Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
Analysis ID:	1502862
MD5:	c1c625415c8141d6e45b74fc6aa5640e
SHA1:	1d4db07132f91c8c75dba8645ec7ff1d9fc2e744
SHA256:	83eaa1b744a80100205ef0df2fc1e0b161ae8e0deae153b9dcad6c889e76fd82
Tags:	exe
Infos:

Detection

LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected Clipboard Hijacker

Yara detected CryptOne packer

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates multiple autostart registry keys

Drops large PE files

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Sample uses string decryption to hide its real strings

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe" MD5: C1C625415C8141D6E45B74FC6AA5640E)

axplong.exe (PID: 7092 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: C1C625415C8141D6E45B74FC6AA5640E)

axplong.exe (PID: 3528 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: C1C625415C8141D6E45B74FC6AA5640E)

crypted.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe" MD5: 6134586375C01F97F8777BAE1BF5ED98)

conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2760 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 6848 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 7116 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

crypteda.exe (PID: 4920 cmdline: "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe" MD5: 8E74497AFF3B9D2DDB7E7F819DFC69BA)

RegAsm.exe (PID: 6384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 5500 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

muDv2ygaMe.exe (PID: 6200 cmdline: "C:\Users\user\AppData\Roaming\muDv2ygaMe.exe" MD5: 88367533C12315805C059E688E7CDFE9)

conhost.exe (PID: 5668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

ER1CZAgbcY.exe (PID: 2548 cmdline: "C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe" MD5: 30F46F4476CDC27691C7FDAD1C255037)

Nework.exe (PID: 5960 cmdline: "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe" MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

Hkbsse.exe (PID: 7052 cmdline: "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

stealc_default2.exe (PID: 5380 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 7A02AA17200AEAC25A375F290A4B4C95)

Set-up.exe (PID: 5784 cmdline: "C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe" MD5: 06B767BF2A7DEAC9B9E524C5B6986BF7)

1.exe (PID: 7056 cmdline: "C:\Users\user\AppData\Local\Temp\1000191001\1.exe" MD5: 17D51083CCB2B20074B1DC2CAC5BEA36)

svchost015.exe (PID: 5908 cmdline: C:\Users\user\AppData\Local\Temp\svchost015.exe MD5: B826DD92D78EA2526E465A34324EBEEA)

GetSys.exe (PID: 6820 cmdline: "C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe" MD5: 87939A5B42854B08804A9A0AE605B260)

BitLockerToGo.exe (PID: 2508 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

Amadeus.exe (PID: 3560 cmdline: "C:\Users\user\1000238002\Amadeus.exe" MD5: 36A627B26FAE167E6009B4950FF15805)

BitLockerToGo.exe (PID: 1040 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

build.exe (PID: 2288 cmdline: "C:\Users\user\AppData\Local\Temp\1000241001\build.exe" MD5: 05C1BAAA01BD0AA0CCB5EC1C43A7D853)

conhost.exe (PID: 3324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

runtime.exe (PID: 4080 cmdline: "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" MD5: 9D78AB0DA1948DE3977123755EF0FE7C)

AppLaunch.exe (PID: 6752 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

AppLaunch.exe (PID: 6828 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

crypted.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe" MD5: 7E8C1E8B4C37553A6BC11083B18CEBDF)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1264 cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3220 cmdline: schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

Hkbsse.exe (PID: 5776 cmdline: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

joffer2.exe (PID: 2748 cmdline: "C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe" MD5: 1D99EB774773EA9F2E71E0A2E2DABC59)

Amadeus.exe (PID: 6776 cmdline: "C:\Users\user\1000238002\Amadeus.exe" MD5: 36A627B26FAE167E6009B4950FF15805)

runtime.exe (PID: 3696 cmdline: "C:\Users\user\Pictures\Lighter Tech\runtime.exe" MD5: 9D78AB0DA1948DE3977123755EF0FE7C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://asec.ahnlab.com/en/59590/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: StealC

{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php"}

Threatname: LummaC

{"C2 url": ["millyscroqwp.shop", "evoliutwoqm.shop", "traineiwnqo.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "locatedblsoqp.shop", "stamppreewntnq.shop", "caffegclasiqwp.shop"], "Build id": "y1TO5A--QX1"}

Threatname: Vidar

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default2"}

Threatname: Amadey

{"C2 url": "185.215.113.26/Dem7kTu/index.php", "Version": "4.41", "Install Folder": "054fdc5f70", "Install File": "Hkbsse.exe"}

