruction Fuzzy Hash: 26F0FCE718C5306DA341D096269C6FA675FF7D7230B304067F582C1906D28946CED431

Function 05620E70 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 000ca972b088e3e0b55a0cdbad4f69e8acd883d86f2201819fa4530754658eed
Instruction ID: d8d664008a2dde86719cef43150e732cb72a88d542038eabf2a4ec26557d46fc
Opcode Fuzzy Hash: 000ca972b088e3e0b55a0cdbad4f69e8acd883d86f2201819fa4530754658eed
Instruction Fuzzy Hash: 7DF089E758C531BEA351D0D666486FBA75FF6D72307308026B543C1946E38946DEE431

Function 05620E60 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3789780360.0000000005620000.00000040.00001000.00020000.00000000.sdmp, Offset: 05620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_5620000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5e832286537a526e3bfadf5146925016a2baacd68aa4ae30d826c104f47c9c8
Instruction ID: a7d7fac10dbe20f4af365caed5de5e649f0ace97d4d58d44904abbc7f4b7dce6
Opcode Fuzzy Hash: d5e832286537a526e3bfadf5146925016a2baacd68aa4ae30d826c104f47c9c8
Instruction Fuzzy Hash: 6AF08CEB18C5307EB242C0C2761DAFA6B2FE6D33717308467F983C0942928806CEE532

Non-executed Functions

Function 00D93048 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00D931C3

Strings

1#SNAN, xrefs: 00D9435A
1#IND, xrefs: 00D94353
1#INF, xrefs: 00D9437E
1#QNAN, xrefs: 00D94361

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 90ab5a9378c7877637cd806942502c66b1cb7c2ec09a73f07802b3c2eda5e468
Instruction ID: ce1c5ee0a22ade5488111048a31e39904fc6c8500136532ad8e378e7a11731f0
Opcode Fuzzy Hash: 90ab5a9378c7877637cd806942502c66b1cb7c2ec09a73f07802b3c2eda5e468
Instruction Fuzzy Hash: 4AC22971E086288FDF65CE28DD407EAB3B5EB48315F1841EAD84DE7241E775AE818F60

Function 00D92BB0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: c1d14111745c99534221589b0573dd3af78ceb3bf05789115e38e3bc1810d3cb
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 22F12E71E012199FDF14CFA9D8906AEB7F1FF48314F158269E819AB344D731AE41CBA4

Function 00D6CAED Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00D6CE55,?,?,?,?,00D6CE8A,?,?,?,?,?,?,00D6C400,?,00000001), ref: 00D6CB06

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 96c5d951de41ee461a1e3fc9269c7c848a0474b390ae53652e93d1ded03ee056
Instruction ID: 9a32556e49c6acccf5ba997ae491dd078f00fbd9d51622948a31c2bb9b5b8963
Opcode Fuzzy Hash: 96c5d951de41ee461a1e3fc9269c7c848a0474b390ae53652e93d1ded03ee056
Instruction Fuzzy Hash: 16D0223270323893CA022B88BC086BCBB08AF81B503440021E805A3220CA50AC004BF4

Function 00D87D63 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00D87EDF

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 1ed0660ac84fbb984c1110d3caae6899250f302e56cd07df51722139f3e6f160
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 4751677060C64A9ADF3ABA2C88D67FE679A9F51300F3C0499F582D7382DA11DD449372

Function 00D54CD0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab62d19a61153be7cf53744152f961341d5bd379cbdadb02a85de773c5555b0
Instruction ID: 01bd9d702850a62acccf3683fa3f1d7661e5e40bf204bf3bd1b4ab770a16454c
Opcode Fuzzy Hash: aab62d19a61153be7cf53744152f961341d5bd379cbdadb02a85de773c5555b0
Instruction Fuzzy Hash: EB2270B3F515148BDB0CCA5DDCA27ECB2E3AFD8214B0E813DE40AE3345EA78D9159644

Function 00D96EE9 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c4501f1a462b048ea5021a93c1f6dc5dbe0b2b3ad5732ca4e0d6d13179f6b2
Instruction ID: 2cebfe65754569857b0a1e42d7ed07b26bea8481f690395e57c60cea89f90a37
Opcode Fuzzy Hash: c6c4501f1a462b048ea5021a93c1f6dc5dbe0b2b3ad5732ca4e0d6d13179f6b2
Instruction Fuzzy Hash: FBB13C31624605DFDB15CF28C486BA57BB0FF45364F298658E8DACF2A1C335E992CB50

Function 00D54AD0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 606c5abb76675450f1eadc7af1f06c763671c0cc9627d11f2cff36dbc4aa3d72
Instruction ID: 04aa5528aa1042df80abe485ec691d2b506bee8beff1aa5c26e7666a5435d845
Opcode Fuzzy Hash: 606c5abb76675450f1eadc7af1f06c763671c0cc9627d11f2cff36dbc4aa3d72
Instruction Fuzzy Hash: 5551B3716083918FC719CF2D801523ABFF1BFC6201F084A9EE8D687292D775D648CBA2

Function 00D9775B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00ccee175d4cba31e74ee813ad0abb4514ff0f0c044738054f4ccde4f23eae16
Instruction ID: f75fe12816734c2affeacef5a701cce41cba8661043ecc166ba7895246482743
Opcode Fuzzy Hash: 00ccee175d4cba31e74ee813ad0abb4514ff0f0c044738054f4ccde4f23eae16
Instruction Fuzzy Hash: E921D673F20539477B0CC47E8C5327DB6E1C78C500745423AE8A6EA2C1D968D917E2E4

Function 00D9763B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87d3d632afd4b1605b044405f4e56d2304449c2e0163eab86f5694f3a5196930
Instruction ID: 227168c3aa218b39c84f3539c661319611b91e2a717a3f6e707efffc7750ede3
Opcode Fuzzy Hash: 87d3d632afd4b1605b044405f4e56d2304449c2e0163eab86f5694f3a5196930
Instruction Fuzzy Hash: 5A118A63F30C255B675C817D8C1727AA5D2EBD825071F533AD826E7384E994DE13D2A0

Function 00D98700 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6af1d3b60d91eaf19323258f8df4e6700366779d38ab2fcb47723a1fb637aa76
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 50112B7B20008287DF048AFDD8F86B6A796EBC7B2173C437AD1424B758DA23D945B620

Function 00D8643B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82d64c501e662b6a3fd8b65604eaba2fd4e3e3eb520e268ce27ce5e90019c520
Instruction ID: b049fc7141a5ea95daa1af143b52a2de520b81e2bfc32f9f7fc29a953a7bf4dd
Opcode Fuzzy Hash: 82d64c501e662b6a3fd8b65604eaba2fd4e3e3eb520e268ce27ce5e90019c520
Instruction Fuzzy Hash: 12E08C30104608AFDF297B18C81CE5E3B2AEF81360F248811F80446231CB75EC82CBA0

Function 00D8A1A2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 67278a993dd9a6cfbf278f5461e35a360e328b2779aa5adaa2c3560efad29a32
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: D0E0EC72A15328EBCB15EB9CC94898AF7ECEB49B51F564497B501D3251D270DF00C7E1

Function 00D62DF0 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

invalid stoi argument, xrefs: 00D6422A
9wGTaHilQw==, xrefs: 00D62E97
Gl==, xrefs: 00D6366E
Inhk, xrefs: 00D6375F
stoi argument out of range, xrefs: 00D62DF0, 00D64239
Xst=, xrefs: 00D6338A
246122658369, xrefs: 00D633A4

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$9wGTaHilQw==$Gl==$Inhk$Xst=$invalid stoi argument$stoi argument out of range
API String ID: 0-301961687
Opcode ID: 6c3a675e2c3c3fa256471d43e1440bddfcd411588d91c8722e01d39b596d9b98
Instruction ID: c46ca366caac1c92aec072054d2dec555ed4a634a4e5445a92728d939aeae9ae
Opcode Fuzzy Hash: 6c3a675e2c3c3fa256471d43e1440bddfcd411588d91c8722e01d39b596d9b98
Instruction Fuzzy Hash: 6D02D271A00248EFEF14EFA8C859BDEBBB5EF15304F544158F805A7282D7759A88CBB1

Function 00D84750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D84787
___except_validate_context_record.LIBVCRUNTIME ref: 00D8478F
_ValidateLocalCookies.LIBCMT ref: 00D84818
__IsNonwritableInCurrentImage.LIBCMT ref: 00D84843
_ValidateLocalCookies.LIBCMT ref: 00D84898

Strings

csm, xrefs: 00D8482D

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8cd1e297812cb492f648dd99ba7015dd10cfd5e4c609ab76f018cd7f341331a6
Instruction ID: 86d7a15763e86feab82bd136dbd3e25de97eab8882e1e56a7e45edc1ccc53b73
Opcode Fuzzy Hash: 8cd1e297812cb492f648dd99ba7015dd10cfd5e4c609ab76f018cd7f341331a6
Instruction Fuzzy Hash: 2051A235A0024A9BCF10EF68DC85AAE7BB5EF46324F188195E9059B352D732DA05CBF1

Function 00D870A9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00D870EB

Strings

.cmd, xrefs: 00D87109
.exe, xrefs: 00D870F8
.com, xrefs: 00D8712B
.bat, xrefs: 00D8711A

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: cd21914c8476c972609478b8311b9783e1701a3d1d625053adffce023ca412b6
Instruction ID: 8544b5d875d31227d636231fe300093f084ed3bcbe545fb4be96ae60cafa6e88
Opcode Fuzzy Hash: cd21914c8476c972609478b8311b9783e1701a3d1d625053adffce023ca412b6
Instruction Fuzzy Hash: 9D01A127A18B1635661470199C0263756988F92FB4B3E002AF944EBAC2EF59DC4243B0

Function 00D52DC0 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00D52E5F
__Mtx_unlock.LIBCPMT ref: 00D52ECC
__Cnd_broadcast.LIBCPMT ref: 00D52EE3
__Mtx_unlock.LIBCPMT ref: 00D52FF5
__Mtx_unlock.LIBCPMT ref: 00D5309B

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: c47ed021f85def945dd817f2430a56d2db89b1aab39f286e30f1f733771998ac
Instruction ID: f6cc8fb7deb7dfab8f83c75cb6577a0a8ec7a4adbb4e5eb8797136d9bfe82323
Opcode Fuzzy Hash: c47ed021f85def945dd817f2430a56d2db89b1aab39f286e30f1f733771998ac
Instruction Fuzzy Hash: 00A1D070A013059FDF10DF69D945B6AB7B8EF16351F184269EC15D7281EB34EA08CBB1

Function 00D8C990 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D8CA17

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: a1b2a300e9ca2990650d1060e099212dde7f7499fee34cc63395d1ad4914d3c0
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: BCB13772920685DFDB15EF28C882BBEBBE5EF55340F18916AE445EB341D6349D02CB70

Function 00D6BA72 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00D6BACA
__Xtime_diff_to_millis2.LIBCPMT ref: 00D6BAE4
_xtime_get.LIBCPMT ref: 00D6BB07
__Xtime_diff_to_millis2.LIBCPMT ref: 00D6BB13

Memory Dump Source

Source File: 0000000B.00000002.3724885507.0000000000D51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00D50000, based on PE: true

Associated: 0000000B.00000002.3724371477.0000000000D50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3724885507.0000000000DB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3726837341.0000000000DB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000DBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000000F47000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001031000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001062000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001069000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3727570665.0000000001079000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3739256522.000000000107A000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745201574.0000000001223000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000B.00000002.3745424065.0000000001225000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_d50000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: b8262d435a574ed841a38007bdab9e0430b091283521e64bdea1fabb20490ace
Instruction ID: b06e9fb97f03e19d8ba6a903fbefc2194668f25cd4844b6c17f71d4c1a8a7655
Opcode Fuzzy Hash: b8262d435a574ed841a38007bdab9e0430b091283521e64bdea1fabb20490ace
Instruction Fuzzy Hash: 24213E71A10219AFDF00EFA8DC829BEB7B8EF48710F50005AF901E7251DB71AD419BB0

Analysis Process: TpWWMUpe0LEV.exePID: 7992, Parent PID: 7520COMMON

Execution Graph

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.5%
Total number of Nodes:	185
Total number of Limit Nodes:	15

Executed Functions

Function 6CB02F20 Relevance: 73.8, APIs: 22, Strings: 16, Instructions: 7270injectionthreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 6CB05401
ShowWindow.USER32(?,?,?,?,?,?,?,?), ref: 6CB05417
CreateProcessW.KERNELBASE ref: 6CB091F7
VirtualAlloc.KERNELBASE ref: 6CB092AA
Wow64GetThreadContext.KERNEL32 ref: 6CB09347
VirtualAllocEx.KERNELBASE ref: 6CB093F7
VirtualAllocEx.KERNELBASE ref: 6CB0945F
WriteProcessMemory.KERNELBASE ref: 6CB094E5
WriteProcessMemory.KERNELBASE ref: 6CB096DC
ReadProcessMemory.KERNEL32 ref: 6CB09D48
WriteProcessMemory.KERNEL32 ref: 6CB09DDC
WriteProcessMemory.KERNELBASE ref: 6CB09FAA
Wow64SetThreadContext.KERNEL32 ref: 6CB0A068
ResumeThread.KERNELBASE ref: 6CB0A07D
CloseHandle.KERNEL32 ref: 6CB0A107
CloseHandle.KERNEL32 ref: 6CB0A11B
GetConsoleWindow.KERNEL32 ref: 6CB0A16F
ShowWindow.USER32 ref: 6CB0A185
VirtualAlloc.KERNEL32 ref: 6CB0A863
WriteProcessMemory.KERNEL32 ref: 6CB0A92E
SetThreadContext.KERNEL32 ref: 6CB0A9A6
ResumeThread.KERNEL32 ref: 6CB0A9BB

Strings

oY}, xrefs: 6CB08BE0
@, xrefs: 6CB09457
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CB090FF, 6CB0A828
D*?, xrefs: 6CB09C89
kernel32.dll, xrefs: 6CB0541D, 6CB0A18B
d&, xrefs: 6CB07AF1
,.`, xrefs: 6CB076BF
D, xrefs: 6CB09035
tbzU, xrefs: 6CB05F3B
WNOP, xrefs: 6CB06B13
D*?, xrefs: 6CB02F7F
ntdll.dll, xrefs: 6CB05431, 6CB0A19F
,.`, xrefs: 6CB07637
FfP, xrefs: 6CB09412
@Q1\, xrefs: 6CB07183
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CB09068

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: Process$Memory$ThreadWrite$AllocVirtualWindow$Context$CloseConsoleHandleResumeShowWow64$CreateRead
String ID: d&$@$@Q1\$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$FfP$WNOP$kernel32.dll$ntdll.dll$oY}$tbzU$,.`$,.`$D*?$D*?
API String ID: 383737732-3198518188
Opcode ID: 17ea440e65c3bd33227f93a35872b07913ec960e1f7460523925b7109c249a12
Instruction ID: 57fa3f921b5796952f7bc3ff19d2a999635b3c2be673520260b9e9cbb2ad5beb
Opcode Fuzzy Hash: 17ea440e65c3bd33227f93a35872b07913ec960e1f7460523925b7109c249a12
Instruction Fuzzy Hash: ABD31031B44A598FCB04CF2DC8867D9BBF1BB5B314F008A89D859EBA94C7759D898F01

Function 6CB012D0 Relevance: 43.2, APIs: 17, Strings: 7, Instructions: 1210
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32 ref: 6CB01A4B
CreateFileMappingA.KERNEL32 ref: 6CB01B65
MapViewOfFile.KERNELBASE ref: 6CB01D1A
VirtualProtect.KERNELBASE ref: 6CB021C0
FindCloseChangeNotification.KERNELBASE ref: 6CB0235A
CloseHandle.KERNEL32 ref: 6CB0236B
CloseHandle.KERNEL32 ref: 6CB023DD
CreateFileMappingA.KERNEL32 ref: 6CB02516
CloseHandle.KERNEL32 ref: 6CB025EE
CloseHandle.KERNEL32 ref: 6CB025FF

Strings

JW8x, xrefs: 6CB01CC3
JW8x, xrefs: 6CB01C72
.text, xrefs: 6CB01FE9
E&yp, xrefs: 6CB01FFF
k5s0, xrefs: 6CB01AB6
@, xrefs: 6CB025A5
E&yp, xrefs: 6CB021D4

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: Close$FileHandle$CreateMapping$ChangeFindModuleNameNotificationProtectViewVirtual
String ID: .text$@$E&yp$E&yp$JW8x$JW8x$k5s0
API String ID: 4154624388-1527704092
Opcode ID: 73eefcfa916cc9ef0b7f07e64694b3f1944d6e20fee0217db679a404500b1876
Instruction ID: 6275a94f9a77a56bf3449d95111b1979e8e147d37a6405cb54dc7bffec1c6449
Opcode Fuzzy Hash: 73eefcfa916cc9ef0b7f07e64694b3f1944d6e20fee0217db679a404500b1876
Instruction Fuzzy Hash: 7EA2DB75B04244CFDB18CF7CC999B8DBBF1AB4A308F188599E809EB756C635D9488F02

Function 6CB02630 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 496
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32 ref: 6CB0282E
GetProcAddress.KERNEL32 ref: 6CB02846

Strings

ntdll.dll, xrefs: 6CB02825
NtQueryInformationProcess, xrefs: 6CB02839
aJ, xrefs: 6CB02B2C
aJ, xrefs: 6CB02AB9

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: NtQueryInformationProcess$ntdll.dll$aJ$aJ
API String ID: 1646373207-319702032
Opcode ID: b2c022f4a146b05ba39691284c52be0938c0eaa4b03f43afc5421529235f9c61
Instruction ID: dbccf2a021afdeb74c692a8d2cfa1f6923274859bac496946c1c16431506003d
Opcode Fuzzy Hash: b2c022f4a146b05ba39691284c52be0938c0eaa4b03f43afc5421529235f9c61
Instruction Fuzzy Hash: 0402F072B492548FCF04CEBCC5993DE7FF2BB46315F208619D811DB698C63A894E8B42

Function 6CB0B2D8 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CB0B31F
___scrt_uninitialize_crt.LIBCMT ref: 6CB0B339

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: b1877a8621abefcf49f04d42c6e2722fe73d2f4d3463d75cf290db8634d04b22
Instruction ID: b6d44a2daf40faf8363d233a09ee183d407933dbd0fcd41ae5c46a06f7233e62
Opcode Fuzzy Hash: b1877a8621abefcf49f04d42c6e2722fe73d2f4d3463d75cf290db8634d04b22
Instruction Fuzzy Hash: C3411472F04298EFDB208FA5C840FAE3EB4EF41769F208129E81467B40C7304A05CBA0

Function 6CB0B388 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CB0B3C5
dllmain_crt_dispatch.LIBCMT ref: 6CB0B3DC
dllmain_raw.LIBCMT ref: 6CB0B424
dllmain_crt_dispatch.LIBCMT ref: 6CB0B437
dllmain_raw.LIBCMT ref: 6CB0B44A

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: b0aaf6f4b28d4140417256805068f8ead906dfe90c2a25bfeb0eca6b3a1424bf
Instruction ID: 76dda330b600a1d94e4331aef51228783cdd288c7ec99f4334cc59817cc7db9f
Opcode Fuzzy Hash: b0aaf6f4b28d4140417256805068f8ead906dfe90c2a25bfeb0eca6b3a1424bf
Instruction Fuzzy Hash: 11218E72F41699EBDB218F55CC40EAF3E79EB81B98F118129F8155BB14C7308E41CBA1

Function 6CB0B1D1 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CB0B21E

Part of subcall function 6CB0B69B: InitializeSListHead.KERNEL32(6CB46420,6CB0B228,6CB1C650,00000010,6CB0B1B9,?,?,?,6CB0B3E1,?,00000001,?,?,00000001,?,6CB1C698), ref: 6CB0B6A0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CB0B288

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 574181bab726540782de03ec38fd83ef7b6dcac0470c1d8c10ffe25d1666aa90
Instruction ID: 937ef8e112caf67f6788449c09a5ea54c5c42e8563842c28642f6f13b7df686b
Opcode Fuzzy Hash: 574181bab726540782de03ec38fd83ef7b6dcac0470c1d8c10ffe25d1666aa90
Instruction Fuzzy Hash: C821CD367892C59EDB05ABB4C806BDD7FA0AF0337DF204419D49167FD2CBA1008886A6

Function 6CB117FE Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CB1184A
GetFileType.KERNELBASE(00000000), ref: 6CB1185C

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: d15dbedf7b579a42b26e92712893fd2b09fb137417ede480d79840fab3df94b2
Instruction ID: 1e3e6c43ef205e208c4ae4cf73b1c4c6c33a95f55eb3f0044baac3f6f2fc6c45
Opcode Fuzzy Hash: d15dbedf7b579a42b26e92712893fd2b09fb137417ede480d79840fab3df94b2
Instruction Fuzzy Hash: CD112C31A0D7914BC7204E3E8C843927AA5E76727AB3C4719D0B5D7DF1C730C582C152