Threatname: Cryptbot

{"C2 list": ["sevxv17pn.top", "@sevxv17pn.top", "analforeverlovyu.top"]}

Threatname: RedLine

{"C2 url": "95.179.250.45:26212", "Bot Id": "LiveTraffic", "Message": "Error! Disable antivirus and try again!", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x58137:$s1: file:/// 0x5806f:$s2: {11111-22222-10009-11112} 0x580c7:$s3: {11111-22222-50001-00000} 0x54b4c:$s4: get_Module 0x4e8e2:$s5: Reverse 0x4f6bc:$s6: BlockCopy 0x4e7bb:$s7: ReadByte 0x58149:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Temp\1000241001\build.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\1000241001\build.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000241001\build.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x58137:$s1: file:/// 0x5806f:$s2: {11111-22222-10009-11112} 0x580c7:$s3: {11111-22222-50001-00000} 0x54b4c:$s4: get_Module 0x4e8e2:$s5: Reverse 0x4f6bc:$s6: BlockCopy 0x4e7bb:$s7: ReadByte 0x58149:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Temp\svchost015.exe	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 11 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000001E.00000002.2626655297.000000000260A000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000002.1984060520.0000000000479000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000009.00000002.1948777736.0000000003F95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001F.00000002.2688945254.0000000001706000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000025.00000002.2725651381.0000000001610000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001E.00000002.2626655297.000000000254C000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000025.00000002.2661614424.0000000001494000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000001A.00000003.3140000961.0000000003E8E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000012.00000000.1981672290.0000000000142000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000000.2008973826.0000000000071000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000002.2609308568.00000000131C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001F.00000002.2627787489.0000000001552000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0000002D.00000002.2654323842.0000000003E64000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001C.00000002.2269545389.0000000003199000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Crypt	Yara detected CryptOne packer	Joe Security
00000002.00000002.1579348090.0000000000711000.00000040.00000001.01000000.00000008.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000002.3937835844.0000000000071000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000000.2003355241.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000001B.00000003.3297043789.0000000001564000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000021.00000000.2421089096.0000000000A82000.00000002.00000001.01000000.0000001F.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000028.00000002.3937747782.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001E.00000002.2496293194.00000000020BC000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000006.00000003.1911621771.0000000005090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000000.1982243767.00000000007C2000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000003.1539084353.0000000005090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000023.00000002.2651827464.000000001DAF0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000026.00000002.2582962886.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000020.00000002.2474240837.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000003.1486966046.0000000004A10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000018.00000000.2024822913.0000000000071000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000002.2084760629.0000000000421000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1541104272.0000000000221000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.2011664885.0000000000071000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: crypted.exe PID: 6696	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7116	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7116	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 5500	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: muDv2ygaMe.exe PID: 6200	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: ER1CZAgbcY.exe PID: 2548	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: ER1CZAgbcY.exe PID: 2548	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5380	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5380	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 5380	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5380	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Set-up.exe PID: 5784	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 5784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 5784	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: joffer2.exe PID: 2748	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: joffer2.exe PID: 2748	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: joffer2.exe PID: 2748	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: 1.exe PID: 7056	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 1.exe PID: 7056	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 5908	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: svchost015.exe PID: 5908	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 5908	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: build.exe PID: 2288	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: crypted.exe PID: 7060	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 67 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
37.2.Amadeus.exe.1610000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
30.2.GetSys.exe.238e000.2.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
31.2.Amadeus.exe.1706000.1.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.RegAsm.exe.436060.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.0.build.exe.a80000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
33.0.build.exe.a80000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
33.0.build.exe.a80000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x58137:$s1: file:/// 0x5806f:$s2: {11111-22222-10009-11112} 0x580c7:$s3: {11111-22222-50001-00000} 0x54b4c:$s4: get_Module 0x4e8e2:$s5: Reverse 0x4f6bc:$s6: BlockCopy 0x4e7bb:$s7: ReadByte 0x58149:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
17.2.RegAsm.exe.482060.2.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.2.RegAsm.exe.482060.2.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.RegAsm.exe.482060.2.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
13.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
32.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
23.2.Hkbsse.exe.70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.crypted.exe.3f95570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
24.0.Hkbsse.exe.70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.crypted.exe.3f95570.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
45.2.crypted.exe.3e45570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
20.0.ER1CZAgbcY.exe.7c0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
40.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
30.2.GetSys.exe.238e000.2.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
30.2.GetSys.exe.254c000.3.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
0.2.SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe.220000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
38.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.RegAsm.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.2.RegAsm.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
17.2.RegAsm.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xc48f3:$s1: file:/// 0xc484f:$s2: {11111-22222-10009-11112} 0xc4883:$s3: {11111-22222-50001-00000} 0xc18ae:$s4: get_Module 0x52fe2:$s5: Reverse 0xbbf9c:$s5: Reverse 0xbcc97:$s6: BlockCopy 0xbbf6a:$s7: ReadByte 0xc4905:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
2.2.axplong.exe.710000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
23.0.Hkbsse.exe.70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
17.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
35.2.runtime.exe.1daf0324.7.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.0.Nework.exe.ce0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.0.muDv2ygaMe.exe.140000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
18.0.muDv2ygaMe.exe.140000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
18.0.muDv2ygaMe.exe.140000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
35.2.runtime.exe.1323f558.3.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.Nework.exe.ce0000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
17.2.RegAsm.exe.482060.2.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
17.2.RegAsm.exe.482060.2.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
17.2.RegAsm.exe.482060.2.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x43893:$s1: file:/// 0x437ef:$s2: {11111-22222-10009-11112} 0x43823:$s3: {11111-22222-50001-00000} 0x4084e:$s4: get_Module 0x3af3c:$s5: Reverse 0x3bc37:$s6: BlockCopy 0x3af0a:$s7: ReadByte 0x438a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
35.2.runtime.exe.1daf0324.7.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.2.BitLockerToGo.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
30.2.GetSys.exe.254c000.3.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
17.2.RegAsm.exe.436060.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
6.2.axplong.exe.710000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
35.2.runtime.exe.1323f558.3.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
35.2.runtime.exe.1323f87c.4.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
40.2.AppLaunch.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
38.2.BitLockerToGo.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
24.2.Hkbsse.exe.70000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
35.2.runtime.exe.1daf0000.8.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
37.2.Amadeus.exe.1610000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
31.2.Amadeus.exe.1706000.1.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
35.2.runtime.exe.1323f87c.4.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
35.2.runtime.exe.131c1b20.5.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
29.0.svchost015.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
29.0.svchost015.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 52 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\1000238002\Amadeus.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 3528, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F, CommandLine: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe, ParentProcessId: 4080, ParentProcessName: runtime.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F, ProcessId: 1264, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Avira: detected

Found malware configuration

Source: 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php"}
Source: 00000009.00000002.1948777736.0000000003F95000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "95.179.250.45:26212", "Bot Id": "LiveTraffic", "Message": "Error! Disable antivirus and try again!", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: 31.2.Amadeus.exe.1706000.1.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["millyscroqwp.shop", "evoliutwoqm.shop", "traineiwnqo.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "locatedblsoqp.shop", "stamppreewntnq.shop", "caffegclasiqwp.shop"], "Build id": "y1TO5A--QX1"}
Source: 23.2.Hkbsse.exe.70000.0.unpack	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.26/Dem7kTu/index.php", "Version": "4.41", "Install Folder": "054fdc5f70", "Install File": "Hkbsse.exe"}
Source: 25.0.stealc_default2.exe.d40000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default2"}
Source: joffer2.exe.2748.27.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["sevxv17pn.top", "@sevxv17pn.top", "analforeverlovyu.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\1000238002\Amadeus.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\1[1].exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\GetSys[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted[1].exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\Set-up[1].exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\crypteda[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Amadeus[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\runtime[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\1000238002\Amadeus.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Amadeus[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\crypteda[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: caffegclasiqwp.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stamppreewntnq.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: stagedchheiqwo.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: millyscroqwp.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: evoliutwoqm.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: condedqpwqm.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: traineiwnqo.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: locatedblsoqp.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: evoliutwoqm.shop
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tLYMe5--newnew

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925DC78 CryptUnprotectData,	13_2_0925DC78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925DC70 CryptUnprotectData,	13_2_0925DC70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_00D4C660 memset,lstrlenA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,PK11_FreeSlot,	25_2_00D4C660
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8A6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	25_2_6C8A6C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9FA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	25_2_6C9FA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9F44C0 PK11_PubEncrypt,	25_2_6C9F44C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9C4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	25_2_6C9C4420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9F4440 PK11_PrivDecrypt,	25_2_6C9F4440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA425B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	25_2_6CA425B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9DE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	25_2_6C9DE6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9FA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	25_2_6C9FA650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9D8670 PK11_ExportEncryptedPrivKeyInfo,	25_2_6C9D8670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA1A730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	25_2_6CA1A730
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA20180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	25_2_6CA20180
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9F43B0 PK11_PubEncryptPKCS1,PR_SetError,	25_2_6C9F43B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA17C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	25_2_6CA17C00