Non-executed Functions

Function 6CB0B9BA Relevance: 6.1, APIs: 4, Instructions: 70COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CB0B9C6
IsDebuggerPresent.KERNEL32 ref: 6CB0BA92
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CB0BAAB
UnhandledExceptionFilter.KERNEL32(?), ref: 6CB0BAB5

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 83b95f1cda729e36ef3e94bc4fb8f877e65f4d4553c2c2099d6c6274a4dc69d2
Instruction ID: 5e5510e1f08d186f13a824ee02489156246654535f0611d7ae0923a493d70abb
Opcode Fuzzy Hash: 83b95f1cda729e36ef3e94bc4fb8f877e65f4d4553c2c2099d6c6274a4dc69d2
Instruction Fuzzy Hash: 6531D475E05329DBDF21DFA5D9497CDBBB8AF08344F1041EAE40CAB290EB719A848F45

Function 6CB0F957 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CB0FA4F
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CB0FA59
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CB0FA66

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 690191c49d709db779154876dbf9f43385cf71d7e70d6393a2e18b6801b7b2fe
Instruction ID: df20ed11db72b1589993e1eb480eb1438ba7d7e5f6673c3fef6f6cec38e09835
Opcode Fuzzy Hash: 690191c49d709db779154876dbf9f43385cf71d7e70d6393a2e18b6801b7b2fe
Instruction Fuzzy Hash: 5631A674A4132CABCB21DF64D8897CDBBB8BF08714F5042DAE41CA7250E7709B858F55

Function 6CB10008 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dea879b0c960471b87d0b09211b436abc688ee837aa22ec954e77439bd4f3e
Instruction ID: 21ab026c769b8f2e2db0f86a3fa06579cb768592c7eea6a880b7e7fd1de5942c
Opcode Fuzzy Hash: 39dea879b0c960471b87d0b09211b436abc688ee837aa22ec954e77439bd4f3e
Instruction Fuzzy Hash: 5841A37590929DAEDB10DF69DC88AEEBBB8EF45304F1442D9E40993600DB349E548F50

Function 6CB1172D Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CB1172D

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 65aa70fd3b2a48aed4c5b1017f259b5abb2bc6870712d5a7cfd79f045338651f
Instruction ID: fcc1e71db653d8a297c6f4ee1fc6d4092786f708a7a292f76d68e7f91103d8d9
Opcode Fuzzy Hash: 65aa70fd3b2a48aed4c5b1017f259b5abb2bc6870712d5a7cfd79f045338651f
Instruction Fuzzy Hash: A6A011B0388200CBAB008F32820A2083BF8AA02AA230080AAA808CB000EA2080208F02

Function 6CB3814A Relevance: 129.2, APIs: 86, Instructions: 188
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CB3815E
_free.LIBCMT ref: 6CB38166
_free.LIBCMT ref: 6CB3816E
_free.LIBCMT ref: 6CB38176
_free.LIBCMT ref: 6CB3817E
_free.LIBCMT ref: 6CB38186
_free.LIBCMT ref: 6CB3818D
_free.LIBCMT ref: 6CB38195
_free.LIBCMT ref: 6CB3819D
_free.LIBCMT ref: 6CB381A5
_free.LIBCMT ref: 6CB381AD
_free.LIBCMT ref: 6CB381B5
_free.LIBCMT ref: 6CB381BD
_free.LIBCMT ref: 6CB381C5
_free.LIBCMT ref: 6CB381CD
_free.LIBCMT ref: 6CB381D5
_free.LIBCMT ref: 6CB381E0
_free.LIBCMT ref: 6CB381E8
_free.LIBCMT ref: 6CB381F0
_free.LIBCMT ref: 6CB381F8
_free.LIBCMT ref: 6CB38200
_free.LIBCMT ref: 6CB38208
_free.LIBCMT ref: 6CB38210
_free.LIBCMT ref: 6CB38218
_free.LIBCMT ref: 6CB38220
_free.LIBCMT ref: 6CB38228
_free.LIBCMT ref: 6CB38230
_free.LIBCMT ref: 6CB38238
_free.LIBCMT ref: 6CB38240
_free.LIBCMT ref: 6CB38248
_free.LIBCMT ref: 6CB38250
_free.LIBCMT ref: 6CB38258
_free.LIBCMT ref: 6CB38266
_free.LIBCMT ref: 6CB38271
_free.LIBCMT ref: 6CB3827C
_free.LIBCMT ref: 6CB38287
_free.LIBCMT ref: 6CB38292
_free.LIBCMT ref: 6CB3829D
_free.LIBCMT ref: 6CB382A8
_free.LIBCMT ref: 6CB382B3
_free.LIBCMT ref: 6CB382BE
_free.LIBCMT ref: 6CB382C9
_free.LIBCMT ref: 6CB382D4
_free.LIBCMT ref: 6CB382DF
_free.LIBCMT ref: 6CB382EA
_free.LIBCMT ref: 6CB382F5
_free.LIBCMT ref: 6CB38300
_free.LIBCMT ref: 6CB3830B
_free.LIBCMT ref: 6CB38319
_free.LIBCMT ref: 6CB38324
_free.LIBCMT ref: 6CB3832F
_free.LIBCMT ref: 6CB3833A
_free.LIBCMT ref: 6CB38345
_free.LIBCMT ref: 6CB38350
_free.LIBCMT ref: 6CB3835B
_free.LIBCMT ref: 6CB38366
_free.LIBCMT ref: 6CB38371
_free.LIBCMT ref: 6CB3837C
_free.LIBCMT ref: 6CB38387
_free.LIBCMT ref: 6CB38392
_free.LIBCMT ref: 6CB3839D
_free.LIBCMT ref: 6CB383A8
_free.LIBCMT ref: 6CB383B3
_free.LIBCMT ref: 6CB383BE
_free.LIBCMT ref: 6CB383CC
_free.LIBCMT ref: 6CB383D7
_free.LIBCMT ref: 6CB383E2
_free.LIBCMT ref: 6CB383ED
_free.LIBCMT ref: 6CB383F8
_free.LIBCMT ref: 6CB38403
_free.LIBCMT ref: 6CB3840E
_free.LIBCMT ref: 6CB38419
_free.LIBCMT ref: 6CB38424
_free.LIBCMT ref: 6CB3842F
_free.LIBCMT ref: 6CB3843A
_free.LIBCMT ref: 6CB38445
_free.LIBCMT ref: 6CB38450
_free.LIBCMT ref: 6CB3845B
_free.LIBCMT ref: 6CB38466
_free.LIBCMT ref: 6CB38471
_free.LIBCMT ref: 6CB3847F
_free.LIBCMT ref: 6CB3848A
_free.LIBCMT ref: 6CB38495
_free.LIBCMT ref: 6CB384A0
_free.LIBCMT ref: 6CB384AB
_free.LIBCMT ref: 6CB384B6

Memory Dump Source

Source File: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Offset: 6CB1E000, based on PE: true

Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 1cb51d794b88515d33fb24832cd1d4457d707ad4a553ec7f77a6cd17a159d2d3
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: 3971E431415BB0FBDF621B31FD01ADF76A27F04388F185914A1DE20EB09B22696DBE59

Function 6CB0D3EA Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CB0D509
___TypeMatch.LIBVCRUNTIME ref: 6CB0D617
_UnwindNestedFrames.LIBCMT ref: 6CB0D769
CallUnexpected.LIBVCRUNTIME ref: 6CB0D784

Strings

csm, xrefs: 6CB0D540
csm, xrefs: 6CB0D427
csm, xrefs: 6CB0D494

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: 0e354ad8e032b03dcacd5882312535529dc3a259f8b2d903ea88787599882ebd
Instruction ID: ed63b32bd78104ea29cfc8d263f1a19b5519c4aaf0516697a61ffe996b007d7a
Opcode Fuzzy Hash: 0e354ad8e032b03dcacd5882312535529dc3a259f8b2d903ea88787599882ebd
Instruction Fuzzy Hash: 11B19A75E00299EFCF05CFA4E88099EBFB4FF04319B144259E8146BA95D731EA51CFA2

Function 6CB0C490 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6CB0C4C7
___except_validate_context_record.LIBVCRUNTIME ref: 6CB0C4CF
_ValidateLocalCookies.LIBCMT ref: 6CB0C558
__IsNonwritableInCurrentImage.LIBCMT ref: 6CB0C583
_ValidateLocalCookies.LIBCMT ref: 6CB0C5D8

Strings

csm, xrefs: 6CB0C56D

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 18d9f3fe6a1cb275380ef3659aa3a4ad3f97369350aa3bba1593a2c74f037e05
Instruction ID: e4f39265c0a9a6d677147a63a172428ca647ed7d8dc1dd66e7b34cd7379de61f
Opcode Fuzzy Hash: 18d9f3fe6a1cb275380ef3659aa3a4ad3f97369350aa3bba1593a2c74f037e05
Instruction Fuzzy Hash: 34416238B002889BCF00EF69C881A9E7FB5FF45328F148155D815ABB51D731DE19CBA2

Function 6CB1135C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,6CB1146B,00000000,6CB0EC70,00000000,00000000,00000001,?,6CB115E4,00000022,FlsSetValue,6CB18898,6CB188A0,00000000), ref: 6CB1141D

Strings

ext-ms-, xrefs: 6CB113C7
api-ms-, xrefs: 6CB113B3

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 41f6cd4df2c60e786fe1e3a6e0ff2aadc7eee3ff5b0da4b4ac475522e5c2fb0e
Instruction ID: 605b323f494dfe73ca570da689aa249d93cd15173d3a37364ea326ae660c8300
Opcode Fuzzy Hash: 41f6cd4df2c60e786fe1e3a6e0ff2aadc7eee3ff5b0da4b4ac475522e5c2fb0e
Instruction Fuzzy Hash: E0212B35B4E2A1ABC7119B66DC84A4B3779EB12768F290211EC16A7E84D770ED01C6E1

Function 6CB0CA3C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CB0C671,6CB0B790,6CB0B1A9,?,6CB0B3E1,?,00000001,?,?,00000001,?,6CB1C698,0000000C,6CB0B4DA), ref: 6CB0CA4A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CB0CA58
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CB0CA71
SetLastError.KERNEL32(00000000,6CB0B3E1,?,00000001,?,?,00000001,?,6CB1C698,0000000C,6CB0B4DA,?,00000001,?), ref: 6CB0CAC3

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 122fb775233228c566b91950236ec7db8c2b0642d530ba82bf041d6ff12cbe67
Instruction ID: f58722b1cb2533a3bd0f455d8845cbf080ca8fc2245d6b1a9c316037c2214aca
Opcode Fuzzy Hash: 122fb775233228c566b91950236ec7db8c2b0642d530ba82bf041d6ff12cbe67
Instruction Fuzzy Hash: 5B01FC3230D7555EA704B57AAC8654F3FA4EB033BD724432AF51453AD9EF518808525A

Function 6CB1058E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe, xrefs: 6CB105AA

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user~1\AppData\Local\Temp\1000112001\TpWWMUpe0LEV.exe
API String ID: 0-2964670835
Opcode ID: a5a5a030d10ead710ecf88430a1a478be789c7e72e74e04717e3a512eedf248a
Instruction ID: 873e94e158d7c5d1c391361eebd2ff1dab7f08ed5e790a0c3f937a7cea6146d9
Opcode Fuzzy Hash: a5a5a030d10ead710ecf88430a1a478be789c7e72e74e04717e3a512eedf248a
Instruction Fuzzy Hash: A9215E7170C2C9AF9B109F66E99099F7BADFF8136C7044619E918D7E50EB31EC208B61

Function 6CB37463 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CB3746F

Part of subcall function 6CB3674C: __getptd_noexit.LIBCMT ref: 6CB3674F
Part of subcall function 6CB3674C: __amsg_exit.LIBCMT ref: 6CB3675C

__amsg_exit.LIBCMT ref: 6CB3748F
__lock.LIBCMT ref: 6CB3749F
_free.LIBCMT ref: 6CB374CF

Strings

0EB, xrefs: 6CB374C6

Memory Dump Source

Source File: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Offset: 6CB1E000, based on PE: true

Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID: 0EB
API String ID: 3170801528-3472271230
Opcode ID: be45c67b52b1c0925cc96b4187c014e10b21e7c5728550a5992ef4fb61579355
Instruction ID: 58e6a9bcfe37f2211106df9655f6a9763a4e23c5768a46ee5c2b20413c2ca1d3
Opcode Fuzzy Hash: be45c67b52b1c0925cc96b4187c014e10b21e7c5728550a5992ef4fb61579355
Instruction Fuzzy Hash: 5201E131A01AB1EBD7108F64A94878EBF60FF05728F615015D428B3F80CBA4B485CFDA

Function 6CB0E59E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6592D725,00000000,?,00000000,6CB16EB2,000000FF,?,6CB0E538,?,?,6CB0E50C,?), ref: 6CB0E5D3
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CB0E5E5
FreeLibrary.KERNEL32(00000000,?,00000000,6CB16EB2,000000FF,?,6CB0E538,?,?,6CB0E50C,?), ref: 6CB0E607

Strings

mscoree.dll, xrefs: 6CB0E5CC
CorExitProcess, xrefs: 6CB0E5DD

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 0ca7937b8326dc7ccb1c6a9ccd54d14add054bb6ebf98b12f9f7220db3552568
Instruction ID: f2f01e40aaee90778d29e36ac5fb54c8099316fe8f53892e65784993628c4e74
Opcode Fuzzy Hash: 0ca7937b8326dc7ccb1c6a9ccd54d14add054bb6ebf98b12f9f7220db3552568
Instruction Fuzzy Hash: B8016235A146A9EFDB019F50CC09BAE7BBDFB05725F014625E821A3A90DB759900CA91

Function 6CB13025 Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CB130AA
__alloca_probe_16.LIBCMT ref: 6CB13173
__freea.LIBCMT ref: 6CB131DA

Part of subcall function 6CB121BC: HeapAlloc.KERNEL32(00000000,6CB10B07,6CB11ED6,?,6CB10B07,00000220,?,?,6CB11ED6), ref: 6CB121EE

__freea.LIBCMT ref: 6CB131ED
__freea.LIBCMT ref: 6CB131FA

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 24a368bb3fa72bdd217ae3f225fa62877018c487fdf6a1584ca7f4a9b6acea0c
Instruction ID: fce494d893df1bbdcd8439c8b74dd3a19afac65bc524046314a89b7bdb6651ec
Opcode Fuzzy Hash: 24a368bb3fa72bdd217ae3f225fa62877018c487fdf6a1584ca7f4a9b6acea0c
Instruction Fuzzy Hash: D851B3B2649286AFEB114F64CC45EEF3AADEF45768B250129FD14D7E00FB32CD248661

Function 6CB371C7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CB371D3

Part of subcall function 6CB3674C: __getptd_noexit.LIBCMT ref: 6CB3674F
Part of subcall function 6CB3674C: __amsg_exit.LIBCMT ref: 6CB3675C

__getptd.LIBCMT ref: 6CB371EA
__amsg_exit.LIBCMT ref: 6CB371F8
__lock.LIBCMT ref: 6CB37208
__updatetlocinfoEx_nolock.LIBCMT ref: 6CB3721C

Memory Dump Source

Source File: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Offset: 6CB1E000, based on PE: true

Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: feb6dc4b8d9ac8d85f3e2868ee9d5913852259a8d5734a1dbf62adb9f4533fcc
Instruction ID: 3a5285498e8535ba66d99f6b325661ac008d5ae67f3ab20fb492758165ffbb7e
Opcode Fuzzy Hash: feb6dc4b8d9ac8d85f3e2868ee9d5913852259a8d5734a1dbf62adb9f4533fcc
Instruction Fuzzy Hash: 23F0F6329816B0DBD6219B685E057CC3690BF01728F612209E41CF6BD0CFA45405865E

Function 6CB333D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CB33442
__aulldiv.LIBCMT ref: 6CB33450

Strings

@, xrefs: 6CB3341D
lYb, xrefs: 6CB3346B, 6CB3346E

Memory Dump Source

Source File: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Offset: 6CB1E000, based on PE: true

Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @$lYb
API String ID: 3732870572-948519696
Opcode ID: 854f6f18041aef9052c10d726e8fe1c6cf7f394222e00842828e43ac8fd55494
Instruction ID: 176566b2c740c360884dcdc12a99256c89d27948667a57fcabf753113d980da1
Opcode Fuzzy Hash: 854f6f18041aef9052c10d726e8fe1c6cf7f394222e00842828e43ac8fd55494
Instruction Fuzzy Hash: 56215BB1E40258ABDB10DFD9CD45FAFB779FB44B14F104109F609BB680C77859058BA5

Function 6CB0D012 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CB0CFC3,00000000,?,00000001,?,?,?,6CB0D0B2,00000001,FlsFree,6CB17F70,FlsFree), ref: 6CB0D01F
GetLastError.KERNEL32(?,6CB0CFC3,00000000,?,00000001,?,?,?,6CB0D0B2,00000001,FlsFree,6CB17F70,FlsFree,00000000,?,6CB0CB11), ref: 6CB0D029
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CB0D051

Strings

api-ms-, xrefs: 6CB0D036

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 85b87e871ba7dce63fd96bbc8394b180f59d98d7d68232bc6dc1d7fee5d13a63
Instruction ID: 03dbe5a7a7f46795c83e9460676951be9186f9a0df20ca998a4539ef0730b8ac
Opcode Fuzzy Hash: 85b87e871ba7dce63fd96bbc8394b180f59d98d7d68232bc6dc1d7fee5d13a63
Instruction Fuzzy Hash: 31E01A34384248FBEF101A71EC0AB4A3F6EAB01B58F204020FA0DBACD5E7A1A511D996

Function 6CB13732 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(6592D725,00000000,00000000,?), ref: 6CB13795

Part of subcall function 6CB1115E: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CB131D0,?,00000000,-00000008), ref: 6CB111BF

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 6CB139E7
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CB13A2D
GetLastError.KERNEL32 ref: 6CB13AD0

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: a182a39810aaef59197131857715b84a953869e7d70c18f6b05f7968ae1df841
Instruction ID: 16cb87f256ccb569fe89c04ad5f73228322e859f369bbd9cb7ce2e0eae4b999f
Opcode Fuzzy Hash: a182a39810aaef59197131857715b84a953869e7d70c18f6b05f7968ae1df841
Instruction Fuzzy Hash: DAD15B75E092989FCB05CFA8C8809EDBBF9FF09314F24456AE456EBB41E730A945CB50

Function 6CB0D193 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CB0D25A
___AdjustPointer.LIBCMT ref: 6CB0D27D
___AdjustPointer.LIBCMT ref: 6CB0D319

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 1fbd78f2b4b25dfc4d462d112456186ea04a278bb4d885c6a2a6a08a2c6b6a7c
Instruction ID: 51f0fde4c07b9d70e0a4a6f7a2054de13b45b72255f3588887dea31f25c08b51
Opcode Fuzzy Hash: 1fbd78f2b4b25dfc4d462d112456186ea04a278bb4d885c6a2a6a08a2c6b6a7c
Instruction Fuzzy Hash: 815104727056869FEB158F74E880BAA7FB4FF05328F20452DE81547AD1D771E880CB91

Function 6CB0FDA8 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CB1115E: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CB131D0,?,00000000,-00000008), ref: 6CB111BF

GetLastError.KERNEL32 ref: 6CB0FE0C
__dosmaperr.LIBCMT ref: 6CB0FE13
GetLastError.KERNEL32(?,?,?,?), ref: 6CB0FE4D
__dosmaperr.LIBCMT ref: 6CB0FE54

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 0ea1cf08ae0f535f1e1502b91a8107045ac0950baee639c05870543755dd194d
Instruction ID: 25537d09ac90149c1f03883e4d5e16c176774a08ddd34573ea6c50341cca7544
Opcode Fuzzy Hash: 0ea1cf08ae0f535f1e1502b91a8107045ac0950baee639c05870543755dd194d
Instruction Fuzzy Hash: 23219571708299AF9B109FA6D88095FBBBDFF053A87048629E81997E41D730EC118B95

Function 6CB11201 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CB11209

Part of subcall function 6CB1115E: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CB131D0,?,00000000,-00000008), ref: 6CB111BF

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CB11241
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CB11261

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 7c959cf0f102674a7621f0afd71ac313e878235060272968466bacb6e977b436
Instruction ID: 09663c8c55b7aa7947bf7f03681debd109c78a4c6dab4d1a9f5e4f3d5f1531ea
Opcode Fuzzy Hash: 7c959cf0f102674a7621f0afd71ac313e878235060272968466bacb6e977b436
Instruction Fuzzy Hash: B211C8B17496A97E67125B768C8ACEF7E7CDEA72AC7180114F805D2E00EB60DD1085F1

Function 6CB150A6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,6CB14866,00000000,00000001,00000000,?,?,6CB13B24,?,00000000,00000000), ref: 6CB150BD
GetLastError.KERNEL32(?,6CB14866,00000000,00000001,00000000,?,?,6CB13B24,?,00000000,00000000,?,?,?,6CB140C7,00000000), ref: 6CB150C9

Part of subcall function 6CB1508F: CloseHandle.KERNEL32(FFFFFFFE,6CB150D9,?,6CB14866,00000000,00000001,00000000,?,?,6CB13B24,?,00000000,00000000,?,?), ref: 6CB1509F

___initconout.LIBCMT ref: 6CB150D9

Part of subcall function 6CB15051: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CB15080,6CB14853,?,?,6CB13B24,?,00000000,00000000,?), ref: 6CB15064

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,6CB14866,00000000,00000001,00000000,?,?,6CB13B24,?,00000000,00000000,?), ref: 6CB150EE

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 98d0aed1a6a65d4457aed83a5650dbacc68d451d55430c6c6924cbeaf711133b
Instruction ID: 9193b69148b6e7723d41b2c6feed203461bf83cfd3ba1ef7a775933c44f70ebb
Opcode Fuzzy Hash: 98d0aed1a6a65d4457aed83a5650dbacc68d451d55430c6c6924cbeaf711133b
Instruction Fuzzy Hash: 6CF01C36604258BFCF121FE1CC0CE8A3F7AFB0A3B5B054014FA1A97A20C6328864DBD5

Function 6CB0D78F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CB0D7B4

Strings

MOC, xrefs: 6CB0D7C6
RCC, xrefs: 6CB0D7CE

Memory Dump Source

Source File: 0000000F.00000002.1489111397.000000006CB01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 6CB00000, based on PE: true

Associated: 0000000F.00000002.1489090097.000000006CB00000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489149963.000000006CB17000.00000002.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: f9024e5319f79549a4e2fa252a76ec2a67b5392eebfb07b430d7dc5ba15fc7a4
Instruction ID: 215e0705f5ed095bdb401f6129d78518bb5892236dc2a226a8d0d3657f9db75c
Opcode Fuzzy Hash: f9024e5319f79549a4e2fa252a76ec2a67b5392eebfb07b430d7dc5ba15fc7a4
Instruction Fuzzy Hash: 06417872A00249AFDF05DFA8DC80AEE7FB5FF48309F1481A9EA0467691D3359950DB52

Function 6CB1E5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6CB1E618
__aulldiv.LIBCMT ref: 6CB1E626

Strings

@, xrefs: 6CB1E5F3

Memory Dump Source

Source File: 0000000F.00000002.1489172260.000000006CB1E000.00000004.00000001.01000000.0000000C.sdmp, Offset: 6CB1E000, based on PE: true

Associated: 0000000F.00000002.1489172260.000000006CB45000.00000004.00000001.01000000.0000000C.sdmpDownload File
Associated: 0000000F.00000002.1489231425.000000006CB47000.00000002.00000001.01000000.0000000C.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_6cb00000_TpWWMUpe0LEV.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID: @
API String ID: 3732870572-2766056989
Opcode ID: 721940bddceabd09e7a22a1874063ddbad559e8aadbfb121420a8f9c72e410a4
Instruction ID: 454c2a315549d3a435676271d6f07ae8d577d7626b5042b20c4af762e58321fb
Opcode Fuzzy Hash: 721940bddceabd09e7a22a1874063ddbad559e8aadbfb121420a8f9c72e410a4
Instruction Fuzzy Hash: 0A0162B0A44388FBDB10DBD0CD49B8EB778AF44705F544045E704B6AC0C77459498B95

Analysis Process: aspnet_regiis.exePID: 8052, Parent PID: 7992COMMON

Execution Graph

Execution Coverage:	20%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.2%
Total number of Nodes:	1298
Total number of Limit Nodes:	27

Executed Functions

Function 00976550 Relevance: 4.6, APIs: 3, Instructions: 77
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,0097E147), ref: 0097659A
Process32First.KERNEL32(?,00000128), ref: 009765AE
FindCloseChangeNotification.KERNELBASE(?), ref: 00976631

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: ChangeCloseCreateFindFirstNotificationProcess32SnapshotToolhelp32
String ID:
API String ID: 692674288-0
Opcode ID: e11d7204002a17b8c907a44bc60352223171547481fbe75518614a7158960aeb
Instruction ID: 729248a9ee2d177e4a49785533c984983ebf8f3e969ce5601e4ee7315d46fa6d
Opcode Fuzzy Hash: e11d7204002a17b8c907a44bc60352223171547481fbe75518614a7158960aeb
Instruction Fuzzy Hash: EE312D72941618ABCB24EF54DC49FEFB778EF85700F508199B10EA25A0EF346A44CFA1

Function 00975A60 Relevance: 1.6, APIs: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocaleInfoA.KERNELBASE(?,00000002,?,00000200), ref: 00975B32

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: d95a2b9391abd2073c9ebf095f9433b9dcef944ffc3aae778abb52030b064444
Instruction ID: 1148646c9004a94be8ba8d79b2128d214a08219f24153d817961e959f288ac90
Opcode Fuzzy Hash: d95a2b9391abd2073c9ebf095f9433b9dcef944ffc3aae778abb52030b064444
Instruction Fuzzy Hash: FB410A72940118ABDB24EB94DC9DBEEB378FB88704F2081D9E50A66190DB746F84CF61

Function 00975900 Relevance: 1.5, APIs: 1, Instructions: 49timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(?,?,?,?,00000000,00000000,?,?,00000000,?,0097E7B8,00000000,?,00000000,00000000,?), ref: 0097594D

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: c4b551a67b4431164524c86da4724499f781a3f76cfdecc35e69631768750508
Instruction ID: 11daeae480d7b64d21101d04726e7b69c58e29de8795857b8a66a1fb342b1fd2
Opcode Fuzzy Hash: c4b551a67b4431164524c86da4724499f781a3f76cfdecc35e69631768750508
Instruction Fuzzy Hash: 2611A171905618EBEB20CB54DC49F99BB78FB44721F104795F61AA32D0DB741A40CF91

Function 00975DA0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(0097E7D4), ref: 00975DD0

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 2dde2fca30492c74352d51c118f1549ca9ac629882e26852b8f485f887a909c1
Instruction ID: 20573bb55a7eba74d7515bfb209b7df0b6636fd81b7d168d7f89e95529e60d43
Opcode Fuzzy Hash: 2dde2fca30492c74352d51c118f1549ca9ac629882e26852b8f485f887a909c1
Instruction Fuzzy Hash: 1EF0F6B2900608EBC710CF84DC45FEAF7BCFB48714F004669F509A3280D7781A04CBA1

Function 00977A60 Relevance: 12.7, APIs: 8, Instructions: 674
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977E8D
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977E9E
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977EB0
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977EC2
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977ED3
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977EE5
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977EF7
LoadLibraryA.KERNELBASE(?,?,00973E9C,?,00000030,00000064,00974530,?,0000002C,00000064,009744D0,?,00000030,00000064,Function_000143C0,?), ref: 00977F08

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 41f718e60ea406288c8b4e910d2a9a91f5b84486ff6154767b8c26d942eeff63
Instruction ID: cbbe6a7d1c42e246628564cfadfd1a39f36ed25a6bff8bc0bd9160071a3b9d9e
Opcode Fuzzy Hash: 41f718e60ea406288c8b4e910d2a9a91f5b84486ff6154767b8c26d942eeff63
Instruction Fuzzy Hash: A46250B6510A00EFC369DFA8FD88A1A3BB9FB4C3157108619E609C72B4DF75A841CF65

Function 009761F0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000,0097E146), ref: 00976274
RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009762F6
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0097634B

Strings

?, xrefs: 0097624A

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Open$Enum
String ID: ?
API String ID: 462099255-1684325040
Opcode ID: 301f16a5a1038e8d2160e3b229d2d95e32f30a9f6d8dfc20b2e565929ef75572
Instruction ID: 09e0540780efc3e1c21c4563ae3c815b0e112e2d2c66bf426507a74630832f64
Opcode Fuzzy Hash: 301f16a5a1038e8d2160e3b229d2d95e32f30a9f6d8dfc20b2e565929ef75572
Instruction Fuzzy Hash: 2881FB7295011CAADB28EF54CC95FDAB7B8BF48700F00C2D8B10AA6550DF75AB84CFA0

Function 00975430 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009754AF

Strings

:, xrefs: 0097548C
C, xrefs: 0097547C
\, xrefs: 00975490

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InformationVolume
String ID: :$C$\
API String ID: 2039140958-3809124531
Opcode ID: cbdcf20647280870337532ab5df3e0b0a4cf6eacdc2b98f7aaa06e50ad9e520f
Instruction ID: 81f22262d54bcb63425575316d946b215475cdb4f063a941ab95c4dd14b32a24
Opcode Fuzzy Hash: cbdcf20647280870337532ab5df3e0b0a4cf6eacdc2b98f7aaa06e50ad9e520f
Instruction Fuzzy Hash: 634196B2D006489BDB10DF94DC45BDEBBB8EF48700F144499F50967280DB74AB84CBA5

Function 00975FD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,00000040,00000000), ref: 00976028
__aulldiv.LIBCMT ref: 00976042
__aulldiv.LIBCMT ref: 00976050

Strings

@, xrefs: 0097601D

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 499dad7df0da47ae26f01d6d6ad0e013725348a031996188accee1e51d2047bf
Instruction ID: 2f59166614d4a05c96d8139a6e49a96f00c07b397716184ac36a779fc94f3cf2
Opcode Fuzzy Hash: 499dad7df0da47ae26f01d6d6ad0e013725348a031996188accee1e51d2047bf
Instruction Fuzzy Hash: 5E212EB2E44608ABDB10DFD5CC49FAEB778FB48B14F108519F619BB280C77959008BA5

Function 009611E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 009611FE
__aulldiv.LIBCMT ref: 00961218
__aulldiv.LIBCMT ref: 00961226

Strings

@, xrefs: 009611F3

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __aulldiv$GlobalMemoryStatus
String ID: @
API String ID: 2185283323-2766056989
Opcode ID: 8a3a56ea433ed1d26845362804a38f1e0114e2e9050fcf4606f59164f394b807
Instruction ID: 14a9d456a3d5446772138216b02bcca1657ec1651f1a7aaadf07a0c8a7ed921d
Opcode Fuzzy Hash: 8a3a56ea433ed1d26845362804a38f1e0114e2e9050fcf4606f59164f394b807
Instruction Fuzzy Hash: 4A011DB1D40208FBEF10DBE0CC9AB9DBB78AF54705F248059E714BB1D0D7B456458B69

Function 00964560 Relevance: 6.5, APIs: 4, Instructions: 479
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00964490: InternetCrackUrlA.WININET(00000000,00000000), ref: 00964526

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000,0097E7AF,0097E7AE,0097E7AB,0097E7AA,0097E7A7), ref: 009645F5
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,00973F7C,00000000,?,0097F1B0), ref: 0096479A
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00964AF8
InternetCloseHandle.WININET(00000000), ref: 00964B8D

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: Internet$CloseConnectCrackHandleHttpOpenRequestSend
String ID:
API String ID: 852205231-0
Opcode ID: 3ad53fee5aceebde6a8a68ae60f8aec77f9274dee0c55f2c38284f8c2a0962bf
Instruction ID: 9eec16eb40d47158f83918cd03543ecfed9a0b68d98b847f6649bb6261993045
Opcode Fuzzy Hash: 3ad53fee5aceebde6a8a68ae60f8aec77f9274dee0c55f2c38284f8c2a0962bf
Instruction Fuzzy Hash: 9812BD72951118AACB19FB90DD9AFEFB378AF94300F508199B10A62491EF706F48CF65

Function 009776E0 Relevance: 4.7, APIs: 3, Instructions: 212
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,00974930), ref: 0097791A
LoadLibraryA.KERNELBASE(?,?,00974930), ref: 0097792B
LoadLibraryA.KERNELBASE(?,?,00974930), ref: 0097794F

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e0150a5cf397c239d97fa0415d9632a371dfb9929d5e2d0b36efb43d9a3762ac
Instruction ID: 9a90ecd8388cc0199ac7db8e565dfe693f1b6750de56f5dd2bdbb58e2ba22406
Opcode Fuzzy Hash: e0150a5cf397c239d97fa0415d9632a371dfb9929d5e2d0b36efb43d9a3762ac
Instruction Fuzzy Hash: 4BA131B6511A00EFC369DFA8FDD8A163BB9BB4C3157148619E609C72B0DF769880CF25

Function 00964490 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00976800: malloc.MSVCRT(009644CF,?,?,009644CF,00000400), ref: 00976808

InternetCrackUrlA.WININET(00000000,00000000), ref: 00964526

Strings

<, xrefs: 009644A9

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: CrackInternetmalloc
String ID: <
API String ID: 1832218326-4251816714
Opcode ID: da293b06650335ce66514fa1d6a7d02861cd4300a9e5048fb0e93bce76b22d26
Instruction ID: 19d8d81273b500d99a511af6772797e86f1eef4f71a71c09814644166837c9ab
Opcode Fuzzy Hash: da293b06650335ce66514fa1d6a7d02861cd4300a9e5048fb0e93bce76b22d26
Instruction Fuzzy Hash: 6521EFB6D00609ABDF14EFA4E845BDE7B74AF44324F108225F629B72D1EF706A05CB91

Function 009762AC Relevance: 3.1, APIs: 2, Instructions: 64
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExA.KERNELBASE(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 009762F6
RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00020019,00000000), ref: 0097634B
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400), ref: 009763BC
RegQueryValueExA.KERNELBASE(00000000,?,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,0097E500), ref: 00976469
RegCloseKey.KERNELBASE(00000000), ref: 009764D8

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: QueryValue$CloseEnumOpen
String ID:
API String ID: 2041898428-0
Opcode ID: 8845eaf1226695fa45b4959b47b4662f845d258f1e6fd9cf6545a0d4c80cb508
Instruction ID: c814e022e280afdb18a9cbcbb64ad9692aca1aa97f86d9d5c1e9af5b0d169712
Opcode Fuzzy Hash: 8845eaf1226695fa45b4959b47b4662f845d258f1e6fd9cf6545a0d4c80cb508
Instruction Fuzzy Hash: 0B21FA72A1021CABDB24DB54DC85FD9B3B8FB48704F00C5D8A649A7150DF71AA85CFE4

Function 00975CD0 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 00975D2E
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 00975D4F

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 0c29597c3a0090a5a22011df56781039003fddd3123a6bd89eade52c8823b7a8
Instruction ID: c108761f6ae1516841dcae3318d5872c043acf4c38ac03edace05cb6e91b5d54
Opcode Fuzzy Hash: 0c29597c3a0090a5a22011df56781039003fddd3123a6bd89eade52c8823b7a8
Instruction Fuzzy Hash: 531142B2A40609EBD724DB94DD49FBFBBBCFB48710F108119F609A7290DB745900CB90

Function 009755C0 Relevance: 3.1, APIs: 2, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00020119,?), ref: 0097561E
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,000000FF,000000FF), ref: 0097563F

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: OpenQueryValue
String ID:
API String ID: 4153817207-0
Opcode ID: 843b4dd0f86c99a0cfe2d67408b7aaa37b6a97d0bf795a1ff8b81db5c0fa0ada
Instruction ID: 57111e482874a5826a7a93c692db9f310cd1c4a218c1c06475fa841063413778
Opcode Fuzzy Hash: 843b4dd0f86c99a0cfe2d67408b7aaa37b6a97d0bf795a1ff8b81db5c0fa0ada
Instruction Fuzzy Hash: B11151B2A40609EFD714CF94DD49FAFBBBCEB48710F108519F609A72A0DB745900CBA1

Function 00974920 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00961120: GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00974947,0097E4C7), ref: 0096112A

Part of subcall function 009610D0: VirtualAllocExNuma.KERNELBASE(00000000,?,?,0097494C), ref: 009610F2

Part of subcall function 009611E0: GlobalMemoryStatusEx.KERNELBASE(00000040,?,00000000,00000040), ref: 009611FE
Part of subcall function 009611E0: __aulldiv.LIBCMT ref: 00961218
Part of subcall function 009611E0: __aulldiv.LIBCMT ref: 00961226

GetUserDefaultLangID.KERNELBASE ref: 00974956

Part of subcall function 00975720: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0097576F

Part of subcall function 009757B0: GetComputerNameA.KERNEL32(?,00000104), ref: 009757FF

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser__aulldiv$AllocComputerDefaultGlobalInfoLangMemoryNumaStatusSystemVirtual
String ID:
API String ID: 736289943-0
Opcode ID: 59d952824f1edd57e94ba65014c58f89516ca9bbfc1e6fca069db5e4b41cd558
Instruction ID: 1fe045ab79754f266910866614a2609ef60c60ed4e7e1e6ba75a426e636c016e
Opcode Fuzzy Hash: 59d952824f1edd57e94ba65014c58f89516ca9bbfc1e6fca069db5e4b41cd558
Instruction Fuzzy Hash: 15312273A44208AACB14FBF0DC5ABBF7738AF94701F508558F11A66192DF745904C765

Function 00964C90 Relevance: 1.6, APIs: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00964CB1

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5b4aac1e895978af3772fa80dcc616d38c5e0b2948ad3c86690c050f8df8c50f
Instruction ID: ebf5116923e0352d0271b0ab7c0958be72c4e8fb1a27c60dd07adbe2465af43e
Opcode Fuzzy Hash: 5b4aac1e895978af3772fa80dcc616d38c5e0b2948ad3c86690c050f8df8c50f
Instruction Fuzzy Hash: 1E31F6B4E40218ABDB20DF94DC85BDDB7B4BB48704F1085E8B709A7290DB706AC5CF98

Function 009757B0 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000104), ref: 009757FF

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: db64e339ca52bc4396fbf1bdff8b8e1162051efa974d44fd27c90aec8836fb37
Instruction ID: de926988fdb2a30ef3ec168f251a4854b3e97e743b9699d19369980780439ff5
Opcode Fuzzy Hash: db64e339ca52bc4396fbf1bdff8b8e1162051efa974d44fd27c90aec8836fb37
Instruction Fuzzy Hash: E001A4B2E44609EBCB10DF99DD85BAEBBBCFB04711F104129F60AE3290C7755900CBA2

Function 00975720 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(00000104,00000104), ref: 0097576F

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 0c80af231dd8d9933c04a42fb20629d3aee84bd9b561cec7dcf14ca922f4943d
Instruction ID: d1a3162f6c7d95020d5495a0f78f54f83d1d259ac6bcbb7342fc9d8c249b5661
Opcode Fuzzy Hash: 0c80af231dd8d9933c04a42fb20629d3aee84bd9b561cec7dcf14ca922f4943d
Instruction Fuzzy Hash: 12F04FB2944609EBCB14DF98DC45BAEBBB8FB08721F100629F609A3690C7741504CBA1

Function 00977380 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 009773B5

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: c765ec20956510e849efb08348fcb29c3b81c95df5d06535cc094e8d4a9d2e19
Instruction ID: 41f86416e3d9f74679269487c2ca2726ab1a277e645d2adb9c4808ff22673942
Opcode Fuzzy Hash: c765ec20956510e849efb08348fcb29c3b81c95df5d06535cc094e8d4a9d2e19
Instruction Fuzzy Hash: 2EF05475A0010CFBDB14DFA4DC4AFED7778EB08700F108498BA0957290DAB0AE84CB90

Function 009610D0 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualAllocExNuma.KERNELBASE(00000000,?,?,0097494C), ref: 009610F2

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocNumaVirtual
String ID:
API String ID: 4233825816-0
Opcode ID: be1bc67d0e6ffdfd2c112ba3d705d776991427136154d17b7906d0b3b2973393
Instruction ID: 24f546f26504a4c119f7b7c5926562a51ee6d9469de53572ea9c855cc01c9c03
Opcode Fuzzy Hash: be1bc67d0e6ffdfd2c112ba3d705d776991427136154d17b7906d0b3b2973393
Instruction Fuzzy Hash: 61E0E67098930CFBEB109B90DD1EB1977689B05B46F104054F709BB1E0DAB52500D799

Function 00961120 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,00974947,0097E4C7), ref: 0096112A

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: aa12f28530ffd84b4723fbcb8ebbf9e131eafeced3128b8d134c8b1e1cde2c9d
Instruction ID: a75f52e3b5bb783106214b03e154b6b87a8d97a27eaca9ba502151542c166636
Opcode Fuzzy Hash: aa12f28530ffd84b4723fbcb8ebbf9e131eafeced3128b8d134c8b1e1cde2c9d
Instruction Fuzzy Hash: 97D05E7490520CCBCB10DFE099495DDBB78AB0D611F000455DE0563250DA305440CB65

Function 009643D0 Relevance: 1.3, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,?,?,0097492B), ref: 009643E0

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 22aae53f137f6d3c31c73d9661589868ca0daa26311687bc4f3cac1a9d42f4f6
Instruction ID: b4cb8f0f6f164c10efac57eb9a94e0a969d248ac8964833ddcfc9f8f1951b837
Opcode Fuzzy Hash: 22aae53f137f6d3c31c73d9661589868ca0daa26311687bc4f3cac1a9d42f4f6
Instruction Fuzzy Hash: 861100B0A04248EFCF04CF98D8D1BAEBBF5FF49305F148099E90997311C635AA51DB55

Function 00961060 Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,17C841C0,00003000,00000004,?,?,?,0096110E,?,?,0097494C), ref: 00961073