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe

Unpacked PE file: 29.2.svchost015.exe.400000.0.unpack

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000019.00000002.2248450280.000000006C90D000.00000002.00000001.01000000.0000001A.sdmp, mozglue[1].dll.25.dr
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.25.dr
Source:	Binary string: c:\rje\tg\3fl4\obj\Re\ease\etf.pdb source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, crypted.exe.6.dr
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdb source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000023.00000000.2449148208.0000000000F62000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: BitLockerToGo.pdb source: GetSys.exe, 0000001E.00000002.2626655297.00000000025CF000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2428975351.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, Amadeus.exe, 00000025.00000002.2725651381.00000000015D6000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdb> source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000023.00000000.2449148208.0000000000F62000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.25.dr, vcruntime140.dll.25.dr
Source:	Binary string: c:\rje\tg\bj\Re\ease\gqa.pdb source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.25.dr
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000019.00000002.2248450280.000000006C90D000.00000002.00000001.01000000.0000001A.sdmp, mozglue[1].dll.25.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: GetSys.exe, 0000001E.00000002.2626655297.00000000025CF000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2428975351.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, Amadeus.exe, 00000025.00000002.2725651381.00000000015D6000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0041B6DA FindFirstFileExW,	17_2_0041B6DA
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D1D9FD FindFirstFileExW,	22_2_00D1D9FD
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000AD9FD FindFirstFileExW,	23_2_000AD9FD

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc dword ptr [ebp-20h]	13_2_06FF3158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc dword ptr [ebp-20h]	13_2_06FF2E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 093297EAh	13_2_093293B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 09329C6Ah	13_2_093293B8

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	IPs: 185.215.113.26
Source: Malware configuration extractor	URLs: sevxv17pn.top
Source: Malware configuration extractor	URLs: @sevxv17pn.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: 95.179.250.45:26212

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_0071BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

6_2_0071BD60

Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.000000000248D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.000000000248D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)
Source: build.exe, 00000021.00000002.2475331078.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`, equals www.youtube.com (Youtube)
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.000000000248D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.000000000248D000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\ equals www.youtube.com (Youtube)

Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.216.17.170/joffer2.exe
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.216.17.170/joffer2.exe69c8c83ebf0f2
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.216.17.170/joffer2.exeup2.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/214f815db3496a3a9a731e9f3eeba476ea0e17e76#
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php$v
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php00243001
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php028766ada219b5bcfb1349d9888d238ers
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php3001
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php?
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpCa
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpHa
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpUsers
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/e19fbffd5744f69c5867ee8214f815db3496a3a9a731e9f3eeba476ea0e17e76#
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ferences.SourceAumid1
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/Amadeus.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/crypteda.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/runtime.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/runtime.exeS
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/runtime.exef62
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exeq
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ta
Source: stealc_default2.exe, 00000019.00000002.2212357774.000000000109E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2211354116.0000000000EED000.00000004.00000001.01000000.00000016.sdmp, stealc_default2.exe, 00000019.00000002.2211354116.0000000000D7C000.00000004.00000001.01000000.00000016.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php-
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php3A
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php5
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php9
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpE
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpI
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpKFIJKFCAKJJJKJKFI
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpQ
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpge
Source: stealc_default2.exe, 00000019.00000002.2211354116.0000000000EED000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpwser
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/3n
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dllWv
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllEv
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllI;
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll~;H
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllKv
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2211354116.0000000000DAA000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dllkww
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
Source: stealc_default2.exe, 00000019.00000002.2211354116.0000000000EED000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: runtime.exe, 00000023.00000002.2598170248.0000000003166000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002C.00000002.3947221893.0000000002F69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php%
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpg
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpg1
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpg;
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php81001
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3945712890.000000000696E000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=130
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=146
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=19
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=19?
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=19b
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=19d
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=19l
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=19q
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1AF
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1EA
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1FC
Source: AppLaunch.exe, 00000028.00000002.3950662047.0000000007A90000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1c
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1oreOPT/index.php
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phpC
Source: AppLaunch.exe, 00000028.00000002.3949807186.0000000007980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phpG
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phpK
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phpo
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phpt
Source: runtime.exe, 00000023.00000002.2598170248.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002C.00000002.3947221893.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/ProlongedPortable.dll
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/15.113.26/ndation.PropertyValue
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/15.113.26/ta
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/3405117-2476756634-10039)
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000B10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php%
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php0
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php13001
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php5
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php:
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpE
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpR
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpU
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpe
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpu
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpv
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Nework.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Nework.exeB
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/System32
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/l
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/9
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/:hN
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000002.2273964707.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php=
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpM
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpY
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpf
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpi
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158D4v
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158Rh&
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: axplong.exe, 00000006.00000002.3941033997.000000000137F000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZl
Source: axplong.exe, 00000006.00000002.3941033997.000000000137F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZlqos.dll
Source: axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZlrr?
Source: axplong.exe, 00000006.00000002.3941033997.00000000013B3000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3840509/build.exe?hash=AgADNB
Source: axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3846244/1.exe?hash=AgADek
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDB
Source: axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDB9ed7
Source: axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDBeaed
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddl.safone.dev/3846638/GetSys.exe?hash=AgADAh
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Set-up.exe, 0000001A.00000003.2892419940.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2898567209.00000000014DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/8
Source: Set-up.exe, 0000001A.00000003.2892419940.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2898567209.00000000014DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/p
Source: Set-up.exe, 0000001A.00000003.2896925548.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/v1/upload.php
Source: Set-up.exe, 0000001A.00000003.2892419940.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2898567209.00000000014DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/v1/upload.php5%
Source: Set-up.exe, 0000001A.00000003.2896925548.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/v1/upload.phpL
Source: Set-up.exe, 0000001A.00000003.2226001214.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2226204284.00000000014EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/v1/upload.phpao
Source: Set-up.exe, 0000001A.00000003.2892419940.00000000014D3000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2898567209.00000000014DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top/w
Source: Set-up.exe, 0000001A.00000003.2896925548.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivexv5vs.top:80/v1/upload.php=
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net02
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: http://ocsps.ssl.com0
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9~
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.2598170248.0000000003166000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002C.00000002.3947221893.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: joffer2.exe, 0000001B.00000003.2959675941.0000000001494000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2967155158.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2955511881.0000000001492000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2967155158.0000000001494000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2959675941.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2955511881.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top/
Source: joffer2.exe, 0000001B.00000003.2967155158.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2959675941.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2955511881.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top/8xzE
Source: joffer2.exe, 0000001B.00000003.2967155158.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2959675941.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2955511881.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top/azZ
Source: joffer2.exe, 0000001B.00000003.2967155158.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2538323147.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2953439423.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2303951126.00000000014AA000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2959675941.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2959675941.00000000014AB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2955511881.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top/v1/upload.php
Source: joffer2.exe, 0000001B.00000003.2266783074.00000000014A9000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2303951126.00000000014AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top/v1/upload.phpao
Source: joffer2.exe, 0000001B.00000003.2967155158.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2959675941.000000000149D000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2955511881.000000000149D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top/v1/upload.phpxx
Source: joffer2.exe, 0000001B.00000003.2303951126.00000000014AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevxv17pn.top:80/v1/upload.php
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stagingbyvdveen.com/get/setup2.exe
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://stagingbyvdveen.com/get/setup2.exe9
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003689000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003765000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003765000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.0000000003759000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.0000000003765000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003765000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003765000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002B20000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003761000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp, mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/rpa03
Source: stealc_default2.exe, stealc_default2.exe, 00000019.00000002.2248450280.000000006C90D000.00000002.00000001.01000000.0000001A.sdmp, mozglue[1].dll.25.dr	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stealc_default2.exe, 00000019.00000002.2248247392.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/order
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/license
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/subscribe
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.0000000002403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: build.exe, 00000021.00000002.2475331078.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, crypted.exe, 0000002D.00000002.2654323842.0000000003E64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696491991400800003.2&ci=1696491991993.
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696491991400800003.1&ci=1696491991993.12791&cta
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: joffer2.exe, 0000001B.00000003.3297043789.0000000001564000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqX1CqX4pbW1pbWfpbZ7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000002.2598623828.000000000098E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.000000000097E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000002.2598623828.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/.
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2456263109.0000000000B8D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.000000000097E000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000002.2598623828.0000000000965000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/api
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/apiOs
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/apib
Source: BitLockerToGo.exe, 00000026.00000003.2543717376.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/apil?P
Source: BitLockerToGo.exe, 00000026.00000002.2598623828.000000000098E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/apis
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/apisU
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000B83000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/k
Source: BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/nd
Source: BitLockerToGo.exe, 00000026.00000003.2543717376.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/~
Source: BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop:443/api
Source: BitLockerToGo.exe, 00000026.00000003.2543717376.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://millyscroqwp.shop/
Source: BitLockerToGo.exe, 00000026.00000002.2598623828.0000000000953000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://millyscroqwp.shop/(
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: https://mozilla.org0/
Source: axplong.exe, 00000006.00000002.3941033997.0000000001407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nel.heroku.com/reports?ts=1725272783&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=qaqy4rJ%2Bta
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nel.heroku.com/reports?ts=1725272792&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=duqzMVmDiblK
Source: axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nel.heroku.com/reports?ts=1725272809&sid=c4c9725f-1ab0-44d8-820f-430df2718e11&s=xfKEnE6ujGb8
Source: GetSys.exe, 0000001E.00000000.2307058334.0000000001196000.00000002.00000001.01000000.0000001D.sdmp	String found in binary or memory: https://protobuf.dev/reference/go/faq#namespace-conflictnot
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: stealc_default2.exe, 00000019.00000003.2176721714.000000002D810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: stealc_default2.exe, 00000019.00000003.2176721714.000000002D810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adminforge.de/
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adminforge.de/MZ
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C02000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3940385031.0000000000BA7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adminforge.de/get/5dfLDESaxz/crypted.exe
Source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://transfer.adminforge.de/get/5dfLDESaxz/crypted.exe6789
Source: Set-up.exe, 0000001A.00000002.3168232055.0000000000882000.00000002.00000001.01000000.00000017.sdmp, joffer2.exe, 0000001B.00000000.2148251312.0000000000885000.00000002.00000001.01000000.00000018.sdmp, joffer2[1].exe.24.dr, joffer2.exe.24.dr, Set-up[1].exe.6.dr	String found in binary or memory: https://update-ledger.net/update
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_15d7e4b694824b33323940336fbf0bead57d89764383fe44
Source: BitLockerToGo.exe, 00000020.00000003.2456024901.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2456093433.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543520838.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000959000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000020.00000003.2456024901.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2456093433.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000959000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: mozglue[1].dll.25.dr, nss3[1].dll.25.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.entrust.net/rpa0
Source: RegAsm.exe, 0000000D.00000002.2087513413.0000000003A3F000.00000004.00000800.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: stealc_default2.exe, 00000019.00000002.2241865834.00000000275C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: stealc_default2.exe, 00000019.00000003.2176721714.000000002D810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: stealc_default2.exe, 00000019.00000003.2176721714.000000002D810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: stealc_default2.exe, 00000019.00000003.2176721714.000000002D810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000019.00000003.2176721714.000000002D810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	String found in binary or memory: https://www.ssl.com/repository0
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/winhex/forum/
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection

Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000025F9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_41e616e5-d

Source: Yara match	File source: 29.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpFC42.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\TmpFC62.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp9CE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp9DF.tmp	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 33.0.build.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.2.RegAsm.exe.482060.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 18.0.muDv2ygaMe.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 17.2.RegAsm.exe.482060.2.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0000001E.00000002.2626655297.000000000260A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: crypted[1].exe.6.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296
Source: crypted.exe.6.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe

File dump: service123.exe.26.dr 314613760

Jump to dropped file

PE file contains section with special chars

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CFC9F7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	22_2_00CFC9F7
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_0008C9F7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,	23_2_0008C9F7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8FB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	25_2_6C8FB700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8FB8C0 rand_s,NtQueryVirtualMemory,	25_2_6C8FB8C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8FB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	25_2_6C8FB910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	25_2_6C89F280

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	File created: C:\Windows\Tasks\axplong.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File created: C:\Windows\Tasks\Hkbsse.job