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aca12606acc2e5d62df5b1c57c4ccb3f4b12b811f25488f179af393c3122959e
Instruction ID: 1f515ed9d7a67b916e4fd78ff8e3d3ef2665315f23579d83ae8a00f1b9302f1f
Opcode Fuzzy Hash: aca12606acc2e5d62df5b1c57c4ccb3f4b12b811f25488f179af393c3122959e
Instruction Fuzzy Hash: A5F027B1641208BBEB149AB4AC49FAFF7DCA705B04F304549FA44E7290D6719F00C7A4

Function 00976800 Relevance: 1.3, APIs: 1, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

malloc.MSVCRT(009644CF,?,?,009644CF,00000400), ref: 00976808

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 07d99f05e25c8c2818b5db9e26a7b32ce13ff4ae63445b0c786d1b3a3cfa6da1
Instruction ID: 21767af1e42a58faae9fae41a8fd6f8b40c348f484e0d4388dd6449283543296
Opcode Fuzzy Hash: 07d99f05e25c8c2818b5db9e26a7b32ce13ff4ae63445b0c786d1b3a3cfa6da1
Instruction Fuzzy Hash: 08C012B190410CEB8F00CF98E80584D77ECDB04200B004194FC0DC3300D532AE1097D5

Non-executed Functions

Function 0097AD4A Relevance: 129.2, APIs: 86, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0097AD5E
_free.LIBCMT ref: 0097AD66
_free.LIBCMT ref: 0097AD6E
_free.LIBCMT ref: 0097AD76
_free.LIBCMT ref: 0097AD7E
_free.LIBCMT ref: 0097AD86
_free.LIBCMT ref: 0097AD8D
_free.LIBCMT ref: 0097AD95
_free.LIBCMT ref: 0097AD9D
_free.LIBCMT ref: 0097ADA5
_free.LIBCMT ref: 0097ADAD
_free.LIBCMT ref: 0097ADB5
_free.LIBCMT ref: 0097ADBD
_free.LIBCMT ref: 0097ADC5
_free.LIBCMT ref: 0097ADCD
_free.LIBCMT ref: 0097ADD5
_free.LIBCMT ref: 0097ADE0
_free.LIBCMT ref: 0097ADE8
_free.LIBCMT ref: 0097ADF0
_free.LIBCMT ref: 0097ADF8
_free.LIBCMT ref: 0097AE00
_free.LIBCMT ref: 0097AE08
_free.LIBCMT ref: 0097AE10
_free.LIBCMT ref: 0097AE18
_free.LIBCMT ref: 0097AE20
_free.LIBCMT ref: 0097AE28
_free.LIBCMT ref: 0097AE30
_free.LIBCMT ref: 0097AE38
_free.LIBCMT ref: 0097AE40
_free.LIBCMT ref: 0097AE48
_free.LIBCMT ref: 0097AE50
_free.LIBCMT ref: 0097AE58
_free.LIBCMT ref: 0097AE66
_free.LIBCMT ref: 0097AE71
_free.LIBCMT ref: 0097AE7C
_free.LIBCMT ref: 0097AE87
_free.LIBCMT ref: 0097AE92
_free.LIBCMT ref: 0097AE9D
_free.LIBCMT ref: 0097AEA8
_free.LIBCMT ref: 0097AEB3
_free.LIBCMT ref: 0097AEBE
_free.LIBCMT ref: 0097AEC9
_free.LIBCMT ref: 0097AED4
_free.LIBCMT ref: 0097AEDF
_free.LIBCMT ref: 0097AEEA
_free.LIBCMT ref: 0097AEF5
_free.LIBCMT ref: 0097AF00
_free.LIBCMT ref: 0097AF0B
_free.LIBCMT ref: 0097AF19
_free.LIBCMT ref: 0097AF24
_free.LIBCMT ref: 0097AF2F
_free.LIBCMT ref: 0097AF3A
_free.LIBCMT ref: 0097AF45
_free.LIBCMT ref: 0097AF50
_free.LIBCMT ref: 0097AF5B
_free.LIBCMT ref: 0097AF66
_free.LIBCMT ref: 0097AF71
_free.LIBCMT ref: 0097AF7C
_free.LIBCMT ref: 0097AF87
_free.LIBCMT ref: 0097AF92
_free.LIBCMT ref: 0097AF9D
_free.LIBCMT ref: 0097AFA8
_free.LIBCMT ref: 0097AFB3
_free.LIBCMT ref: 0097AFBE
_free.LIBCMT ref: 0097AFCC
_free.LIBCMT ref: 0097AFD7
_free.LIBCMT ref: 0097AFE2
_free.LIBCMT ref: 0097AFED
_free.LIBCMT ref: 0097AFF8
_free.LIBCMT ref: 0097B003
_free.LIBCMT ref: 0097B00E
_free.LIBCMT ref: 0097B019
_free.LIBCMT ref: 0097B024
_free.LIBCMT ref: 0097B02F
_free.LIBCMT ref: 0097B03A
_free.LIBCMT ref: 0097B045
_free.LIBCMT ref: 0097B050
_free.LIBCMT ref: 0097B05B
_free.LIBCMT ref: 0097B066
_free.LIBCMT ref: 0097B071
_free.LIBCMT ref: 0097B07F
_free.LIBCMT ref: 0097B08A
_free.LIBCMT ref: 0097B095
_free.LIBCMT ref: 0097B0A0
_free.LIBCMT ref: 0097B0AB
_free.LIBCMT ref: 0097B0B6

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction ID: 7bf8cf69e59d0b1641c20eacf669f04ae9ca20610a2b295d08b6c2f48a6b9342
Opcode Fuzzy Hash: 55745e4d8ffa3bcd4bae6bd50e23aa08e34946fc70669168e917a1c48e4fa5ed
Instruction Fuzzy Hash: 6371E5B25B0B00DFD7667B31ED0BB5B76A27F84300F10CB16B1DE205369E236A659B51

Function 00979DC7 Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00979DD3

Part of subcall function 0097934C: __getptd_noexit.LIBCMT ref: 0097934F
Part of subcall function 0097934C: __amsg_exit.LIBCMT ref: 0097935C

__getptd.LIBCMT ref: 00979DEA
__amsg_exit.LIBCMT ref: 00979DF8
__lock.LIBCMT ref: 00979E08
__updatetlocinfoEx_nolock.LIBCMT ref: 00979E1C

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 5f9b52f9d6984d6ff20a8e7a0bbe2a6031013e124844dbd42974b6bc098e7c1e
Instruction ID: 37ff9288fbabe94a1e04772c9fc965f029580adbb4b976585316e666bc0d32d1
Opcode Fuzzy Hash: 5f9b52f9d6984d6ff20a8e7a0bbe2a6031013e124844dbd42974b6bc098e7c1e
Instruction Fuzzy Hash: EBF09033A45610DBDB21BBB8980775E3290EF80B20F21C209F40DA72D2CF2459009B55

Function 0097A063 Relevance: 6.0, APIs: 4, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0097A06F

Part of subcall function 0097934C: __getptd_noexit.LIBCMT ref: 0097934F
Part of subcall function 0097934C: __amsg_exit.LIBCMT ref: 0097935C

__amsg_exit.LIBCMT ref: 0097A08F
__lock.LIBCMT ref: 0097A09F
_free.LIBCMT ref: 0097A0CF

Memory Dump Source

Source File: 00000011.00000002.2975005911.0000000000960000.00000040.00000400.00020000.00000000.sdmp, Offset: 00960000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_960000_aspnet_regiis.jbxd

Yara matches

Similarity

API ID: __amsg_exit$__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3170801528-0
Opcode ID: 360b5a4f29f6bed054f7a32e45ed7910990010b34b2a76388bdae20d564a5854
Instruction ID: 025fb3deec14f4bc894c9b79b550d22ec21ec93133c991301e49e685a1716671
Opcode Fuzzy Hash: 360b5a4f29f6bed054f7a32e45ed7910990010b34b2a76388bdae20d564a5854
Instruction Fuzzy Hash: 9901C033942712DBDB21BF65980D75E7360BF81B20F168405F82DA7790DB346980EBD2

Analysis Process: Freshbuild.exePID: 8120, Parent PID: 7520COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	12.9%
Total number of Nodes:	551
Total number of Limit Nodes:	26

Executed Functions

Function 0003A909 Relevance: 33.0, APIs: 15, Strings: 3, Instructions: 1503
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryA.KERNEL32(00000000,6DCF5B57,00000000), ref: 0003A90C

Strings

VUUU, xrefs: 0003AE82
d, xrefs: 0003AF4E
@3P, xrefs: 0003B821

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CurrentDirectory
String ID: @3P$VUUU$d
API String ID: 1611563598-101208748
Opcode ID: c0aa037e4acc4b585ad4d1784e2be043adeb80f53f25b216bcf7d9ad9f00561f
Instruction ID: cce10dfde1d7a5b3ffd4b392726175bee0aa32191367887cf038709defc9630e
Opcode Fuzzy Hash: c0aa037e4acc4b585ad4d1784e2be043adeb80f53f25b216bcf7d9ad9f00561f
Instruction Fuzzy Hash: 8BC2E471A002189FEB19DF28CC89BDDBBB9EF45304F5081A8F509E7292DB759A84CF51

Function 00039910 Relevance: 24.7, APIs: 16, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00038A40: GetTempPathA.KERNEL32(00000104,?,6DCF5B57,?,00000000), ref: 00038A87

GetFileAttributesA.KERNEL32(00000000), ref: 00039983

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AttributesFilePathTemp
String ID:
API String ID: 3199926297-0
Opcode ID: def0088d54e6d8743e934e244d57377cad698ead2d68b58178d9203fe9ace694
Instruction ID: d1de1241623e3324840df0a832f3812e1e084f595e07b504fbd0b3294c2b5bd3
Opcode Fuzzy Hash: def0088d54e6d8743e934e244d57377cad698ead2d68b58178d9203fe9ace694
Instruction Fuzzy Hash: DB420270A00248DFEF15EBB8C9497DEBBB5AB02314F608258D4517B3D3D7B50A84CBA2

Function 00037CE0 Relevance: 7.9, APIs: 5, Instructions: 388
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,6DCF5B57), ref: 00037D5A
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00037DBB
GetProcAddress.KERNEL32(00000000), ref: 00037DC2
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00037E83
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00037E87

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProcVersion
String ID:
API String ID: 374719553-0
Opcode ID: edbbaf2e20027710525e3b7a223cf65d98614eebe3a45e32a6beb6759ac52a7e
Instruction ID: 7819afeec4536e2d71f6482c7b65ae233ae072990b0682a182eef76caa762c13
Opcode Fuzzy Hash: edbbaf2e20027710525e3b7a223cf65d98614eebe3a45e32a6beb6759ac52a7e
Instruction Fuzzy Hash: F3D1F9B1E006049BDF25AB68DC5A39EBB75AB46310F9042DCE4196B3D3DB754E848BC2

Function 0006643B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0006643A,?,?,?,?,?,0006748E), ref: 0006645D
TerminateProcess.KERNEL32(00000000,?,0006643A,?,?,?,?,?,0006748E), ref: 00066464
ExitProcess.KERNEL32 ref: 00066476

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 92c2e9caec1e4b375ac2cd29a9174ed1ec4083322a469614dd2af9c3eb2f04fc
Instruction ID: dfe614c3f4d06fb3a938956837d4d0cca4ce257a3aba92bc361a8886668756d7
Opcode Fuzzy Hash: 92c2e9caec1e4b375ac2cd29a9174ed1ec4083322a469614dd2af9c3eb2f04fc
Instruction Fuzzy Hash: 31E0B631110648ABDF916F55DC1DA883B6AFF42761F008414F9458A132CB3ADD86CB80

Function 00035B00 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000419, xrefs: 00035F88
00000422, xrefs: 00035FB9
0000043f, xrefs: 0003601B
Keyboard Layout\Preload, xrefs: 00035F44
00000423, xrefs: 00035FEA

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: a549f283f7cadcd2c8497928e4905b3f7a3c62737b852e13d9e23427af06d296
Instruction ID: b6ea131a7f78f38dbae773211d80f8b4c07b6caff64a1046748afa04edd0f65a
Opcode Fuzzy Hash: a549f283f7cadcd2c8497928e4905b3f7a3c62737b852e13d9e23427af06d296
Instruction Fuzzy Hash: 2EF1037090025CAFEB25DF54CC88BDEBBB9FB44304F5081A9E509A7292DB749B84CF95

Function 0007195C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00071615: CreateFileW.KERNELBASE(00000000,00000000,?,00071A05,?,?,00000000,?,00071A05,00000000,0000000C), ref: 00071632

GetLastError.KERNEL32 ref: 00071A70
__dosmaperr.LIBCMT ref: 00071A77
GetFileType.KERNELBASE(00000000), ref: 00071A83
GetLastError.KERNEL32 ref: 00071A8D
__dosmaperr.LIBCMT ref: 00071A96
CloseHandle.KERNEL32(00000000), ref: 00071AB6
CloseHandle.KERNEL32(0006AB32), ref: 00071C03
GetLastError.KERNEL32 ref: 00071C35
__dosmaperr.LIBCMT ref: 00071C3C

Strings

H, xrefs: 00071BC1

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 39a193f77d3ff1a0634d0c3461e7c2a3a47a31518149872ca4807e7f6eeec5b5
Instruction ID: 97cccf6bf3bb31920abb186dca3d1b8bb37578796db21a68dc30ccd994649b08
Opcode Fuzzy Hash: 39a193f77d3ff1a0634d0c3461e7c2a3a47a31518149872ca4807e7f6eeec5b5
Instruction Fuzzy Hash: FEA14432E041049FDF199F6CDC95BEE3BF1AB06324F14415AF819AB2D2DB388916CB56

Function 0003D67C Relevance: 13.9, APIs: 9, Instructions: 446
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0003D7F3
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 0003D90F
send.WS2_32(?,?,00000004,00000000), ref: 0003DB0E
send.WS2_32(?,?,00000008,00000000), ref: 0003DB4A

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: send$CreateDirectoryFileModuleName
String ID:
API String ID: 2319890793-0
Opcode ID: a124b015f02607ceaa1eae5fe92948431b0577f3281dcdd203d4957fa33d5790
Instruction ID: 18163dfef3d8a5095b284df7585042cd2fe2689727d3a7520d5ebd441fc47e41
Opcode Fuzzy Hash: a124b015f02607ceaa1eae5fe92948431b0577f3281dcdd203d4957fa33d5790
Instruction Fuzzy Hash: 99F11571E042189BDB25DB38DC4ABDDBBB9AF45314F0042DAE449A7382DB719E84CF91

Function 0003D9AC Relevance: 6.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 977faa8a18ce24a62c854e10f98e73f05f84d8168c4b2f26d9839f0bf900cd2a
Instruction ID: 2da3af4e644e02fd2e7546a13c61140f96c21a8cdc7a7a1f4c4f63f1bd20817c
Opcode Fuzzy Hash: 977faa8a18ce24a62c854e10f98e73f05f84d8168c4b2f26d9839f0bf900cd2a
Instruction Fuzzy Hash: 0E410672A001149BDB28DB38DC85BAEB7B9AF85324F11426AE819E73D1DB309940CB94

Function 00037760 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 468
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(000003E8), ref: 00037A29

Strings

runas, xrefs: 000372B3

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: runas
API String ID: 3472027048-4000483414
Opcode ID: c8dc7249c64180fafa9e7b91da2c99e4ca72dd40522f93b9f33bd6806ff2550b
Instruction ID: b5c6ab971bc401074a2766c81facce0e7ef36790a3c40b4673b6a0399be5acb3
Opcode Fuzzy Hash: c8dc7249c64180fafa9e7b91da2c99e4ca72dd40522f93b9f33bd6806ff2550b
Instruction Fuzzy Hash: 29E129B1A14148ABDB19EB78CD4A7DEBB76EB81304F50825CF4089B3C7DB759A40CB91

Function 0003C296 Relevance: 3.5, APIs: 2, Instructions: 532
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00047840: __Cnd_destroy_in_situ.LIBCPMT ref: 00047938
Part of subcall function 00047840: __Mtx_destroy_in_situ.LIBCPMT ref: 00047941

Sleep.KERNEL32(00001388), ref: 0003C6E9

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
String ID:
API String ID: 113500496-0
Opcode ID: 1453f23a91205635d6834f40d84a6bc111988e495f03ce0839ccd6d96c070238
Instruction ID: 2c4d9cc47b3190e2da1d2a83582095732f5f7fe622d7e240283b338534a6a28a
Opcode Fuzzy Hash: 1453f23a91205635d6834f40d84a6bc111988e495f03ce0839ccd6d96c070238
Instruction Fuzzy Hash: F612B071A002089BEF05DF68C889BEDBBBAEF45304F54412DF845E7282DB75DA84CB91

Function 00046B70 Relevance: 3.0, APIs: 2, Instructions: 23
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00039910: Sleep.KERNELBASE(000003E8), ref: 0003A875
Part of subcall function 00039910: CreateMutexA.KERNELBASE(00000000,00000000,000931DC), ref: 0003A893
Part of subcall function 00039910: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0003A89C
Part of subcall function 00039910: GetLastError.KERNEL32 ref: 0003A8A2

Part of subcall function 00035B00: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 0003606D

CreateThread.KERNEL32(00000000,00000000,Function_00016AB0,00000000,00000000,00000000), ref: 00046B50
Sleep.KERNEL32(00007530), ref: 00046B65

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CreateSleep$ErrorLastMutexObjectOpenSingleThreadWait
String ID:
API String ID: 3106257662-0
Opcode ID: f1fd2dc45e05dc9e791c278b22eeb096e739478d6882eb04b7488ac67725acc4
Instruction ID: 164604418037434de393baca26371c1c1ddc985637f9de1e376a6d40efbe38c5
Opcode Fuzzy Hash: f1fd2dc45e05dc9e791c278b22eeb096e739478d6882eb04b7488ac67725acc4
Instruction Fuzzy Hash: 83E0C2B2B84B04A7F22133A16C07F9D7918AB02B11F200030B7497E1E3AEE174004AFF

Function 0003D039 Relevance: 1.9, APIs: 1, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0003D047

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 08c9982d17314195d2842a809e119079014f5632982cbf576d39c32e123a9b56
Instruction ID: e3d30ded9f1ce5ab05f48195b1435d510f3adb305741bb27fd910708d6a6ae11
Opcode Fuzzy Hash: 08c9982d17314195d2842a809e119079014f5632982cbf576d39c32e123a9b56
Instruction Fuzzy Hash: 2FE11771A002549BEB1AEB28DC497DDBB75AF46304F5082DDE408AB3C3DB759B848B91

Function 0003D5B0 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265b65407b67313aff29742a12c746ee7e570849135e47bb3dceb2755be8fe01
Instruction ID: cd6dd49e6763ddb711116a178ec687b46cfdbf9bbbc2b0fd9106851cfa8272b5
Opcode Fuzzy Hash: 265b65407b67313aff29742a12c746ee7e570849135e47bb3dceb2755be8fe01
Instruction Fuzzy Hash: 7C51DC709042689FEF26DB24CC89BDEBBB5AB05304F5041EAD44867282DB755FC8CF91

Function 0003C7D0 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eccaa5dd34940219f073d8c3b495b5f0a67d07f49d7715c35f1afbcf9a30dd99
Instruction ID: dfa1fd848eb9ee334f75cee4bf4e78b07461fc62857d253d412de23524025dfa
Opcode Fuzzy Hash: eccaa5dd34940219f073d8c3b495b5f0a67d07f49d7715c35f1afbcf9a30dd99
Instruction Fuzzy Hash: F131A071610248AFEB04DF68C989BDEBBB5FF48304F50461AF805E7281DB75D980CB94

Function 0006AAF3 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 0006AB2D

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: f4e7b1f0815f37f365a7534cf23bcbe8780e1bc959eca2f68e53bf5e8ac8880f
Instruction ID: 644430ddd2ae357cbb50370c0f3e6381e8c06b6b7ce72270dac1cba74ac074c1
Opcode Fuzzy Hash: f4e7b1f0815f37f365a7534cf23bcbe8780e1bc959eca2f68e53bf5e8ac8880f
Instruction Fuzzy Hash: 25111571A0420AAFCF05DF58E9419DB7BF5EF49304F0540AAF809AB252D670EE15CBA5

Function 0003B0A0 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 0003B0ED

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 71655540b5cfd228b06c8a2b7aba8c43cb297ac7b13ec0dccf00f4a1745fe5a1
Instruction ID: 734ef966616acd285da150ce2f60c030fe360ec725500be426736f0c708e1d19
Opcode Fuzzy Hash: 71655540b5cfd228b06c8a2b7aba8c43cb297ac7b13ec0dccf00f4a1745fe5a1
Instruction Fuzzy Hash: 0C212CB181016CDBDB2ADF14CD65BEAB7B8FB09704F0042E9E50A63281D7745B88CFA0

Function 000718CE Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00071931

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ff89ec45d56ad598fc1cdac097a9ffa15eccbe9b6325dd4b30191e09ed1fe268
Instruction ID: d6fe3c1695d3cf902abc3948c47f2b748bffc7a4930279d2438008bb6ad133ce
Opcode Fuzzy Hash: ff89ec45d56ad598fc1cdac097a9ffa15eccbe9b6325dd4b30191e09ed1fe268
Instruction Fuzzy Hash: 7901FF72C0015DBFCF42AFA88C019EE7FF6AF08310F144165FA18E2192E6358A65DB95

Function 00071615 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00071A05,?,?,00000000,?,00071A05,00000000,0000000C), ref: 00071632

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7910b0ed63aaac4be5b8b517b204be170932a317c0c803f8b66a45c70fde743f
Instruction ID: e8bc3503cee94d18cc12b8964c49f70552f6293d929de59a48779f9810a40d94
Opcode Fuzzy Hash: 7910b0ed63aaac4be5b8b517b204be170932a317c0c803f8b66a45c70fde743f
Instruction Fuzzy Hash: C4D06C3200010DBBDF028F84DC06EDA3BAAFB48714F118000BA5856020C776E821AB94

Function 000386C2 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 000386C9

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 25854c9483b117225527f4ff4416dbe15e78cf23a631311f83e96c365d48f154
Instruction ID: aede5d1a83f32bdbe363641ffc9753d6e7b33c63ebb77e339a27f0bb3ca350f3
Opcode Fuzzy Hash: 25854c9483b117225527f4ff4416dbe15e78cf23a631311f83e96c365d48f154
Instruction Fuzzy Hash: 65C080301017000BED5D0638564E055335557433A4FD45BC8F0B14E0F1CB39680FD700

Function 000386C0 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 000386C9

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9018c8f25c6f1822b90325512aefe2a532da37dd2e96abfc14466bf2ec23d521
Instruction ID: 94b27f2ce1d816c25f5e52b3ded5cb8b6d302acf21e63da4e6be6f729722d59d
Opcode Fuzzy Hash: 9018c8f25c6f1822b90325512aefe2a532da37dd2e96abfc14466bf2ec23d521
Instruction Fuzzy Hash: 60C080301013004BE65D4B38664D0153315AB02319BE04BCCF0714E0F1CB37D40BCB10

Non-executed Functions

Function 0004C66B Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0004C671
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0004C67F
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0004C690
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0004C6A1
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0004C6B2
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0004C6C3
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0004C6D4
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0004C6E5
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0004C6F6
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0004C707
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0004C718
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0004C729
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0004C73A
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0004C74B
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0004C75C
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0004C76D
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0004C77E
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0004C78F
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0004C7A0
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0004C7B1
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0004C7C2
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0004C7D3
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0004C7E4
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0004C7F5
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0004C806
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0004C817
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0004C828
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0004C839
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0004C84A
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0004C85B
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0004C86C
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0004C87D
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0004C88E
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0004C89F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0004C8B0
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0004C8C1
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0004C8D2
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0004C8E3
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0004C8F4
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0004C905
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0004C916

Strings

SetThreadpoolWait, xrefs: 0004C762
CreateEventExW, xrefs: 0004C6DA
CreateSymbolicLinkW, xrefs: 0004C7BC
CreateSemaphoreW, xrefs: 0004C6EB
AcquireSRWLockExclusive, xrefs: 0004C872
LCMapStringEx, xrefs: 0004C90B
FreeLibraryWhenCallbackReturns, xrefs: 0004C795
WakeAllConditionVariable, xrefs: 0004C83F
kernel32.dll, xrefs: 0004C66C
GetCurrentPackageId, xrefs: 0004C7C8
GetSystemTimePreciseAsFileTime, xrefs: 0004C80C
GetLocaleInfoEx, xrefs: 0004C8FA
CreateSemaphoreExW, xrefs: 0004C6FC
GetFileInformationByHandleEx, xrefs: 0004C7EA
WakeConditionVariable, xrefs: 0004C82E
FlushProcessWriteBuffers, xrefs: 0004C784
ReleaseSRWLockExclusive, xrefs: 0004C894
FlsSetValue, xrefs: 0004C6A7
GetCurrentProcessorNumber, xrefs: 0004C7A6
GetTickCount64, xrefs: 0004C7D9
CreateThreadpoolWork, xrefs: 0004C8B6
FlsAlloc, xrefs: 0004C679
SubmitThreadpoolWork, xrefs: 0004C8C7
InitializeConditionVariable, xrefs: 0004C81D
CreateThreadpoolTimer, xrefs: 0004C70D
SetFileInformationByHandle, xrefs: 0004C7FB
CloseThreadpoolWork, xrefs: 0004C8D8
CreateThreadpoolWait, xrefs: 0004C751
SleepConditionVariableCS, xrefs: 0004C850
SetThreadpoolTimer, xrefs: 0004C71E
FlsGetValue, xrefs: 0004C696
InitOnceExecuteOnce, xrefs: 0004C6C9
CompareStringEx, xrefs: 0004C8E9
SleepConditionVariableSRW, xrefs: 0004C8A5
InitializeSRWLock, xrefs: 0004C861
WaitForThreadpoolTimerCallbacks, xrefs: 0004C72F
CloseThreadpoolTimer, xrefs: 0004C740
InitializeCriticalSectionEx, xrefs: 0004C6B8
TryAcquireSRWLockExclusive, xrefs: 0004C883
CloseThreadpoolWait, xrefs: 0004C773
FlsFree, xrefs: 0004C685

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: cd02ae7746204614822c63f3f4b10c1b214c7b97b810be878e21d57166c2181f
Instruction ID: c7b2ad53ee9f6efe50ca89c9c52e0ab07eb36eda40c6a41bd0c4a2e50ae87910
Opcode Fuzzy Hash: cd02ae7746204614822c63f3f4b10c1b214c7b97b810be878e21d57166c2181f
Instruction Fuzzy Hash: 15618471952F10ABE7416FB6AC0DA993AACBF0970BB54041BF385E7161E7BC41068F9C

Function 00037050 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 121memoryprocessthreadCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0003707D
CreateProcessA.KERNEL32(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 000370DB
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 000370F4
GetThreadContext.KERNEL32(?,00000000), ref: 00037109
ReadProcessMemory.KERNEL32(?, ,?,00000004,00000000), ref: 00037129
VirtualAllocEx.KERNEL32(?,?,?,00003000,00000040), ref: 0003716B
WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00037188
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00037241

Strings

VUUU, xrefs: 00036EF1
invalid stoi argument, xrefs: 00037040
, xrefs: 00037120

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ProcessVirtual$AllocMemory$ContextCreateFileFreeModuleNameReadThreadWrite
String ID: $VUUU$invalid stoi argument
API String ID: 3796053839-3954507777
Opcode ID: faace7a7b1ab8967b4173e5495f95a70e5bda52e2e3e18368e52acf817f9f8e8
Instruction ID: bd376473eefa5935059fdd36e249392d38fbbdd1ac8076d2fdbbeebb4dbcd0c9
Opcode Fuzzy Hash: faace7a7b1ab8967b4173e5495f95a70e5bda52e2e3e18368e52acf817f9f8e8
Instruction Fuzzy Hash: 7A417FB1244301BFE7619F54DC05F9A77E8BF48B04F404519F688E61D0D7B4A914CF96

Function 00050D23 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 284COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00050E26
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00050E72

Part of subcall function 0005256D: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00052660

Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00050EDE
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00050EFA
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00050F4E
Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 00050F7B
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00050FD1

Strings

(, xrefs: 00050E32

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
String ID: (
API String ID: 2943730970-3887548279
Opcode ID: 6b549eadbabb376fc73f7efcd8b387e69dfda047dcc44ccf74ec3b4dc733b432
Instruction ID: 902a47d9804b34083e4f4e8430f13ad5a1f4ef439c8bc4705fb8ba159ca288d4
Opcode Fuzzy Hash: 6b549eadbabb376fc73f7efcd8b387e69dfda047dcc44ccf74ec3b4dc733b432
Instruction Fuzzy Hash: 86B18B70A00611AFDB28CF68D981B7EB7F4FF48302F24856EE805AB651D734AD84CB94

Function 00051512 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00052C0C: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00052C1F

Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00051524

Part of subcall function 00052D1F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 00052D49

Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00051656
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 000516B6
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 000516C2
Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 000516FD
Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 0005171E
Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 0005172A
Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00051733
Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 0005174B

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Manager::Resource$Allocation$CoresDynamic$AdjustCoreDataDistributePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalHandleIdleIncreaseInitializeLoadedProcessResetScheduler
String ID:
API String ID: 3189225155-0
Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction ID: d1a78670d3af593db91ad0e2c70ee05532ac13ad0d8c6a1ab449a0fc705ea76d
Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
Instruction Fuzzy Hash: 04815B71E006259FCB18DF68C584AAEB7F6FF88305B1546ADD806AB701DB70ED56CB80

Function 0005EB58 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0005EB91

Part of subcall function 00058E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00058E60

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 0005EBF7
Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0005EC0F
Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0005EC1C

Part of subcall function 0005E6BF: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0005E6E7
Part of subcall function 0005E6BF: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0005E77F
Part of subcall function 0005E6BF: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0005E789
Part of subcall function 0005E6BF: Concurrency::location::_Assign.LIBCMT ref: 0005E7BD
Part of subcall function 0005E6BF: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0005E7C5

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
String ID:
API String ID: 2363638799-0
Opcode ID: 923586478bc2a1512a65aeb1a7afb3e6b70da78c5a40a0af8b68a61d20840514
Instruction ID: 7ea5d768f6e7bd469aafb51b09d285ed4eb40ae204874e9dab615b5230eea263
Opcode Fuzzy Hash: 923586478bc2a1512a65aeb1a7afb3e6b70da78c5a40a0af8b68a61d20840514
Instruction Fuzzy Hash: 8C51B571A002059BDF28DF54C886BAEBB75EF44711F154069ED427B382CB71AF0ACB91

Function 0004EF38 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 229COMMONLIBRARYCODE

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0004F1CB

Strings

pEvents, xrefs: 0004F1C3

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pEvents
API String ID: 2141394445-2498624650
Opcode ID: 2f27de81b94dbed58431cdabad80304424920d004779187dff7dce1a9a356f44
Instruction ID: 890f63eefbb3d96cbd295f7d6dd6d31337fc612454671d62fa2bb20d6e2629ae
Opcode Fuzzy Hash: 2f27de81b94dbed58431cdabad80304424920d004779187dff7dce1a9a356f44
Instruction Fuzzy Hash: A2819CB1D0025ADBCF25DFA8C985BFEB7B5BF45310F144439E401AB282DB70AA45CB99

Function 0006F1FF Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0006F243

Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EDF9
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE0B
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE1D
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE2F
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE41
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE53
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE65
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE77
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE89
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EE9B
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EEAD
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EEBF
Part of subcall function 0006EDDC: _free.LIBCMT ref: 0006EED1

_free.LIBCMT ref: 0006F238

Part of subcall function 0006AC95: HeapFree.KERNEL32(00000000,00000000,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?), ref: 0006ACAB
Part of subcall function 0006AC95: GetLastError.KERNEL32(?,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?,?), ref: 0006ACBD

_free.LIBCMT ref: 0006F25A
_free.LIBCMT ref: 0006F26F
_free.LIBCMT ref: 0006F27A
_free.LIBCMT ref: 0006F29C
_free.LIBCMT ref: 0006F2AF
_free.LIBCMT ref: 0006F2BD
_free.LIBCMT ref: 0006F2C8
_free.LIBCMT ref: 0006F300
_free.LIBCMT ref: 0006F307
_free.LIBCMT ref: 0006F324
_free.LIBCMT ref: 0006F33C

Strings

`', xrefs: 0006F215
8", xrefs: 0006F2EB

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: 8"$`'
API String ID: 161543041-2232028047
Opcode ID: f90ad80a20cb27691a0f451246883e715220fe80848eb063635019880ac685e4
Instruction ID: 0581db977097fd90b316c53f8e339ac9481826352fbc96cde0ec1cf6a8cfe0d5
Opcode Fuzzy Hash: f90ad80a20cb27691a0f451246883e715220fe80848eb063635019880ac685e4
Instruction Fuzzy Hash: 4E3180716003069FEB61AA78E905BA773EBAF01361F144439E05AEB192DF70ED84CF11

Function 0004CF2C Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 51libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00095690,00000FA0,?,?,0004CF0A), ref: 0004CF38
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0004CF0A), ref: 0004CF43
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0004CF0A), ref: 0004CF54
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0004CF66
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0004CF74
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0004CF0A), ref: 0004CF97
___scrt_fastfail.LIBCMT ref: 0004CFA8
RtlDeleteCriticalSection.NTDLL(00095690), ref: 0004CFB3
CloseHandle.KERNEL32(00000000,?,?,0004CF0A), ref: 0004CFC3

Strings

SleepConditionVariableCS, xrefs: 0004CF60
WakeAllConditionVariable, xrefs: 0004CF6C
kernel32.dll, xrefs: 0004CF4F
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0004CF3E

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin___scrt_fastfail
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 3578986977-3242537097
Opcode ID: 9d43e2f05846d8ce2845953779137e5a374ea24f00ac51207e5b141b7c928bc8
Instruction ID: 3c81bee3877664e324ae78986a575eee87024d0c47e609fc40f43016a00bd3ab
Opcode Fuzzy Hash: 9d43e2f05846d8ce2845953779137e5a374ea24f00ac51207e5b141b7c928bc8
Instruction Fuzzy Hash: 7A01B5B1641A11AFFBE11F71AC0DF5A36A8BF44B51B440131FE84D7254DA7CC8058B68

Function 000625DE Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 000625F0

Part of subcall function 000623EE: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00062411

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00062611
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 0006261E
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0006266C
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 000626F3
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00062706
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00062753

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: e96282954911b0462d15d0ccb6477b150b94c2388ababec7c3fa4202555de026
Instruction ID: fafe7df4b5a32a0655c66cad54b5b5f38985bf398e1275e96838a053576038ef
Opcode Fuzzy Hash: e96282954911b0462d15d0ccb6477b150b94c2388ababec7c3fa4202555de026
Instruction Fuzzy Hash: 0F819C3090464AAFDF169F54C991BFE7BB3AF55304F044098FC416B292C7368D69DB62

Function 000543EE Relevance: 21.2, APIs: 14, Instructions: 189timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00054448

Part of subcall function 00054229: RtlInitializeSListHead.NTDLL(?), ref: 000542F5
Part of subcall function 00054229: RtlInitializeSListHead.NTDLL(?), ref: 000542FF

ListArray.LIBCONCRT ref: 0005447C
Hash.LIBCMT ref: 000544E5
Hash.LIBCMT ref: 000544F5
RtlInitializeSListHead.NTDLL(?), ref: 0005458A
RtlInitializeSListHead.NTDLL(?), ref: 00054597
RtlInitializeSListHead.NTDLL(?), ref: 000545A4
RtlInitializeSListHead.NTDLL(?), ref: 000545B1

Part of subcall function 00059B51: std::bad_exception::bad_exception.LIBCMT ref: 00059B73

RegisterWaitForSingleObject.KERNEL32(?,00000000,00057925,?,000000FF,00000000), ref: 00054639
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0005465B
GetLastError.KERNEL32(0005539B,?,?,00000000,?,?), ref: 0005466D
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0005468A

Part of subcall function 0004FABA: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,0005539B,00000008,?,0005468F,?,00000000,00057916,?,7FFFFFFF,7FFFFFFF,00000000), ref: 0004FAD2

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 000546B4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 2750799244-0
Opcode ID: 1baba051de5c81a4eb862b838e55fb6d9e0e05d483ebed11b8dd783533b9961d
Instruction ID: 63ee51fd1cd3e0ba01585b616fb1a77a3c0959054165ada5c6e03e961ac306e0
Opcode Fuzzy Hash: 1baba051de5c81a4eb862b838e55fb6d9e0e05d483ebed11b8dd783533b9961d
Instruction Fuzzy Hash: F88181B0A11A12FFD744DF74C945BDAFBA8BF09705F00421AF92897281DBB4A568CBD1

Function 00052742 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00052751

Part of subcall function 00053A3C: GetVersionExW.KERNEL32(?), ref: 00053A60
Part of subcall function 00053A3C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00053AFF

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00052765
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00052786
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 000527EF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00052823

Part of subcall function 000506FD: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 0005071D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 000528A3

Part of subcall function 0005226C: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00052280

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 000528EB

Part of subcall function 000506D2: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 000506EE

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 000528FF
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00052910
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 0005295D
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00052982
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 0005298E

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: c4142a7e59a448b119079cd135ffd708772c8559b2fb10c8fae7e72633709d4c
Instruction ID: eb99ef4d97c75999df74dbcbe67d089bd39214712a242a69964c41929b27995e
Opcode Fuzzy Hash: c4142a7e59a448b119079cd135ffd708772c8559b2fb10c8fae7e72633709d4c
Instruction Fuzzy Hash: 0A811332A016169BDB19DFA9DCD05BFB7F1FF49302B28412ED841A3750DB386949CB49

Function 0004F981 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 60libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,00053AF6), ref: 0004F98F
GetProcAddress.KERNEL32(00000000,SetThreadGroupAffinity), ref: 0004F99D
GetProcAddress.KERNEL32(00000000,GetThreadGroupAffinity), ref: 0004F9AB
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumberEx), ref: 0004F9D9
GetLastError.KERNEL32(?,?,?,00053AF6), ref: 0004F9F4
GetLastError.KERNEL32(?,?,?,00053AF6), ref: 0004FA00
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0004FA16

Strings

GetThreadGroupAffinity, xrefs: 0004F9A3
GetCurrentProcessorNumberEx, xrefs: 0004F9CE
SetThreadGroupAffinity, xrefs: 0004F997
kernel32.dll, xrefs: 0004F98A

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorLast$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorHandleModule
String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
API String ID: 1654681794-465693683
Opcode ID: c1bd15226786213f3122530e5839a77ce282a8e00554b9a2f95eb8ec74cc5ebb
Instruction ID: 8a45a36a292849b1e8a52b47dda1ce5515015b0efe973d29c4ae1dc3dda1bd66
Opcode Fuzzy Hash: c1bd15226786213f3122530e5839a77ce282a8e00554b9a2f95eb8ec74cc5ebb
Instruction Fuzzy Hash: 5F01E1B15047026BE7507BB5BC4ABBB36ECFF04304B14043AB685E2152EE7CD8085B6D

Function 0006287D Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 0006288F

Part of subcall function 000623EE: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00062411

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 000628B0
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 000628BD
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0006290B
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 000629B3
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 000629E5

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: 99f0731a03a520eb76c05a8a5b63acfa34a796df7a206028b493af3b63b770f7
Instruction ID: 8ac1d349e605c9f4782816191daaa2c3221f510aef030aad8a970a241a0f6a59
Opcode Fuzzy Hash: 99f0731a03a520eb76c05a8a5b63acfa34a796df7a206028b493af3b63b770f7
Instruction Fuzzy Hash: FC71AD7090064AAFDF25DF94C990BFEBBB7AF85304F044098EC41AB292C7769D16DB61

Function 000651B5 Relevance: 16.1, APIs: 6, Strings: 3, Instructions: 308COMMONLIBRARYCODE

Download Yara Rule

APIs

IsInExceptionSpec.LIBVCRUNTIME ref: 000652B0
type_info::operator==.LIBVCRUNTIME ref: 000652D7
___TypeMatch.LIBVCRUNTIME ref: 000653E3
IsInExceptionSpec.LIBVCRUNTIME ref: 000654BE
_UnwindNestedFrames.LIBCMT ref: 00065545
CallUnexpected.LIBVCRUNTIME ref: 00065560

Strings

csm, xrefs: 000651F0
csm, xrefs: 0006530E
csm, xrefs: 0006525D

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2123188842-393685449
Opcode ID: f43af75a9041860fca0eb19b61cfe0be7f4b3b933c0486f4ebce99e03326fa1b
Instruction ID: c5de71e7882c1c88a59fc5f1b1c97fce05d57513ec45c3a50b5193ca4d89362a
Opcode Fuzzy Hash: f43af75a9041860fca0eb19b61cfe0be7f4b3b933c0486f4ebce99e03326fa1b
Instruction Fuzzy Hash: 30C18971800A19DFCF25DFA8CC919EEBBB6FF15316F44415AE8016B252CB31DA91CB92

Function 0006E92E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0006E958
_free.LIBCMT ref: 0006EA31
_free.LIBCMT ref: 0006EA5E

Strings

0"v, xrefs: 0006E97F, 0006E9BE, 0006E9CB, 0006EA02, 0006EACA

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: 0"v
API String ID: 3409252457-3321802411
Opcode ID: 403b51413f02f1c94c421dc4e9420b135a99a8a3b668a15dcdc1b38020387e92
Instruction ID: d14f5da46090fe3967e3c772975727917e2b62055342f1efc08b04ef71f3af23
Opcode Fuzzy Hash: 403b51413f02f1c94c421dc4e9420b135a99a8a3b668a15dcdc1b38020387e92
Instruction Fuzzy Hash: 38514875904385AFEB25AFB4CC41AAE7BE7AF01324F18416EF5159B283EB329901CB51