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0071E440	6_2_0071E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00753068	6_2_00753068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00714CF0	6_2_00714CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00747D83	6_2_00747D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0075765B	6_2_0075765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00714AF0	6_2_00714AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0075777B	6_2_0075777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00758720	6_2_00758720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00756F09	6_2_00756F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00752BD0	6_2_00752BD0
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Code function: 9_2_01490B3A	9_2_01490B3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_016DDC74	13_2_016DDC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06C3A688	13_2_06C3A688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06C367D8	13_2_06C367D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06C33F50	13_2_06C33F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06C36FE8	13_2_06C36FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06C36FF8	13_2_06C36FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FF66D0	13_2_06FF66D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FF13C0	13_2_06FF13C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FF6FA0	13_2_06FF6FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FF13B0	13_2_06FF13B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FF6388	13_2_06FF6388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FFE9B0	13_2_06FFE9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06FFE977	13_2_06FFE977
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09257B08	13_2_09257B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925CDB8	13_2_0925CDB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925AF98	13_2_0925AF98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09257660	13_2_09257660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925B8AC	13_2_0925B8AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925B8B8	13_2_0925B8B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925CDA9	13_2_0925CDA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0925F7B1	13_2_0925F7B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09323828	13_2_09323828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09323050	13_2_09323050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09326B2B	13_2_09326B2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09324300	13_2_09324300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_093293B8	13_2_093293B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09326390	13_2_09326390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09327578	13_2_09327578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09325C38	13_2_09325C38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_0932BC28	13_2_0932BC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09324E30	13_2_09324E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09323E80	13_2_09323E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09328128	13_2_09328128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09322128	13_2_09322128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09323819	13_2_09323819
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09323040	13_2_09323040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09328B31	13_2_09328B31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_093202A8	13_2_093202A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_093242F0	13_2_093242F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09322780	13_2_09322780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09324E05	13_2_09324E05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09323E70	13_2_09323E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00402310	17_2_00402310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_004050B0	17_2_004050B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0042045E	17_2_0042045E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0040FCE0	17_2_0040FCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00419D09	17_2_00419D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0041950B	17_2_0041950B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00415625	17_2_00415625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00404EF0	17_2_00404EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0040CF7F	17_2_0040CF7F
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Code function: 18_2_00A97468	18_2_00A97468
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Code function: 18_2_00A97458	18_2_00A97458
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Code function: 18_2_08470578	18_2_08470578
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Code function: 18_2_08470568	18_2_08470568
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Code function: 18_2_0847F532	18_2_0847F532
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_0102DC74	20_2_0102DC74
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062B3838	20_2_062B3838
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062C67D0	20_2_062C67D0
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062CA3E8	20_2_062CA3E8
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062C3F50	20_2_062C3F50
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062CA3B7	20_2_062CA3B7
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062C6FE8	20_2_062C6FE8
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062C6FF8	20_2_062C6FF8
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CEAC50	22_2_00CEAC50
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CEE390	22_2_00CEE390
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D28650	22_2_00D28650
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CE4AF0	22_2_00CE4AF0
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D22B00	22_2_00D22B00
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CE4CF0	22_2_00CE4CF0
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D00C73	22_2_00D00C73
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D26E39	22_2_00D26E39
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D22F98	22_2_00D22F98
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D01462	22_2_00D01462
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D2758B	22_2_00D2758B
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D276AB	22_2_00D276AB
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D17CB3	22_2_00D17CB3
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D03C51	22_2_00D03C51
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D05FF2	22_2_00D05FF2
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00079760	23_2_00079760
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00091462	23_2_00091462
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000B758B	23_2_000B758B
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000B8650	23_2_000B8650
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000B76AB	23_2_000B76AB
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00074AF0	23_2_00074AF0
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000B2B00	23_2_000B2B00
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00093C51	23_2_00093C51
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00090C73	23_2_00090C73
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000A7CB3	23_2_000A7CB3
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00074CF0	23_2_00074CF0
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000B6E39	23_2_000B6E39
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000B2F98	23_2_000B2F98
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_00095FF2	23_2_00095FF2
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8935A0	25_2_6C8935A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8A6C80	25_2_6C8A6C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8F34A0	25_2_6C8F34A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8FC4A0	25_2_6C8FC4A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8A64C0	25_2_6C8A64C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8BD4D0	25_2_6C8BD4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89D4E0	25_2_6C89D4E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D6CF0	25_2_6C8D6CF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C90AC00	25_2_6C90AC00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D5C10	25_2_6C8D5C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8E2C10	25_2_6C8E2C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C90542B	25_2_6C90542B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8A5440	25_2_6C8A5440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C90545C	25_2_6C90545C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D0DD0	25_2_6C8D0DD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8F85F0	25_2_6C8F85F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8AFD00	25_2_6C8AFD00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8BED10	25_2_6C8BED10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8C0512	25_2_6C8C0512
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8FE680	25_2_6C8FE680
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8B5E90	25_2_6C8B5E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8F4EA0	25_2_6C8F4EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9076E3	25_2_6C9076E3
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89BEF0	25_2_6C89BEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8AFEF0	25_2_6C8AFEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8E5600	25_2_6C8E5600
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D7E10	25_2_6C8D7E10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8F9E30	25_2_6C8F9E30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8E2E4E	25_2_6C8E2E4E
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8B4640	25_2_6C8B4640
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8B9E50	25_2_6C8B9E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D3E50	25_2_6C8D3E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C906E63	25_2_6C906E63
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89C670	25_2_6C89C670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8E77A0	25_2_6C8E77A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89DFE0	25_2_6C89DFE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8C6FF0	25_2_6C8C6FF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8A9F00	25_2_6C8A9F00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D7710	25_2_6C8D7710
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8C60A0	25_2_6C8C60A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9050C7	25_2_6C9050C7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8BC0E0	25_2_6C8BC0E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D58E0	25_2_6C8D58E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8A7810	25_2_6C8A7810
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8DB820	25_2_6C8DB820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8E4820	25_2_6C8E4820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8B8850	25_2_6C8B8850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8BD850	25_2_6C8BD850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8DF070	25_2_6C8DF070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D5190	25_2_6C8D5190
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8F2990	25_2_6C8F2990
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89C9A0	25_2_6C89C9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8CD9B0	25_2_6C8CD9B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8BA940	25_2_6C8BA940
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C90B170	25_2_6C90B170
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8AD960	25_2_6C8AD960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8EB970	25_2_6C8EB970
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C90BA90	25_2_6C90BA90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C902AB0	25_2_6C902AB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8922A0	25_2_6C8922A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8C4AA0	25_2_6C8C4AA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8ACAB0	25_2_6C8ACAB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D8AC0	25_2_6C8D8AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8B1AF0	25_2_6C8B1AF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8DE2F0	25_2_6C8DE2F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8D9A60	25_2_6C8D9A60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C89F380	25_2_6C89F380
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9053C8	25_2_6C9053C8
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8DD320	25_2_6C8DD320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C895340	25_2_6C895340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8AC370	25_2_6C8AC370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C99ECD0	25_2_6C99ECD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C93ECC0	25_2_6C93ECC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA1AC30	25_2_6CA1AC30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA06C00	25_2_6CA06C00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C94AC60	25_2_6C94AC60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9D6D90	25_2_6C9D6D90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C944DB0	25_2_6C944DB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CACCDC0	25_2_6CACCDC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CAC8D20	25_2_6CAC8D20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA0ED70	25_2_6CA0ED70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA6AD50	25_2_6CA6AD50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9C6E90	25_2_6C9C6E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C94AEC0	25_2_6C94AEC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9E0EC0	25_2_6C9E0EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA20E20	25_2_6CA20E20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9DEE70	25_2_6C9DEE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA88FB0	25_2_6CA88FB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C94EFB0	25_2_6C94EFB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA1EFF0	25_2_6CA1EFF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C940FE0	25_2_6C940FE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C946F10	25_2_6C946F10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA80F20	25_2_6CA80F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA02F70	25_2_6CA02F70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9AEF40	25_2_6C9AEF40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA468E0	25_2_6CA468E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C990820	25_2_6C990820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9CA820	25_2_6C9CA820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA14840	25_2_6CA14840
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA009B0	25_2_6CA009B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9D09A0	25_2_6C9D09A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9FA9A0	25_2_6C9FA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA5C9E0	25_2_6CA5C9E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9749F0	25_2_6C9749F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C996900	25_2_6C996900
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C978960	25_2_6C978960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9BEA80	25_2_6C9BEA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9EEA00	25_2_6C9EEA00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9F8A30	25_2_6C9F8A30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9BCA70	25_2_6C9BCA70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9E0BA0	25_2_6C9E0BA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA46BE0	25_2_6CA46BE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA6A480	25_2_6CA6A480
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9864D0	25_2_6C9864D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9DA4D0	25_2_6C9DA4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9CA430	25_2_6C9CA430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9A4420	25_2_6C9A4420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C958460	25_2_6C958460
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9345B0	25_2_6C9345B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA0A5E0	25_2_6CA0A5E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9CE5F0	25_2_6C9CE5F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C998540	25_2_6C998540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA44540	25_2_6CA44540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9E0570	25_2_6C9E0570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA88550	25_2_6CA88550
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9A2560	25_2_6C9A2560
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9646D0	25_2_6C9646D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C99E6E0	25_2_6C99E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9DE6E0	25_2_6C9DE6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C99C650	25_2_6C99C650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C96A7D0	25_2_6C96A7D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9C0700	25_2_6C9C0700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C938090	25_2_6C938090
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA1C0B0	25_2_6CA1C0B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9500B0	25_2_6C9500B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA0C000	25_2_6CA0C000
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA08010	25_2_6CA08010
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C98E070	25_2_6C98E070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9401E0	25_2_6C9401E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA24130	25_2_6CA24130
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9B6130	25_2_6C9B6130
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9A8140	25_2_6C9A8140
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA122A0	25_2_6CA122A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA0E2B0	25_2_6CA0E2B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CAC62C0	25_2_6CAC62C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA18220	25_2_6CA18220
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA0A210	25_2_6CA0A210
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9D8250	25_2_6C9D8250
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9C8260	25_2_6C9C8260
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C99E3B0	25_2_6C99E3B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9723A0	25_2_6C9723A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9943E0	25_2_6C9943E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9B2320	25_2_6C9B2320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA5C360	25_2_6CA5C360
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C948340	25_2_6C948340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA82370	25_2_6CA82370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C942370	25_2_6C942370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9D6370	25_2_6C9D6370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA01CE0	25_2_6CA01CE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA7DCD0	25_2_6CA7DCD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C951C30	25_2_6C951C30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C943C40	25_2_6C943C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA69C40	25_2_6CA69C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C933D80	25_2_6C933D80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA89D90	25_2_6CA89D90

Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00CFD7A2 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00CFD4C4 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00CFDDE0 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00CF7F20 appears 129 times
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: String function: 00087F20 appears 128 times
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: String function: 0008D7A2 appears 69 times
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: String function: 0008DDE0 appears 39 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C963620 appears 62 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6CA79F30 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C969B10 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C8D94D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C8CCBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 00D44610 appears 316 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00407D20 appears 55 times

Source: Set-up[1].exe.6.dr	Static PE information: Number of sections : 18 > 10
Source: Set-up.exe.6.dr	Static PE information: Number of sections : 18 > 10

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33.0.build.exe.a80000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.2.RegAsm.exe.482060.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 18.0.muDv2ygaMe.exe.140000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 17.2.RegAsm.exe.482060.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0000001E.00000002.2626655297.000000000260A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: crypted[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypted.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda[1].exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: Section: ZLIB complexity 0.9969186393051771
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: Section: hwadqtea ZLIB complexity 0.9943944732937685
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9969186393051771
Source: axplong.exe.0.dr	Static PE information: Section: hwadqtea ZLIB complexity 0.9943944732937685

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@70/71@0/14

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 25_2_6C8F7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

25_2_6C8F7030

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5668:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3324:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1256:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: Yara match	File source: 29.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.25.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.25.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.25.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.25.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.25.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp, nss3[1].dll.25.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: RegAsm.exe, 0000000D.00000002.2087513413.000000000384D000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2087513413.0000000003862000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000003.2087819848.0000000021549000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000003.2102509781.000000002153D000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000003.2084704789.0000000001121000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2264262536.00000000032E8000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314636365.00000000031A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000019.00000002.2248136571.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2227393547.000000001B480000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

ReversingLabs: Detection: 60%

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe "C:\Users\user\AppData\Roaming\muDv2ygaMe.exe"
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe "C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe "C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe "C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\1.exe "C:\Users\user\AppData\Local\Temp\1000191001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe "C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000241001\build.exe "C:\Users\user\AppData\Local\Temp\1000241001\build.exe"
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"
Source: unknown	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: unknown	Process created: C:\Users\user\Pictures\Lighter Tech\runtime.exe "C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe "C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\1.exe "C:\Users\user\AppData\Local\Temp\1000191001\1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe "C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000241001\build.exe "C:\Users\user\AppData\Local\Temp\1000241001\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe "C:\Users\user\AppData\Roaming\muDv2ygaMe.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe "C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe "C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Process created: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\1000238002\Amadeus.exe	Section loaded: apphelp.dll
Source: C:\Users\user\1000238002\Amadeus.exe	Section loaded: powrprof.dll
Source: C:\Users\user\1000238002\Amadeus.exe	Section loaded: umpdc.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winhttp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: webio.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mswsock.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: winnsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: sspicli.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dnsapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: schannel.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ntasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncrypt.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: msasn1.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptsp.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: rsaenh.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: cryptbase.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: gpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: dpapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: amsi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: userenv.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: profapi.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: version.dll
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: vcruntime140_clr0400.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Static file information: File size 1928704 > 1048576

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Static PE information: Raw size of hwadqtea is bigger than: 0x100000 < 0x1a5400