Function 000568EA Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0005692F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00056961
List.LIBCONCRT ref: 0005699C
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 000569AD
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 000569C9
List.LIBCONCRT ref: 00056A04
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00056A15
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00056A30
List.LIBCONCRT ref: 00056A6B
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00056A78

Part of subcall function 00055DEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00055E07
Part of subcall function 00055DEF: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00055E19

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: 936df64c3b7f97047a46536aba5bc5c5c7dc6a77c5b6f858b22054d36ad7d0f7
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: F2512D71A00219ABDF04DF64C495BEEB3B8BF08315F544069ED55AB242DB35AE49CF90

Function 0006A3F9 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0006A40F

Part of subcall function 0006AC95: HeapFree.KERNEL32(00000000,00000000,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?), ref: 0006ACAB
Part of subcall function 0006AC95: GetLastError.KERNEL32(?,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?,?), ref: 0006ACBD

_free.LIBCMT ref: 0006A41B
_free.LIBCMT ref: 0006A426
_free.LIBCMT ref: 0006A431
_free.LIBCMT ref: 0006A43C
_free.LIBCMT ref: 0006A447
_free.LIBCMT ref: 0006A452
_free.LIBCMT ref: 0006A45D
_free.LIBCMT ref: 0006A468
_free.LIBCMT ref: 0006A476

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 334368f1df4c5b574fb2904c41f19e32ddeb8527e01332904fcc474fc96078fc
Instruction ID: 14191416e91198d51364c3d22bd5c6605cc1db24167574cbbdd30fe6315e6245
Opcode Fuzzy Hash: 334368f1df4c5b574fb2904c41f19e32ddeb8527e01332904fcc474fc96078fc
Instruction Fuzzy Hash: 1F216876A0010CAFCB42EF94C881DDE7BBABF09351F014565F515AF122DB31DA588F95

Function 00057274 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 80threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 000572C0
SwitchToThread.KERNEL32(?), ref: 000572E3
Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00057302
Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 0005731E
Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00057329
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00057350

Strings

ppVirtualProcessorRoots, xrefs: 00057348
count, xrefs: 0005728E

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementSwitchThreadstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 3791123369-3650809737
Opcode ID: 5d06d9cee43a2f12bb6fb5976aa7cddc07c910883d655f5a4ec4074986be5bb6
Instruction ID: 35de8ed186f0f08ccce6b57d2345843b24ddd7621abb3fd83b43a7c19673ecd7
Opcode Fuzzy Hash: 5d06d9cee43a2f12bb6fb5976aa7cddc07c910883d655f5a4ec4074986be5bb6
Instruction Fuzzy Hash: 05218034A00209AFDF14EF94D8899EEB7B5BF44311F1440A9ED49A7392DB30AE09DB50

Function 00056D2C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00056D46
GetCurrentProcess.KERNEL32 ref: 00056D4E
DuplicateHandle.KERNEL32(00000000,000000FF,00000000,00000000,00000000,00000000,00000002), ref: 00056D63
SafeRWList.LIBCONCRT ref: 00056D83

Part of subcall function 00054D7E: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00054D8F
Part of subcall function 00054D7E: List.LIBCMT ref: 00054D99

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00056D95
GetLastError.KERNEL32 ref: 00056DA4
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00056DBA

Strings

eventObject, xrefs: 00056D8D

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorHandleLastLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 165577817-1680012138
Opcode ID: ef082fd04493210dc96ded75118576c3250505a2465d96f002e7d55db8e46158
Instruction ID: 5477d65c59ff339461f20dc2590cc69a020737b0eee82fe91eb7ceeca5c3710c
Opcode Fuzzy Hash: ef082fd04493210dc96ded75118576c3250505a2465d96f002e7d55db8e46158
Instruction Fuzzy Hash: 1711E371600204EBDB90EBA0CC49FEF37B8AF00312F500425B945A70D1DB74994CCB74

Function 0003BD82 Relevance: 13.8, APIs: 9, Instructions: 341networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00088D20,00000000,00000000,00000000,00000000), ref: 0003BDBC
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0003BDE0
HttpOpenRequestA.WININET(?,00000000), ref: 0003BE2A
HttpSendRequestA.WININET(?,00000000), ref: 0003BEEA
InternetReadFile.WININET(?,?,000003FF,?), ref: 0003BF9C
InternetReadFile.WININET(?,00000000,000003FF,?), ref: 0003C050
InternetCloseHandle.WININET(?), ref: 0003C077
InternetCloseHandle.WININET(?), ref: 0003C07F
InternetCloseHandle.WININET(?), ref: 0003C087

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID:
API String ID: 1354133546-0
Opcode ID: 92ce8b0d91555573153f8c7d2e4d816dd3fa3e972003fe961bbeea171812940c
Instruction ID: 2a36e331a5832c8355f21a97b002ac5ed1aa2246ec513be429585720dfb9b9f3
Opcode Fuzzy Hash: 92ce8b0d91555573153f8c7d2e4d816dd3fa3e972003fe961bbeea171812940c
Instruction Fuzzy Hash: 80C1F9B16001589BEB29DF24CC88BDE7B79EF45304F5081A8F509E7292DB759AC0CF94

Function 00075572 Relevance: 13.8, APIs: 9, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca43c8ffce3ebac0518b6ea8300c8aa556b638d6b9a43c30adc8501f6cee066
Instruction ID: 584b876a522216add3f288948ce120a163957726b33afef2ce646a0a12483519
Opcode Fuzzy Hash: 1ca43c8ffce3ebac0518b6ea8300c8aa556b638d6b9a43c30adc8501f6cee066
Instruction Fuzzy Hash: 44C12470E04A499FDB55DF98DC84BED7BB1BF08316F108059E50CAB292CBB89941CF29

Function 000577F1 Relevance: 13.6, APIs: 9, Instructions: 106timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00057813

Part of subcall function 00055BC8: __EH_prolog3_catch.LIBCMT ref: 00055BCF
Part of subcall function 00055BC8: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00055C08

Concurrency::details::SchedulerBase::NotifyThrottledContext.LIBCONCRT ref: 00057821

Part of subcall function 0005682D: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00056852
Part of subcall function 0005682D: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00056875

Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0005783A
Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00057846

Part of subcall function 00055BC8: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00055C51
Part of subcall function 00055BC8: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00055C80
Part of subcall function 00055BC8: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 00055C8E

Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00057892
Concurrency::location::_Assign.LIBCMT ref: 000578B3
Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 000578BB
Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 000578CD
Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 000578FD

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Scheduler$Context$Throttling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_EntryExerciseFoundH_prolog3_catchInterlockedListNextNotifyProcessor::RingSchedulingSpinStartupThrottledTicket::TimerUntilWith
String ID:
API String ID: 2678502038-0
Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction ID: 90587dd3d51a48f2472aa8efc80c6f5e3abfd8fd685d55d02b31ed115ca7f46a
Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
Instruction Fuzzy Hash: 25316730B082556BCF56AA78589AAFFBBF99F41302F0400A9DC49D7243DB244C4DE3A1

Function 00060895 Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 000608AB
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00055BBE,?), ref: 000608BD
GetCurrentThread.KERNEL32 ref: 000608C5
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00055BBE,?), ref: 000608CD
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00055BBE,?), ref: 000608E6
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00060907

Part of subcall function 00050121: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 0005013B

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00055BBE,?), ref: 00060919
GetLastError.KERNEL32(?,?,?,?,?,00055BBE,?), ref: 00060944
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0006095A

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: 206ee14f01d0838d3f75bfa8ebfaa0b04bc429b27ef48746b8192c2d20f00841
Instruction ID: 72f632f2da7ed1412eb414ae5b916071e757af51884a8d847fb669f7f4e47a81
Opcode Fuzzy Hash: 206ee14f01d0838d3f75bfa8ebfaa0b04bc429b27ef48746b8192c2d20f00841
Instruction Fuzzy Hash: EC110671680301AFEB50ABB49C4EFAB3BAAAF05710F040075F9C9DA153EA74C908CB71

Function 00076649 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,0"v,00076905,?,?,?,?,?,?,?,?,0"v), ref: 000766EC
__alloca_probe_16.LIBCMT ref: 000767A2
__alloca_probe_16.LIBCMT ref: 00076838
__freea.LIBCMT ref: 000768A3
__freea.LIBCMT ref: 000768AF

Strings

0"v, xrefs: 0007664B

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID: 0"v
API String ID: 2330168043-3321802411
Opcode ID: 9fa8593c7b0dbe803f0893dc820ecde0fdb580a3f801e84c4806196ff94a0b69
Instruction ID: 2acf5816c41294e3bb3c50b60e5192a975de4b83af90009f379ac39b7d2d4bed
Opcode Fuzzy Hash: 9fa8593c7b0dbe803f0893dc820ecde0fdb580a3f801e84c4806196ff94a0b69
Instruction Fuzzy Hash: 3F81F771E04A059FDF609FA4C891EEE7BF5AF09354F188155E80AB7241DB2BDC04CBA9

Function 00064750 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00064787
___except_validate_context_record.LIBVCRUNTIME ref: 0006478F
_ValidateLocalCookies.LIBCMT ref: 00064818
__IsNonwritableInCurrentImage.LIBCMT ref: 00064843
_ValidateLocalCookies.LIBCMT ref: 00064898

Strings

csm, xrefs: 0006482D

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 2d59fb364ed52580cc9084027bea3b02abe44878f814113382c16c1bdb7f02f4
Instruction ID: 9e50f00062a9e488b0f5d6a37610f591c2b5ad18cc98874ab46d2e7e14facbe0
Opcode Fuzzy Hash: 2d59fb364ed52580cc9084027bea3b02abe44878f814113382c16c1bdb7f02f4
Instruction Fuzzy Hash: 72419234A00259AFCF10DF68C884A9EBBF6FF46324F148155E9149B393DB75AA15CB90

Function 00061A36 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00061A4F

Part of subcall function 00061D1E: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00061797), ref: 00061D2E

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00061A64
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00061A73
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00061B37

Strings

pContext, xrefs: 00061B2F
switchState, xrefs: 00061A6B

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::std::invalid_argument::invalid_argument$ExecutionFreeIdleObjectProcessorProxy::ResetRoot::SingleSuspendThreadVirtualWait
String ID: pContext$switchState
API String ID: 1312548968-2660820399
Opcode ID: 4ccf54979620c963738eeca6ba45efd0b9271e15ee00d460526c5f8969f7ed34
Instruction ID: d824adc99e9d3277ae0d8f88df71ce1363a252d255c3d7ec9aedaeba94d8abe5
Opcode Fuzzy Hash: 4ccf54979620c963738eeca6ba45efd0b9271e15ee00d460526c5f8969f7ed34
Instruction Fuzzy Hash: 8831B475A002149FCF05EFA8C881DFD77BABF44310F284565E915AB282EB70EE05CB91

Function 0005E6BF Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0005E6E7

Part of subcall function 0005E454: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0005E487
Part of subcall function 0005E454: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0005E4A9

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0005E764
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0005E770
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0005E77F
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0005E789
Concurrency::location::_Assign.LIBCMT ref: 0005E7BD
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0005E7C5

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 8d3ce2b9a7e6d6cd0d891aab2958b20c4b3f6e2d1ef0b01c64beab3fa39355c2
Instruction ID: 057a500cf3007169e79e3d8bc029cf872862200c19c1b58700ed48157784bc2a
Opcode Fuzzy Hash: 8d3ce2b9a7e6d6cd0d891aab2958b20c4b3f6e2d1ef0b01c64beab3fa39355c2
Instruction Fuzzy Hash: 9D414A35A00249DFDF05EF64C495AAEB7B9FF48301F1484AADD499B382DB34AA05CF91

Function 0006B01D Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 0006B074
ext-ms-, xrefs: 0006B088

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 9071f61f692b2fbfba1e0e6510a4d81088a368839190c3c37be0207634ffbcdd
Instruction ID: 3247a8c399a10e7a38109449f7b02d853db24aee39aeaded87bf3d517d462f18
Opcode Fuzzy Hash: 9071f61f692b2fbfba1e0e6510a4d81088a368839190c3c37be0207634ffbcdd
Instruction Fuzzy Hash: A12102B1A41224ABFB718A64DC44A2F3F9AAF01B60F210610ED65EB291D770ED40C7E0

Function 0006EF7B Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0006EF43: _free.LIBCMT ref: 0006EF68

_free.LIBCMT ref: 0006EFC9

Part of subcall function 0006AC95: HeapFree.KERNEL32(00000000,00000000,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?), ref: 0006ACAB
Part of subcall function 0006AC95: GetLastError.KERNEL32(?,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?,?), ref: 0006ACBD

_free.LIBCMT ref: 0006EFD4
_free.LIBCMT ref: 0006EFDF
_free.LIBCMT ref: 0006F033
_free.LIBCMT ref: 0006F03E
_free.LIBCMT ref: 0006F049
_free.LIBCMT ref: 0006F054

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction ID: 3295f36f2a650abb61e70ad0177a1e582b34632189e7d239a4db7543e9df518f
Opcode Fuzzy Hash: f2c9cbcbdea25c70db4e9b8930aae965ae4a61b9cabad425459c8f385a1b4d78
Instruction Fuzzy Hash: 0B112171641B88EBD921B7B0CC0BFCBB7DE5F05710F484865B29EAA093EA75B6044A51

Function 00046C40 Relevance: 9.3, APIs: 6, Instructions: 336COMMON

Download Yara Rule

APIs

Part of subcall function 0004C5AF: mtx_do_lock.LIBCPMT ref: 0004C5B7

__Mtx_unlock.LIBCPMT ref: 00046D11
std::_Rethrow_future_exception.LIBCPMT ref: 00046D62
std::_Rethrow_future_exception.LIBCPMT ref: 00046D72
__Mtx_unlock.LIBCPMT ref: 00046E15
__Mtx_unlock.LIBCPMT ref: 00046F1B
__Mtx_unlock.LIBCPMT ref: 00046F56

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Rethrow_future_exceptionstd::_$mtx_do_lock
String ID:
API String ID: 95294986-0
Opcode ID: b87b7f09aed5912b241aaa418a38ecd6138fbf6cb52fb548875ec160b4f51eea
Instruction ID: 943b1a710e423fdde8857181eb89865293832a311a7681342d0411f999ba9bc3
Opcode Fuzzy Hash: b87b7f09aed5912b241aaa418a38ecd6138fbf6cb52fb548875ec160b4f51eea
Instruction Fuzzy Hash: CDC1F3B0D007489BDB24DF64C845BAFBBF4AF06300F00457EE85697692EB36A948CB56

Function 0006FB5F Relevance: 9.3, APIs: 6, Instructions: 318fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,000386B0,00000000), ref: 0006FBA7
__fassign.LIBCMT ref: 0006FD86
__fassign.LIBCMT ref: 0006FDA3
WriteFile.KERNEL32(?,000386B0,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0006FDEB
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0006FE2B
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0006FED7

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ConsoleErrorLast
String ID:
API String ID: 4031098158-0
Opcode ID: cba48b678d261cd8832a4209b783a87053737451b257fb47292b4b044e44f735
Instruction ID: dba271ff970223d515fd124d471b2db9ca3e041a0a4744db9d3b8acd4d5e6959
Opcode Fuzzy Hash: cba48b678d261cd8832a4209b783a87053737451b257fb47292b4b044e44f735
Instruction Fuzzy Hash: A8D19B71D002599FDF15CFA8E8809FDBBB6BF48314F28016AE859FB252D731A946CB50

Function 0005E7ED Relevance: 9.1, APIs: 6, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 0005E82E
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0005E836
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0005E860
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0005E869
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0005E8EC
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0005E8F4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: 18d5e992c50f82fbc5a7a9962ace9fb829c8c4a8d43b1fbaa5b6290b68c92bf8
Instruction ID: 23c96f82c0c069025153b38569ad97c471f0001d4d0a7346c65d2b6c0fca622b
Opcode Fuzzy Hash: 18d5e992c50f82fbc5a7a9962ace9fb829c8c4a8d43b1fbaa5b6290b68c92bf8
Instruction Fuzzy Hash: 0F415075A00519AFDF09DF64C458AAEB7B6FF88311F148059E846AB391CB74AE05CF81

Function 0004EBF6 Relevance: 9.1, APIs: 6, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0004EBFD
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0004EC27

Part of subcall function 0004F2ED: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 0004F30A

__alloca_probe_16.LIBCMT ref: 0004EC63
Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 0004ECA4
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0004ECD6
__freea.LIBCMT ref: 0004ECFC

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
String ID:
API String ID: 1319684358-0
Opcode ID: 89ba845cd7799b35b31bf69120c5368731ec8d9d0540cf6474e904fea88bb6cb
Instruction ID: 23fd299f0c676e0a3eeb68fd6294290a8788c08af50f17acfd43cfbf36c1b553
Opcode Fuzzy Hash: 89ba845cd7799b35b31bf69120c5368731ec8d9d0540cf6474e904fea88bb6cb
Instruction Fuzzy Hash: F3318DB1E001468FDB15EFA8C9815ADB7F5BF08310B64407EE405E7341DB349E02CBA9

Function 0004ED6F Relevance: 9.1, APIs: 6, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0004EDCC
Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 0004EDD8
Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 0004EDF1
Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0004EE1F
Concurrency::Context::Block.LIBCONCRT ref: 0004EE41

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
String ID:
API String ID: 1182035702-0
Opcode ID: 8cc57fc10746153bb72195959137fc22ee18f5b316384e204fb54ba8150cd5b3
Instruction ID: a5e78b3a5646f88e5ed0e61c918b088fdb036deef28c9e27137a043246d880b2
Opcode Fuzzy Hash: 8cc57fc10746153bb72195959137fc22ee18f5b316384e204fb54ba8150cd5b3
Instruction Fuzzy Hash: 4C214FF1C0024ADADF64DFA4C8456EEB7F0BF14320F240A3EE155A61D1EBB14A45CB98

Function 00059F36 Relevance: 9.1, APIs: 6, Instructions: 73threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 00059F79

Part of subcall function 0005B470: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0005B4BF

GetCurrentThread.KERNEL32 ref: 00059F83
Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00059F8F

Part of subcall function 00050298: Concurrency::details::platform::__GetThreadGroupAffinity.LIBCONCRT ref: 000502AA

Part of subcall function 00050724: Concurrency::details::platform::__SetThreadGroupAffinity.LIBCONCRT ref: 0005072B

Concurrency::details::SchedulerProxy::IncrementCoreSubscription.LIBCONCRT ref: 00059FD2

Part of subcall function 0005B422: SetEvent.KERNEL32(?,?,00059FD7,0005AD6B,00000000,?,00000000,0005AD6B,00000004,0005B417,?,00000000,?,?,00000000), ref: 0005B466

Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 00059FDB

Part of subcall function 0005AA51: List.LIBCONCRT ref: 0005AA87

Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 00059FEB

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$AffinityThread$Concurrency::details::platform::__CoreCurrentExecutionGroupHardwareIncrement$Affinity::BorrowedCountEventFixedListResourceResource::StateSubscriptionToggle
String ID:
API String ID: 318399070-0
Opcode ID: ae102e85803821594dfc023a5fe6abef0712ad5a004df132498d7fd919e48302
Instruction ID: 6a3fb14b9e7c1d8c6f78cd475400938f48c73575f6fe704ad18f716bb2168de4
Opcode Fuzzy Hash: ae102e85803821594dfc023a5fe6abef0712ad5a004df132498d7fd919e48302
Instruction Fuzzy Hash: A3218C35500A149FCB64EF65D9908AFB3F9FF483017004A2DE84297662DB74F909CBA1

Function 00064E47 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00064E3E,000639FF,0004B455,6DCF5B57,?,00000000,0007B248,000000FF,?,0003232A,?,?), ref: 00064E55
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00064E63
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00064E7C
SetLastError.KERNEL32(00000000,?,00064E3E,000639FF,0004B455,6DCF5B57,?,00000000,0007B248,000000FF,?,0003232A,?,?), ref: 00064ECE

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e7c800b293c90c3992e4bbdbb761b9adf8889e2f17a8fbbac3db25a13a1e266a
Instruction ID: 749e06fee6b2a57e62b1a112ed598173ac2b798d497fd75ccb7f042c479ffaa6
Opcode Fuzzy Hash: e7c800b293c90c3992e4bbdbb761b9adf8889e2f17a8fbbac3db25a13a1e266a
Instruction Fuzzy Hash: 440184362096116EFA742BB4AC85AAB2A87FB41774720033AF534951E3EF574C559680

Function 0004FB2B Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0004FB39
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0004FB3F
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0004FB6C
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0004FB76
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,?,00000000,?,?), ref: 0004FB88
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0004FB9E

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
String ID:
API String ID: 2808382621-0
Opcode ID: fec54d07362302fc666ddecc53b1738f2a7520d5d184b07538588235610f1a84
Instruction ID: 51de3579b6495ae580cc4aba983eb23d58411b810f669a0d33fb787b24926990
Opcode Fuzzy Hash: fec54d07362302fc666ddecc53b1738f2a7520d5d184b07538588235610f1a84
Instruction Fuzzy Hash: 3D01F7B1640106ABEB90BB61EC59EBF37BCFF827A1F100435F585D2052EB64D90897E9