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000019.00000002.2248450280.000000006C90D000.00000002.00000001.01000000.0000001A.sdmp, mozglue[1].dll.25.dr
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.25.dr
Source:	Binary string: c:\rje\tg\3fl4\obj\Re\ease\etf.pdb source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, crypted.exe.6.dr
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdb source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000023.00000000.2449148208.0000000000F62000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: BitLockerToGo.pdb source: GetSys.exe, 0000001E.00000002.2626655297.00000000025CF000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2428975351.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, Amadeus.exe, 00000025.00000002.2725651381.00000000015D6000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdb> source: axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000023.00000000.2449148208.0000000000F62000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: vcruntime140[1].dll.25.dr, vcruntime140.dll.25.dr
Source:	Binary string: c:\rje\tg\bj\Re\ease\gqa.pdb source: AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000019.00000002.2248709980.000000006CACF000.00000002.00000001.01000000.00000019.sdmp, nss3[1].dll.25.dr
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000019.00000002.2248450280.000000006C90D000.00000002.00000001.01000000.0000001A.sdmp, mozglue[1].dll.25.dr
Source:	Binary string: BitLockerToGo.pdbGCTL source: GetSys.exe, 0000001E.00000002.2626655297.00000000025CF000.00000004.00001000.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2428975351.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, Amadeus.exe, 00000025.00000002.2725651381.00000000015D6000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: G.pdb source: axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Unpacked PE file: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwadqtea:EW;goyyausu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwadqtea:EW;goyyausu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwadqtea:EW;goyyausu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwadqtea:EW;goyyausu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.710000.0.unpack :EW;.rsrc:W;.idata :W; :EW;hwadqtea:EW;goyyausu:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;hwadqtea:EW;goyyausu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Unpacked PE file: 29.2.svchost015.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe

Unpacked PE file: 29.2.svchost015.exe.400000.0.unpack

Source: build[1].exe.6.dr

Static PE information: 0x9644DD5D [Sun Nov 21 08:18:37 2049 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00D0BDF9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

22_2_00D0BDF9

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: Nework[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: build[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x68612
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: real checksum: 0x1d78d2 should be: 0x1de706
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d78d2 should be: 0x1de706
Source: crypteda[1].exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: Nework.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: crypteda.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: build.exe.6.dr	Static PE information: real checksum: 0x0 should be: 0x68612

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: .idata
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name:
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: hwadqtea
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: goyyausu
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: hwadqtea
Source: axplong.exe.0.dr	Static PE information: section name: goyyausu
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: Set-up[1].exe.6.dr	Static PE information: section name: /4
Source: Set-up[1].exe.6.dr	Static PE information: section name: /14
Source: Set-up[1].exe.6.dr	Static PE information: section name: /29
Source: Set-up[1].exe.6.dr	Static PE information: section name: /41
Source: Set-up[1].exe.6.dr	Static PE information: section name: /55
Source: Set-up[1].exe.6.dr	Static PE information: section name: /67
Source: Set-up[1].exe.6.dr	Static PE information: section name: /80
Source: Set-up[1].exe.6.dr	Static PE information: section name: /91
Source: Set-up[1].exe.6.dr	Static PE information: section name: /102
Source: Set-up.exe.6.dr	Static PE information: section name: /4
Source: Set-up.exe.6.dr	Static PE information: section name: /14
Source: Set-up.exe.6.dr	Static PE information: section name: /29
Source: Set-up.exe.6.dr	Static PE information: section name: /41
Source: Set-up.exe.6.dr	Static PE information: section name: /55
Source: Set-up.exe.6.dr	Static PE information: section name: /67
Source: Set-up.exe.6.dr	Static PE information: section name: /80
Source: Set-up.exe.6.dr	Static PE information: section name: /91
Source: Set-up.exe.6.dr	Static PE information: section name: /102
Source: GetSys[1].exe.6.dr	Static PE information: section name: .symtab
Source: GetSys.exe.6.dr	Static PE information: section name: .symtab
Source: Amadeus[1].exe.6.dr	Static PE information: section name: .symtab
Source: Amadeus.exe.6.dr	Static PE information: section name: .symtab

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0072D84C push ecx; ret	6_2_0072D85F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00989680 push ebx; mov dword ptr [esp], edx	6_2_009896D3
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00989680 push ecx; mov dword ptr [esp], 77FBB323h	6_2_00989700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_06C3EFB2 push eax; ret	13_2_06C3EFC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_09324DC4 push 8BD0B70Fh; retf	13_2_09324DD0
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Code function: 15_2_03242989 push eax; retf 0071h	15_2_0324298A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00428E7D push esi; ret	17_2_00428E86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_004076D3 push ecx; ret	17_2_004076E6
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Code function: 18_2_0847F530 push esp; ret	18_2_0847F531
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Code function: 20_2_062CECF2 push eax; ret	20_2_062CED01
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CFD77C push ecx; ret	22_2_00CFD78F
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CFDE26 push ecx; ret	22_2_00CFDE39
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_0008D77C push ecx; ret	23_2_0008D78F
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_00D5A9F5 push ecx; ret	25_2_00D5AA08
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8CB536 push ecx; ret	25_2_6C8CB549

Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: entropy: 7.98015965484696
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Static PE information: section name: hwadqtea entropy: 7.954042204005219
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.98015965484696
Source: axplong.exe.0.dr	Static PE information: section name: hwadqtea entropy: 7.954042204005219
Source: crypted[1].exe.6.dr	Static PE information: section name: .text entropy: 7.995145897290141
Source: crypted.exe.6.dr	Static PE information: section name: .text entropy: 7.995145897290141
Source: crypteda[1].exe.6.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: crypteda.exe.6.dr	Static PE information: section name: .text entropy: 7.99930616062516

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File created: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\GetSys[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	File created: C:\Users\user\AppData\Local\Temp\svchost015.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\joffer2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File created: C:\Users\user\AppData\Local\Temp\fBzeZmUWdBgmhZfvjyDr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\1000238002\Amadeus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\crypteda[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Amadeus[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\runtime[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\Set-up[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\JhCTEUiuPFSAmdKyCcGU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Amadeus.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Amadeus.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Amadeus.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00CFC5C8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