Function 0003DAC0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

list too long, xrefs: 0003DF7D

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: mtx_do_lock
String ID: list too long
API String ID: 1389037287-1124181908
Opcode ID: 3f06020163df6513e43764db49acd0ef0aff0f73f7215c58cc8ba720d39a5255
Instruction ID: 4bb15d41ac107a33053536713654648b3b02b32778a12e9f32906616b13f85ec
Opcode Fuzzy Hash: 3f06020163df6513e43764db49acd0ef0aff0f73f7215c58cc8ba720d39a5255
Instruction Fuzzy Hash: 7551C5B1D04758ABEB50EB64CC45F9AB3F8EF05700F0041AAF908A7242EB74AA85CB55

Function 00064D2A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00064D7D
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00064D96
PMDtoOffset.LIBCMT ref: 00064DBC

Strings

Bad dynamic_cast!, xrefs: 00064DFE

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: fd14c16333e5d17cd1ee9ef1cd2884577ff26779aba9e9940d550e339ba32534
Instruction ID: 40179fcfa4348d9b4b361c2293209e12124caf0d055b108002be13a8399b2c69
Opcode Fuzzy Hash: fd14c16333e5d17cd1ee9ef1cd2884577ff26779aba9e9940d550e339ba32534
Instruction Fuzzy Hash: 7C21FB72A00205AFDF25DFA4DD46EEE77EAFB54720F208219F910D7281DB31E90087A1

Function 00061737 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00061792
std::invalid_argument::invalid_argument.LIBCONCRT ref: 000617B1
Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 000617F8

Strings

pContext, xrefs: 000617A9

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$ExecutionFreeIdleProcessorProxy::Root::SpinSuspendThreadUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1284976207-2046700901
Opcode ID: ad726a59c7c6cb248efa78a1e9fd7249a450753f729422fbb6abe063995bbdda
Instruction ID: 1fa4fe4061fa524f1056bae05cdbd3d3918e2ec45673b72d6d03fd9edaf152dd
Opcode Fuzzy Hash: ad726a59c7c6cb248efa78a1e9fd7249a450753f729422fbb6abe063995bbdda
Instruction Fuzzy Hash: 8B2128357046159FCB15AB68C895AFEB3FBBF90324B08002AF512872D2DF74ED468B91

Function 0006DE83 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe, xrefs: 0006DE88

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe
API String ID: 0-140056645
Opcode ID: 95d5d4feed2c94f8402592d9cb2196d9e2ef5c004dbd7b5a0b9be0de6bd5b8c9
Instruction ID: dab619a899b794f32b64cdd2bf575a599d3ee716122ad77fe5e6bef89156c8b8
Opcode Fuzzy Hash: 95d5d4feed2c94f8402592d9cb2196d9e2ef5c004dbd7b5a0b9be0de6bd5b8c9
Instruction Fuzzy Hash: F321C371B08205AFEB60AF719C81EAB77EFEF403647104526F929D7252EB31ED5087A0

Function 000670A9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 000670EB

Strings

.com, xrefs: 0006712B
.bat, xrefs: 0006711A
.cmd, xrefs: 00067109
.exe, xrefs: 000670F8

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: c537e623fc5eabbe51ca8389ffc94199a2a1e6bf3f2bf346047d0abc542d7ada
Instruction ID: 5b596218f1c72d72af37199ab673a394dc84bb21041fbe8ac49d8dc933fb6180
Opcode Fuzzy Hash: c537e623fc5eabbe51ca8389ffc94199a2a1e6bf3f2bf346047d0abc542d7ada
Instruction Fuzzy Hash: 1E010437B08625252654602C9C026776BCA9F93BB8B2A002BF958FF2C3EF54DC4246A4

Function 00054DB2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::AddVirtualProcessor.LIBCONCRT ref: 00054E11
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00054E34
Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 00054E76

Strings

ppVirtualProcessorRoots, xrefs: 00054E2C
count, xrefs: 00054DCA

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CacheConcurrency::details::GroupLocalSchedule$Node::ProcessorSchedulingSegmentSegment::Virtualstd::invalid_argument::invalid_argument
String ID: count$ppVirtualProcessorRoots
API String ID: 18808576-3650809737
Opcode ID: bcd6f1e6b06630c5c24201a96081b2a1f9bd7f6e0383712f7743feae78257cfd
Instruction ID: 25cac86bc6a31a2e5483e194d2603facfe381f6708fc57cb7ca10d6c10d710f1
Opcode Fuzzy Hash: bcd6f1e6b06630c5c24201a96081b2a1f9bd7f6e0383712f7743feae78257cfd
Instruction Fuzzy Hash: E721D035A00105EFCB04EFA8C892EEE77B5FF48305F00406AE9469B692DB70EE45CB55

Function 00065EC7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 00065F17

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: b91c3c96b7efd5e1615805f63a5b1a071fd520d5ac61e182a7b3abe0a4913442
Instruction ID: fe24a0cdd94ecc4f51b853821441e0746fe14740b88632425474eb21007eec8c
Opcode Fuzzy Hash: b91c3c96b7efd5e1615805f63a5b1a071fd520d5ac61e182a7b3abe0a4913442
Instruction Fuzzy Hash: EC11C831A01A25EBDB719B28DC44A5E7796AF11772F250131FD56A7290E774ED0087E0

Function 00061FA4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

StructuredWorkStealingQueue.LIBCMT ref: 00061FC4
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00061FD5
StructuredWorkStealingQueue.LIBCMT ref: 0006200B
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0006201C

Strings

e, xrefs: 00061FE6

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured
String ID: e
API String ID: 3804418703-4024072794
Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction ID: f0524c3fd007c8b4a35b55d767dca94a575bc447d32eb796ce0ac69c16419d2d
Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
Instruction Fuzzy Hash: E0119131100505ABEB65DF78C845AEF77A69F123A4B28C06AAC01DF253DB72DD05DBA1

Function 0006647D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00066472,?,?,0006643A,?,?,?), ref: 00066492
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 000664A5
FreeLibrary.KERNEL32(00000000,?,?,00066472,?,?,0006643A,?,?,?), ref: 000664C8

Strings

CorExitProcess, xrefs: 0006649D
mscoree.dll, xrefs: 0006648B

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d76f6c07c0f1f4d9dfa51b5873731b04e4e2385c200d57be693014b13e768503
Instruction ID: 5abedc294149fc6f5b02c7f3769a524c3b5e6be83e699daadc4f7f31d8b1d7ac
Opcode Fuzzy Hash: d76f6c07c0f1f4d9dfa51b5873731b04e4e2385c200d57be693014b13e768503
Instruction Fuzzy Hash: ACF0A03150161DFBEB919B90DD0EB9E7BBAFF40756F144060F945B21A0CBB98E04DB94

Function 000723B7 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00072439
_free.LIBCMT ref: 0007245D
_free.LIBCMT ref: 000725EA
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00086748), ref: 000725FC
_free.LIBCMT ref: 000727B6

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: f74c40a16622f853894b1cabb89331cc3dda3fe3c437b8d3be793d129016c3ad
Instruction ID: 9f8a5a52985c030af7548f20d0d75dc2edec6bef1992f8bbd9ad4c0549a651a2
Opcode Fuzzy Hash: f74c40a16622f853894b1cabb89331cc3dda3fe3c437b8d3be793d129016c3ad
Instruction Fuzzy Hash: C1C13771E042059FDB24EF68CC51AEE7BE9EF45310F24816AE489D7282E73D8E41C758

Function 00074AB4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00074B38
__alloca_probe_16.LIBCMT ref: 00074BFE
__freea.LIBCMT ref: 00074C6A

Part of subcall function 0006AEEB: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0006AF1D

__freea.LIBCMT ref: 00074C73
__freea.LIBCMT ref: 00074C96

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 0a670a3d3b877f140924d440ddd8d00ddac3d3ec81bf58bf54274159fd03259a
Instruction ID: 81fe56ac8110f225e292dff8d424f3fb6f2a74f8ab8a58b10072deb82e194024
Opcode Fuzzy Hash: 0a670a3d3b877f140924d440ddd8d00ddac3d3ec81bf58bf54274159fd03259a
Instruction Fuzzy Hash: 4F510572A01216ABEF629F54CC41EBF36EAEF85750F158129FD0897141D739DC0087A9

Function 0003DDBE Relevance: 7.6, APIs: 5, Instructions: 146networkCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0003DE2D
recv.WS2_32(?,?,00001F40,00000000), ref: 0003DE66
recv.WS2_32(?,?,00001F40,00000000), ref: 0003DE94
closesocket.WS2_32(?), ref: 0003DF08
__Mtx_unlock.LIBCPMT ref: 0003DF3D

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Mtx_unlockrecv$closesocket
String ID:
API String ID: 1157980791-0
Opcode ID: e59e5c2fa211869ad121474b3d6fb62d296e8a4a02ffb0893dbc306563adac6b
Instruction ID: e5b8ad5f1dec527012d7c02a6488ac4fc6090d379bc61453d43e124d9bc491fe
Opcode Fuzzy Hash: e59e5c2fa211869ad121474b3d6fb62d296e8a4a02ffb0893dbc306563adac6b
Instruction Fuzzy Hash: 0151F3B0A056059FEB62DF20DD45E99B7B9FF15300F0481BBE8099B2A3EB31AC50CB45

Function 00066DE1 Relevance: 7.6, APIs: 5, Instructions: 141pipeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00066E03
GetFileInformationByHandle.KERNEL32(?,?), ref: 00066E5D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00066D13,?,000000FF), ref: 00066EEB
__dosmaperr.LIBCMT ref: 00066EF2
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 00066F2F

Part of subcall function 00067157: __dosmaperr.LIBCMT ref: 0006718C

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: ed430199abf02683060065f2c27154f1c0a4395ed94250ed42e45b17fc01e872
Instruction ID: 7733834b8020f0cdd99fc98a294a9099d34ad0f90524a931c7990b1484f0793c
Opcode Fuzzy Hash: ed430199abf02683060065f2c27154f1c0a4395ed94250ed42e45b17fc01e872
Instruction Fuzzy Hash: B7415A75900644ABDB64DFB5EC459AFBBFAEF88300B00442EF856D3611EB36A804CB60

Function 00061302 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00061309
Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 00061354
Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 00061387
Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 00061437

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountH_prolog3_catchRegisterStateState::_Structured
String ID:
API String ID: 2092016602-0
Opcode ID: 5a52e5e970a97a2124aa2d43e0d54c3248f30df45dfa46e39049be27ea2270fc
Instruction ID: 27c91486d47a778c4c881922d624719a55f12079613b47ff22090615bff904d2
Opcode Fuzzy Hash: 5a52e5e970a97a2124aa2d43e0d54c3248f30df45dfa46e39049be27ea2270fc
Instruction Fuzzy Hash: 25416471A00616AFCB14DF69C8919EEFBF6FF48310B14822DE51697751DB34AA05CB90

Function 0005DA40 Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0005DA74

Part of subcall function 00058E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00058E60

Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0005DAD3
Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0005DAF9
Concurrency::details::SchedulerBase::ReleaseInternalContext.LIBCONCRT ref: 0005DB19
Concurrency::location::_Assign.LIBCMT ref: 0005DB66

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Context$Base::Concurrency::details::$Internal$Event$AssignBlockingConcurrency::location::_FindNestingPrepareReleaseSchedulerThrowTraceWork
String ID:
API String ID: 1794448563-0
Opcode ID: 22594aed5dcb946aa646633bf4e0ba4593646960745e1f4b1ac3a706e8ffe0e4
Instruction ID: 68b71113242553433b1f8daf5bd8429082e97f9ea3867883070d5e508654de09
Opcode Fuzzy Hash: 22594aed5dcb946aa646633bf4e0ba4593646960745e1f4b1ac3a706e8ffe0e4
Instruction Fuzzy Hash: AE41D5B0604210ABDF29AB24C896BAFBBB6DF45311F15409BE8069B382CF749D49C791

Function 000585D9 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 000585FE

Part of subcall function 0004E9E0: _SpinWait.LIBCONCRT ref: 0004E9F8

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00058612
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00058644
List.LIBCMT ref: 000586C7
List.LIBCMT ref: 000586D6

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: b3e9c751aec4b551a3c6175a4a787b5b6af90911a9007e9de8cf14e29bafa8be
Instruction ID: ae2ba95645b748085206be00641a536da47e5f99647e4e1fa0ceab35e198bad8
Opcode Fuzzy Hash: b3e9c751aec4b551a3c6175a4a787b5b6af90911a9007e9de8cf14e29bafa8be
Instruction Fuzzy Hash: 653158B2905656DFCB24EFA4D5916EEBBB0BF14309F14806ADC417B292DF31AD08CB94

Function 0003DCAF Relevance: 7.6, APIs: 5, Instructions: 80networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000000,?,?), ref: 0003DD0C
FreeAddrInfoW.WS2_32(?), ref: 0003DD2D
socket.WS2_32(00000002,00000001,00000000), ref: 0003DD55
connect.WS2_32(00000000,?,00000010), ref: 0003DD67
closesocket.WS2_32(00000000), ref: 0003DD81

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AddrFreeInfoclosesocketconnectgetaddrinfosocket
String ID:
API String ID: 242599585-0
Opcode ID: 885582173fe18dce3f91d72581c24a385b21f0484d6ea028ea00739ac10b8cde
Instruction ID: 342716f9ca710e537f11823d31c431fcc6e822558e7ee08b71d9a9dce758c67e
Opcode Fuzzy Hash: 885582173fe18dce3f91d72581c24a385b21f0484d6ea028ea00739ac10b8cde
Instruction Fuzzy Hash: AB21A871D182149BEB65DB50EC49BED73BDEF04300F0011ABF90DD6182DBB559449F55

Function 0006EEDA Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0006EEF2

Part of subcall function 0006AC95: HeapFree.KERNEL32(00000000,00000000,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?), ref: 0006ACAB
Part of subcall function 0006AC95: GetLastError.KERNEL32(?,?,0006EF6D,?,00000000,?,?,?,0006EF94,?,00000007,?,?,0006F396,?,?), ref: 0006ACBD

_free.LIBCMT ref: 0006EF04
_free.LIBCMT ref: 0006EF16
_free.LIBCMT ref: 0006EF28
_free.LIBCMT ref: 0006EF3A

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 15d65adabfcb8e634353f3db5f8be63aa8ce5a8c863fb4460248256de7fa5ab2
Instruction ID: 5f780f42cb32bfd3d5ca019efcc0f3b0501ae9bd8280b81143062f64cfb29a0a
Opcode Fuzzy Hash: 15d65adabfcb8e634353f3db5f8be63aa8ce5a8c863fb4460248256de7fa5ab2
Instruction Fuzzy Hash: 39F09636608744BFD665FB94EA81C47B3EBFB413213680816F009FB542CB34FC848A55

Function 0006D8BE Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0006DA58

Strings

*?, xrefs: 0006D901

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 325afc00bb60ee3a94fc5eb9cb9f72fa75536f813325374459f70a58a738c4d1
Instruction ID: 0436ff635f73f32e5fbf85090bde46321234f99439a4af9e216244537da91384
Opcode Fuzzy Hash: 325afc00bb60ee3a94fc5eb9cb9f72fa75536f813325374459f70a58a738c4d1
Instruction Fuzzy Hash: 7F612C75E042199FCB14DFA9C8815EEFBF6EF48310B24816AE855E7301E675AE418B90

Function 00068EBA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe, xrefs: 00068EFD, 00068F3A
x7u, xrefs: 00068F0B

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID:
String ID: C:\Users\user~1\AppData\Local\Temp\1000125001\Freshbuild.exe$x7u
API String ID: 0-1069797362
Opcode ID: 3235cb91fcafab65fb66be8d0893e7c62adecb6808c3a0cffc10bbb7d4240a13
Instruction ID: 6a5356986f97ef3520102d7a52aa508a29823d8f1f1576d23f94827bff640e14
Opcode Fuzzy Hash: 3235cb91fcafab65fb66be8d0893e7c62adecb6808c3a0cffc10bbb7d4240a13
Instruction Fuzzy Hash: E8419371A00218AFDB26EB99DC85D9FBBFBEB89310B148166F505A7252DB718A40CB50

Function 0006E350 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0006E0F9: GetOEMCP.KERNEL32(00000000,0006E36B,?,?,0006748E,0006748E,?), ref: 0006E124

_free.LIBCMT ref: 0006E3C8

Strings

@", xrefs: 0006E3F0
h%w, xrefs: 0006E45F

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free
String ID: @"$h%w
API String ID: 269201875-3507878594
Opcode ID: e4d6951a566ca989b78cb468cdb7b827eca39b2ee0fd1c46b47b05286a8eef55
Instruction ID: ece25ec8f90fb4e939023d1478abee83916f961484041a2201292052fc525b1a
Opcode Fuzzy Hash: e4d6951a566ca989b78cb468cdb7b827eca39b2ee0fd1c46b47b05286a8eef55
Instruction Fuzzy Hash: 0C31C175900389AFDB01DF68D844ADE7BF6AF40324F10446AF911AB2A2EB71DD50CB50

Function 0005AD75 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

List.LIBCONCRT ref: 0005ADFA
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0005AE1F
Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0005AE5E

Strings

pExecutionResource, xrefs: 0005AE17

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
String ID: pExecutionResource
API String ID: 1772865662-359481074
Opcode ID: b87969130aa40171c21c611d5513232a8b7429e4f71c9f83e6bb5fd959fa74bc
Instruction ID: 91458a28de63e53cef9054c2f0abe41479502e4e444bb1fcd225b18d6b560386
Opcode Fuzzy Hash: b87969130aa40171c21c611d5513232a8b7429e4f71c9f83e6bb5fd959fa74bc
Instruction Fuzzy Hash: 452165B5A402059BCB08EF64C852BFE77A5BF58300F54416DFA056B282DBB4AE05CB95

Function 00059FFE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0005A012
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0005A036
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0005A049

Strings

pScheduler, xrefs: 0005A041

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 246774199-923244539
Opcode ID: ba3e7630d22aab902b580eb3fe1e7093686e659a2ef97a38c9bd937f98f4356f
Instruction ID: ac710ea70a45008f0c70603d891414337d1555cee560eb48ff61a8515691b4fa
Opcode Fuzzy Hash: ba3e7630d22aab902b580eb3fe1e7093686e659a2ef97a38c9bd937f98f4356f
Instruction Fuzzy Hash: B6F0E935A00604A7C720F650DC42CDFB379AF91B127148129ED55171C3EB71EE0DC692

Function 000691ED Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00069235

Strings

0"v, xrefs: 00069220
0"v, xrefs: 00069227

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free
String ID: 0"v$0"v
API String ID: 269201875-471237806
Opcode ID: aa7d546268fdc8af87d3887e978332f93ed2b20d85a8686fdd5827e88a9db14e
Instruction ID: 26859b2f4aa00b30aadea1c86199904852a1a7daf85d6bc2930effe5a633d080
Opcode Fuzzy Hash: aa7d546268fdc8af87d3887e978332f93ed2b20d85a8686fdd5827e88a9db14e
Instruction Fuzzy Hash: FBE02B33646A1226F326773EBC252AE36CB5BD2336F290327F4108B4D2DF744942C162

Function 0006C990 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0006CA17

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 6ce9b122a8b3e71e1b9d85e24c4c8e5c2461f141074a280fd85b1d8695520d9e
Instruction ID: 4c517eb4b1040ef90715cb2927065555b9b24a575e3a74fe797718235f9c5ac6
Opcode Fuzzy Hash: 6ce9b122a8b3e71e1b9d85e24c4c8e5c2461f141074a280fd85b1d8695520d9e
Instruction Fuzzy Hash: F2B137329002859FEB15CF68C892FFEBBE6EF55350F14816AE499EB342D6349D01CB61

Function 00064F5E Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00065025
___AdjustPointer.LIBCMT ref: 00065048
___AdjustPointer.LIBCMT ref: 000650E4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 261ca088e338e6e324acc853956d5bed98fbbfc7afe8de7e7d5866bc42b81e9c
Instruction ID: 0bbda92442e8370a2d885769dceed2719a589a58ada2fca767bc000266922a7a
Opcode Fuzzy Hash: 261ca088e338e6e324acc853956d5bed98fbbfc7afe8de7e7d5866bc42b81e9c
Instruction Fuzzy Hash: 3151E272601A06AFFB299F20DC51BBA77E6EF14312F14452DE9464B292E732EC40CBD0

Function 00038290 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,6DCF5B57), ref: 00038309
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00038370
GetProcAddress.KERNEL32(00000000), ref: 00038377

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: 36a141bc672d5187d5d93250594df5c1453b98218899bd4d4d79a7a8cd80c186
Instruction ID: 8cc6767e3f1190e7113ab85f26dcf01a510c65fba57b05ffe5bc241eda6814b3
Opcode Fuzzy Hash: 36a141bc672d5187d5d93250594df5c1453b98218899bd4d4d79a7a8cd80c186
Instruction Fuzzy Hash: 805107709003089BEB15EB68CD497DDBB79EB45710F5082E8F808A73D2EF749A848F91