22_2_00CFC5C8

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\1000238002\Amadeus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000238002\Amadeus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 28F049 second address: 28E93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F64BD03DB9Fh 0x0000000e push edi 0x0000000f pop edi 0x00000010 popad 0x00000011 pop eax 0x00000012 nop 0x00000013 jmp 00007F64BD03DBA1h 0x00000018 mov dword ptr [ebp+122D1B6Ch], esi 0x0000001e push dword ptr [ebp+122D0955h] 0x00000024 sub dword ptr [ebp+122D2585h], edx 0x0000002a call dword ptr [ebp+122D17E8h] 0x00000030 pushad 0x00000031 jnc 00007F64BD03DBA7h 0x00000037 jmp 00007F64BD03DB9Ch 0x0000003c xor eax, eax 0x0000003e clc 0x0000003f mov edx, dword ptr [esp+28h] 0x00000043 jmp 00007F64BD03DBA5h 0x00000048 mov dword ptr [ebp+122D2BF1h], eax 0x0000004e jmp 00007F64BD03DB9Fh 0x00000053 jno 00007F64BD03DB9Ch 0x00000059 mov esi, 0000003Ch 0x0000005e stc 0x0000005f add esi, dword ptr [esp+24h] 0x00000063 clc 0x00000064 lodsw 0x00000066 mov dword ptr [ebp+122D19A3h], esi 0x0000006c add eax, dword ptr [esp+24h] 0x00000070 sub dword ptr [ebp+122D19A3h], eax 0x00000076 mov ebx, dword ptr [esp+24h] 0x0000007a sub dword ptr [ebp+122D19A3h], esi 0x00000080 nop 0x00000081 jmp 00007F64BD03DB9Ch 0x00000086 push eax 0x00000087 push eax 0x00000088 push edx 0x00000089 push ebx 0x0000008a push ecx 0x0000008b pop ecx 0x0000008c pop ebx 0x0000008d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 40369E second address: 4036BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F64BC5223E8h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F64BC5223EBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 410246 second address: 41024C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 41024C second address: 410250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 410250 second address: 410254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4103DF second address: 410412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F64BC5223F8h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 410412 second address: 41042F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA7h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4108AD second address: 4108E8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push ebx 0x0000000a jmp 00007F64BC5223F4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F64BC5223F9h 0x00000016 push esi 0x00000017 pop esi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4108E8 second address: 4108EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4145CE second address: 4145D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4145D3 second address: 4145F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F64BD03DB96h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F64BD03DB9Eh 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4145F8 second address: 4145FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4145FC second address: 414611 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jp 00007F64BD03DB9Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414611 second address: 414615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414615 second address: 414632 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F64BD03DB98h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414632 second address: 414655 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007F64BC5223E6h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F64BC5223F1h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414655 second address: 28E93F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 mov dword ptr [ebp+122D1A14h], edi 0x0000000f push dword ptr [ebp+122D0955h] 0x00000015 cld 0x00000016 call dword ptr [ebp+122D17E8h] 0x0000001c pushad 0x0000001d jnc 00007F64BD03DBA7h 0x00000023 jmp 00007F64BD03DB9Ch 0x00000028 xor eax, eax 0x0000002a clc 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f jmp 00007F64BD03DBA5h 0x00000034 mov dword ptr [ebp+122D2BF1h], eax 0x0000003a jmp 00007F64BD03DB9Fh 0x0000003f jno 00007F64BD03DB9Ch 0x00000045 mov esi, 0000003Ch 0x0000004a stc 0x0000004b add esi, dword ptr [esp+24h] 0x0000004f clc 0x00000050 lodsw 0x00000052 mov dword ptr [ebp+122D19A3h], esi 0x00000058 add eax, dword ptr [esp+24h] 0x0000005c sub dword ptr [ebp+122D19A3h], eax 0x00000062 mov ebx, dword ptr [esp+24h] 0x00000066 sub dword ptr [ebp+122D19A3h], esi 0x0000006c nop 0x0000006d jmp 00007F64BD03DB9Ch 0x00000072 push eax 0x00000073 push eax 0x00000074 push edx 0x00000075 push ebx 0x00000076 push ecx 0x00000077 pop ecx 0x00000078 pop ebx 0x00000079 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414678 second address: 4146B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007F64BC5223F6h 0x0000000c nop 0x0000000d xor dword ptr [ebp+122D1958h], edx 0x00000013 push 00000000h 0x00000015 mov edx, dword ptr [ebp+122D2B49h] 0x0000001b push 359D516Dh 0x00000020 pushad 0x00000021 push edi 0x00000022 push edx 0x00000023 pop edx 0x00000024 pop edi 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414829 second address: 41489A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c mov edi, dword ptr [ebp+122D2B91h] 0x00000012 push F82F12FFh 0x00000017 push eax 0x00000018 jmp 00007F64BD03DB9Fh 0x0000001d pop eax 0x0000001e add dword ptr [esp], 07D0ED81h 0x00000025 push 00000000h 0x00000027 push esi 0x00000028 call 00007F64BD03DB98h 0x0000002d pop esi 0x0000002e mov dword ptr [esp+04h], esi 0x00000032 add dword ptr [esp+04h], 0000001Ah 0x0000003a inc esi 0x0000003b push esi 0x0000003c ret 0x0000003d pop esi 0x0000003e ret 0x0000003f mov edx, ecx 0x00000041 push 00000003h 0x00000043 mov dword ptr [ebp+122D2FADh], eax 0x00000049 push 00000000h 0x0000004b cmc 0x0000004c push 00000003h 0x0000004e add esi, 161C8CD5h 0x00000054 push B2E2E99Ch 0x00000059 pushad 0x0000005a pushad 0x0000005b push esi 0x0000005c pop esi 0x0000005d push eax 0x0000005e push edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 41489A second address: 414904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jng 00007F64BC5223E6h 0x0000000c pop esi 0x0000000d popad 0x0000000e add dword ptr [esp], 0D1D1664h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F64BC5223E8h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f js 00007F64BC522405h 0x00000035 call 00007F64BC5223F8h 0x0000003a mov dword ptr [ebp+122D17D1h], esi 0x00000040 pop edi 0x00000041 mov dx, bx 0x00000044 lea ebx, dword ptr [ebp+124594DDh] 0x0000004a xchg eax, ebx 0x0000004b push eax 0x0000004c push edx 0x0000004d jnc 00007F64BC5223E8h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414904 second address: 41490F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F64BD03DB96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 41499E second address: 4149B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4149B4 second address: 4149BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F64BD03DB96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4149BE second address: 414A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e add dword ptr [ebp+122D2623h], edi 0x00000014 push 00000000h 0x00000016 push ebx 0x00000017 jns 00007F64BC5223F3h 0x0000001d pop edx 0x0000001e push 269EFDD5h 0x00000023 jmp 00007F64BC5223F4h 0x00000028 xor dword ptr [esp], 269EFD55h 0x0000002f or ecx, 1C1AAC06h 0x00000035 push 00000003h 0x00000037 push 00000000h 0x00000039 push ecx 0x0000003a call 00007F64BC5223E8h 0x0000003f pop ecx 0x00000040 mov dword ptr [esp+04h], ecx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e ret 0x0000004f pop ecx 0x00000050 ret 0x00000051 jmp 00007F64BC5223F0h 0x00000056 push 00000000h 0x00000058 mov edi, dword ptr [ebp+122D1A43h] 0x0000005e push 00000003h 0x00000060 mov esi, dword ptr [ebp+122D2C3Dh] 0x00000066 push B4450496h 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F64BC5223F8h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 414A81 second address: 414AFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 0BBAFB6Ah 0x00000010 lea ebx, dword ptr [ebp+124594E8h] 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F64BD03DB98h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Bh 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 jmp 00007F64BD03DBA7h 0x00000035 mov dword ptr [ebp+122D2595h], ebx 0x0000003b push eax 0x0000003c js 00007F64BD03DBA4h 0x00000042 push eax 0x00000043 push edx 0x00000