Function 00064B25 Relevance: 6.1, APIs: 4, Instructions: 141COMMON

Download Yara Rule

APIs

TypeidsEqual.LIBVCRUNTIME ref: 00064B76
TypeidsEqual.LIBVCRUNTIME ref: 00064B9B
PMDtoOffset.LIBCMT ref: 00064BB1
PMDtoOffset.LIBCMT ref: 00064C32

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: EqualOffsetTypeids
String ID:
API String ID: 1707706676-0
Opcode ID: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction ID: 8016f26954488d56318b0d55368556ac1fce3f9c6e9324177fb91391c79af0d1
Opcode Fuzzy Hash: f8ad74cfaf4da85e0defff2bffeebfbe5beaccf25cb2e0bdfe85511ce37fdb4b
Instruction Fuzzy Hash: FA51AA35E052099FCF94CF68C590AEEBBFAEF55320F14449AE850A7351D732AE45CB90

Function 00032DC0 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00032E5F
GetCurrentThreadId.KERNEL32 ref: 00032E7E
__Mtx_unlock.LIBCPMT ref: 00032ECC
__Cnd_broadcast.LIBCPMT ref: 00032EE3

Part of subcall function 0004C5AF: mtx_do_lock.LIBCPMT ref: 0004C5B7

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcastCurrentThreadmtx_do_lock
String ID:
API String ID: 3471820992-0
Opcode ID: 8f87e7c72791fd3166859ddc9e915d37bae2c3aeedc0458ead12994b27f98dc0
Instruction ID: 5ac9ba2cd33f3912956834f42811190d3b539ad8d491bb4d6463e4bf607f6c84
Opcode Fuzzy Hash: 8f87e7c72791fd3166859ddc9e915d37bae2c3aeedc0458ead12994b27f98dc0
Instruction Fuzzy Hash: F14110B0A01605AFEB61DF64C941B9AB3F8FF05320F008639E815D7792EB34E900CB80

Function 00075E6E Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00075F3E
_free.LIBCMT ref: 00075F67
SetEndOfFile.KERNEL32(00000000,000718AA,00000000,0006AB32,?,?,?,?,?,?,?,000718AA,0006AB32,00000000), ref: 00075F99
GetLastError.KERNEL32(?,?,?,?,?,?,?,000718AA,0006AB32,00000000,?,?,?,?,00000000), ref: 00075FB5

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: cd11d7eb4a775d08fb47c03158719fe42f44e73daa1d460f47cc51f396d61be6
Instruction ID: f4f4e7f2453b991c4d345fd8b3f942c695499d7a16f8766510ad5edf66990a28
Opcode Fuzzy Hash: cd11d7eb4a775d08fb47c03158719fe42f44e73daa1d460f47cc51f396d61be6
Instruction Fuzzy Hash: 8741F772D04A059BDB51ABB8CC46BDE37B6AF44322F148521F42CE7293EBB8C9504769

Function 00052C0C Relevance: 6.1, APIs: 4, Instructions: 101COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 00052C1F

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: BuffersConcurrency::details::InitializeManager::Resource
String ID:
API String ID: 3433162309-0
Opcode ID: 4acb82987dd1cf1a665000300d3f6c0d6cfdaaa31dc4359ca39871f149f5beab
Instruction ID: 52303757ebe2a43796ae2425358fe8131048d6059bd1b98bab951de8d169417f
Opcode Fuzzy Hash: 4acb82987dd1cf1a665000300d3f6c0d6cfdaaa31dc4359ca39871f149f5beab
Instruction Fuzzy Hash: 8B313775A00309DFDF10DF94C5C0BAEBBB9AF46312F1404AADD45AB247D771A948DBA0

Function 0006D7EF Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 000668DC: _free.LIBCMT ref: 000668EA

Part of subcall function 0006E7C6: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00000000,00000000,?,00074C60,?,00000000,00000000), ref: 0006E868

GetLastError.KERNEL32 ref: 0006D857
__dosmaperr.LIBCMT ref: 0006D85E
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0006D89D
__dosmaperr.LIBCMT ref: 0006D8A4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: ac54d844969af8ad367e3e76292ca755702ddaa6b25508b823200156fae2d39f
Instruction ID: 38fc252ba4c1e2ff8853e9e6a306092c91927407a262186a64339e7c3396086d
Opcode Fuzzy Hash: ac54d844969af8ad367e3e76292ca755702ddaa6b25508b823200156fae2d39f
Instruction Fuzzy Hash: 1021B371F04215AFEB606F659C84DABB7AFEF103687108527F82997241DF31ED509BA0

Function 000609A8 Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 000609F9
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 000609E1

Part of subcall function 00058E3F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00058E60

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00060A5C
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,0008F490), ref: 00060A61

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 8fa0f6ac6c65e4a7003e3cf3b4e89ae75f419b8defe1b0d37029ae139e7879d7
Instruction ID: 03823b1b55f06d6447ca5f1c724fd5b57f5f161d4b156d04f763e8d24bb8e3e4
Opcode Fuzzy Hash: 8fa0f6ac6c65e4a7003e3cf3b4e89ae75f419b8defe1b0d37029ae139e7879d7
Instruction Fuzzy Hash: 16212671700215AFDB10EBA8CC45DBFB7BDEF48361B104056FA16A3292DB70AD018BA1

Function 00059BA5 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00059BAC
Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 00059BF8
std::bad_exception::bad_exception.LIBCMT ref: 00059C0E
std::bad_exception::bad_exception.LIBCMT ref: 00059C7A

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
String ID:
API String ID: 2033596534-0
Opcode ID: 1650aa98f41708a7fb6b046281858a6695102b9bfd1daec69d75f27c2f5c9815
Instruction ID: 2a0eae4b4fe189efdbcb1b09eb8daff7e16f0a89432e67084448a5fef447dec0
Opcode Fuzzy Hash: 1650aa98f41708a7fb6b046281858a6695102b9bfd1daec69d75f27c2f5c9815
Instruction Fuzzy Hash: 2021F571900204DFDB04FFA4D982DEEBBF4BF05311B10402AF945AB242EB316E09CB95

Function 0006A511 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0006685A,?,?,?,?,0006748E,?), ref: 0006A516
_free.LIBCMT ref: 0006A573
_free.LIBCMT ref: 0006A5A9
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,0006685A,?,?,?,?,0006748E,?), ref: 0006A5B4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 47b6d476324dcd0d9ac4ed8987c4e50eccd3231fb0aa54a41b23fb9f5279d842
Instruction ID: cd2bfec820feab0d65aa93d3be15596abee6bf58519a1a9254e437f4938438c2
Opcode Fuzzy Hash: 47b6d476324dcd0d9ac4ed8987c4e50eccd3231fb0aa54a41b23fb9f5279d842
Instruction Fuzzy Hash: 49112C72300B013FEE5176756C92D7F329BABD23B17240225F216B61E2EF25CC064A22

Function 0006A668 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00067428,00032147), ref: 0006A66D
_free.LIBCMT ref: 0006A6CA
_free.LIBCMT ref: 0006A700
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00067428,00032147), ref: 0006A70B

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: da9464dad248b6117ce892e18f3f7b65b301416d35d7145cc51c50512d10e834
Instruction ID: e4c1446651f1b6a52ec5784c8ca3794c88302c78f738c280e33dc276e4900fac
Opcode Fuzzy Hash: da9464dad248b6117ce892e18f3f7b65b301416d35d7145cc51c50512d10e834
Instruction Fuzzy Hash: 8A110C723047013BEB5136759C96E6F329FBBD23B1B280225F214E61E2DE358C165916

Function 0004F1FD Relevance: 6.1, APIs: 4, Instructions: 55timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0004F21F

Part of subcall function 0004F3DB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00055396

Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 0004F240

Part of subcall function 000500C2: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 000500DE

Concurrency::details::GetSharedTimerQueue.LIBCONCRT ref: 0004F25C
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 0004F263

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Timer$Scheduler$Base::LibraryLoadQueue$AsyncConcurrency::details::platform::__ContextCreateCurrentDefaultReferenceRegisterShared
String ID:
API String ID: 1684785560-0
Opcode ID: 3ed461ec7ad54651848aece45e9dc850fb06838e606f7e32f52a7efe641243c5
Instruction ID: 4d8a67110d7fcfa4dd028f9ccbd050882256d6f2d6bc9214680851c2a888ed32
Opcode Fuzzy Hash: 3ed461ec7ad54651848aece45e9dc850fb06838e606f7e32f52a7efe641243c5
Instruction Fuzzy Hash: 270196F5500306BBD7207F64CC858FBBBACEF51350B10893AF955D6183D7B0990487A6

Function 000632CE Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 000632E8
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 000632FC
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00063314
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0006332C

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction ID: b0700bfdd5cd6787ec0e36cfb888060c5f4c1afedf51e5305014fc8f4bf9aada
Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
Instruction Fuzzy Hash: 0E01D132600624B7CF26AE65CC52AEFB7AF9F55350F000056FC12AB382DA31EF1096E0

Function 0006B5EC Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,0006B751,00000000,?,00071E4B,00000000,00000000,?,?,00000000,00000000,00000001,00000000), ref: 0006B602
GetLastError.KERNEL32(?,00071E4B,00000000,00000000,?,?,00000000,00000000,00000001,00000000,00000000,?,0006B751,00000000,00000104,?), ref: 0006B60C
__dosmaperr.LIBCMT ref: 0006B613

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: e1e542092e8f69411571bd8c26dfab58d448f389c4a9bc9442559dd8ee97b7dd
Instruction ID: 3cf21884c1f23e20af415459ae67e7bb36546a7a992312076bf01bfc4b707b79
Opcode Fuzzy Hash: e1e542092e8f69411571bd8c26dfab58d448f389c4a9bc9442559dd8ee97b7dd
Instruction Fuzzy Hash: 72F031B2604515BBDB601FA2DC08D9ABFABFF443A03108511F51DC6121DB35E8A1DBD0

Function 0006B655 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,0006B751,00000000,?,00071DD6,00000000,00000000,0006B751,?,?,00000000,00000000,00000001), ref: 0006B66B
GetLastError.KERNEL32(?,00071DD6,00000000,00000000,0006B751,?,?,00000000,00000000,00000001,00000000,00000000,?,0006B751,00000000,00000104), ref: 0006B675
__dosmaperr.LIBCMT ref: 0006B67C

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ErrorFullLastNamePath__dosmaperr
String ID:
API String ID: 2398240785-0
Opcode ID: afe4ce89b3cec74427117b5f99bd826608147cd26ee588eb1315b866253589e0
Instruction ID: 553d9d4e94ec36c9347d1eeb7555a3f0a9211552135dbbe7b412b7331ba77d33
Opcode Fuzzy Hash: afe4ce89b3cec74427117b5f99bd826608147cd26ee588eb1315b866253589e0
Instruction Fuzzy Hash: 5EF01D72604515BBDB601BA2DC0899ABFAAFF843A13154511F91DC6121CB39E8A09BD0

Function 00054F15 Relevance: 6.0, APIs: 4, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0004FE76: TlsGetValue.KERNEL32(?,?,0004F3F7,0004F224,?,?), ref: 0004FE7C

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00054F3F

Part of subcall function 0005E21E: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0005E245
Part of subcall function 0005E21E: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0005E25E
Part of subcall function 0005E21E: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0005E2D4
Part of subcall function 0005E21E: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 0005E2DC

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00054F4D
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00054F57
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00054F61

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceValueVirtualWork
String ID:
API String ID: 2616382602-0
Opcode ID: 9f3beefa70edc931a04725532aa6d3a5bb8fc6958afcddb0dec0fa06bf33aa4d
Instruction ID: 676525848d25f2696e0b8298af268c5e61073055790cf3bc1423ebbd0710ec8e
Opcode Fuzzy Hash: 9f3beefa70edc931a04725532aa6d3a5bb8fc6958afcddb0dec0fa06bf33aa4d
Instruction Fuzzy Hash: 2AF0F032A0061467CB25B669DC168EFB7A9AF90B12B04402AFD0163293EF248E4CC7C6

Function 00059420 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00059429

Part of subcall function 0004F3DB: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00055396

Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0005944D
Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 00059460
Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 00059469

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
String ID:
API String ID: 218105897-0
Opcode ID: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction ID: 003db811838ab146e5ae2ee4a2c3de3b8963c0b99d8f82c478ffb4a69cffb46b
Opcode Fuzzy Hash: 286b84610833cc548c653b23f9a84c5695ef3105fb3579eb3866e9586b336a7e
Instruction Fuzzy Hash: EDF03071600A208FE661AB648811FAF23D99F44727F01C519ED5A96683CB64ED4B8B51

Function 0007696F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(000386B0,0000000F,0008FAF0,00000000,000386B0,?,0007505A,000386B0,00000001,000386B0,000386B0,?,0006FF34,00000000,?,000386B0), ref: 00076986
GetLastError.KERNEL32(?,0007505A,000386B0,00000001,000386B0,000386B0,?,0006FF34,00000000,?,000386B0,00000000,000386B0,?,00070488,000386B0), ref: 00076992

Part of subcall function 00076958: CloseHandle.KERNEL32(FFFFFFFE,000769A2,?,0007505A,000386B0,00000001,000386B0,000386B0,?,0006FF34,00000000,?,000386B0,00000000,000386B0), ref: 00076968

___initconout.LIBCMT ref: 000769A2

Part of subcall function 0007691A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00076949,00075047,000386B0,?,0006FF34,00000000,?,000386B0,00000000), ref: 0007692D

WriteConsoleW.KERNEL32(000386B0,0000000F,0008FAF0,00000000,?,0007505A,000386B0,00000001,000386B0,000386B0,?,0006FF34,00000000,?,000386B0,00000000), ref: 000769B7

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 3081ef1b5ef34ae75d5da462e9b6708597e853b8ac89670ed3c1bef99f620c7b
Instruction ID: 63620d237476d43b1a2f26ff00cf0e59651ea112a051a186275e15d952458f13
Opcode Fuzzy Hash: 3081ef1b5ef34ae75d5da462e9b6708597e853b8ac89670ed3c1bef99f620c7b
Instruction Fuzzy Hash: B6F03036401569BBDFA21FA5EC08A893F6AFF483A1F048011FA1E85131D63B8824EB94

Function 0004D09F Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0004D03C,00000064), ref: 0004D0C2
RtlLeaveCriticalSection.NTDLL(00095690), ref: 0004D0CC
WaitForSingleObjectEx.KERNEL32(000985C0,00000000,?,0004D03C,00000064,?,771B0F00,?,0003759D,000985C0), ref: 0004D0DD
RtlEnterCriticalSection.NTDLL(00095690), ref: 0004D0E4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 5355f30159515bf56649ba7c77c1fae059b071a6e8cf809e674914eb6ffba9ad
Instruction ID: 6b262529fca21a46c3c8115cf712b3bb462bc619add84d2b56432df96a0e2dbb
Opcode Fuzzy Hash: 5355f30159515bf56649ba7c77c1fae059b071a6e8cf809e674914eb6ffba9ad
Instruction Fuzzy Hash: 4DE01232942624BBEF531F51EC1CA9D3F24FB04B62B954021F64967160C77918019BD8

Function 0006556B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 00065590

Strings

MOC, xrefs: 000655A2
RCC, xrefs: 000655AA

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: e3e8685ee6b9ca2385903b345441d44d8001a7ea81fd89040f07f3cf0b072cb7
Instruction ID: 4f018f787a8ef9a71a3ff00fb51a164cc2bfd0ec9574bb7e1e78810733583b1b
Opcode Fuzzy Hash: e3e8685ee6b9ca2385903b345441d44d8001a7ea81fd89040f07f3cf0b072cb7
Instruction Fuzzy Hash: 50419A72900609AFCF16CF98CC85AEEBBB6FF48301F198159F915A7221D735AA60CF50

Function 0006EB6C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0006EBCE
_free.LIBCMT ref: 0006EBFC

Part of subcall function 00068A8F: IsProcessorFeaturePresent.KERNEL32(00000017,0006A5CD,?,?,0006685A,?,?,?,?,0006748E,?), ref: 00068AAB

Part of subcall function 00066B97: IsProcessorFeaturePresent.KERNEL32(00000017,00066B69,00000000,00000000,00000000,00000000,00000000,?,?,00066B76,00000000,00000000,00000000,00000000,00000000,00032152), ref: 00066B99
Part of subcall function 00066B97: GetCurrentProcess.KERNEL32(C0000417,00000000,00000000,00032152), ref: 00066BBC
Part of subcall function 00066B97: TerminateProcess.KERNEL32(00000000), ref: 00066BC3

Strings

0"v, xrefs: 0006EC1C, 0006EC30

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
String ID: 0"v
API String ID: 1729132349-3321802411
Opcode ID: 347538639c30cbf7fb4e138b9a7b079ba1a3a7c23293c90cd14adf2dedb346d3
Instruction ID: 2b2a127cd283ce74edce12941a7b2e85ce3f4decd9479abfd34eac863265955e
Opcode Fuzzy Hash: 347538639c30cbf7fb4e138b9a7b079ba1a3a7c23293c90cd14adf2dedb346d3
Instruction Fuzzy Hash: E321047A6043469BEF599F64D845BAA73DBEF94320F280069E806DB142EB72CD41CB10

Function 0004B4D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0004B55E
RaiseException.KERNEL32(?,?,?,?), ref: 0004B583

Part of subcall function 00063A11: RaiseException.KERNEL32(E06D7363,00000001,00000003,0008E380,?,?,?,0008E380), ref: 00063A71

Part of subcall function 00068A8F: IsProcessorFeaturePresent.KERNEL32(00000017,0006A5CD,?,?,0006685A,?,?,?,?,0006748E,?), ref: 00068AAB

Strings

csm, xrefs: 0004B512

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: a92f1b28dfd1ef18de8bbae261a4bc73248c95dc105ecb463d5380fa9a6cd313
Instruction ID: 69922c178fb5ffe24c9660a60290528379c33d2ab2ec949956e018c663269589
Opcode Fuzzy Hash: a92f1b28dfd1ef18de8bbae261a4bc73248c95dc105ecb463d5380fa9a6cd313
Instruction Fuzzy Hash: D32195B2E00618ABCF24DF95D845AAEB3B9AF04310F440429E805AB212CB30ED45CB95

Function 00061611 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00061671
std::invalid_argument::invalid_argument.LIBCONCRT ref: 000616BC

Strings

pContext, xrefs: 000616B4

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 3390424672-2046700901
Opcode ID: 2f13a124b945054afef607efeda454bf8202fa5d7ae67456377c91407bb08485
Instruction ID: 2ba8387585db331e166efd1b6275b4f4ed6f555450c4271e127c742b6c2c063a
Opcode Fuzzy Hash: 2f13a124b945054afef607efeda454bf8202fa5d7ae67456377c91407bb08485
Instruction Fuzzy Hash: A311EE3AA002149BCB55BF28C8949ED77AAAF84360B1C4065FD42AB382DB74ED058BD0

Function 0005B83C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0005B85E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0005B871

Strings

pContext, xrefs: 0005B869

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 548886458-2046700901
Opcode ID: 342c54d037b7ea5c9f2aafffab790c1e0fda7cd4253fd01d3792ecba0f1d2a68
Instruction ID: fc4951877fbfe722e78a1293adcd3c63409839d51bc9ea9a60c1af0bad95f497
Opcode Fuzzy Hash: 342c54d037b7ea5c9f2aafffab790c1e0fda7cd4253fd01d3792ecba0f1d2a68
Instruction Fuzzy Hash: D5E02235B0010867CB00BBA4DC0ACEEB7ADAF80710B040026EA11A7292EB70EA0987C1

Function 000533DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0005340C

Strings

version, xrefs: 000533F1
pScheduler, xrefs: 00053404

Memory Dump Source

Source File: 00000012.00000002.1572460510.0000000000031000.00000020.00000001.01000000.0000000D.sdmp, Offset: 00030000, based on PE: true

Associated: 00000012.00000002.1572442434.0000000000030000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572492592.0000000000080000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572511545.0000000000092000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572529710.0000000000094000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572545268.0000000000095000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000012.00000002.1572560826.0000000000099000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_30000_Freshbuild.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 2141394445-3154422776
Opcode ID: 7d92ac4ac33f7b22b702c3676b9d5aae5d2ed2bd23212d270b1ed2668ec6cad0
Instruction ID: 3ab6085dc3980dbcc26f821350d74aa9bfe45752cd478f38d34e822ece08de20
Opcode Fuzzy Hash: 7d92ac4ac33f7b22b702c3676b9d5aae5d2ed2bd23212d270b1ed2668ec6cad0
Instruction Fuzzy Hash: 46E08634540208F6CB19FA54C80BEDE7768AB1074AF048021BA5129092ABB4D7CDCF81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report setup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: SmokeLoader

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\34vgn892c.exe

C:\ProgramData\AAKKECFBGIIIEBGDGDAK

C:\ProgramData\AEBAFBGI

C:\ProgramData\AEBAFBGIDHCBFHIECFCB

C:\ProgramData\EHCFBFBAEBKJKEBGCAEHCFCBAE

Windows Analysis Report
setup.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre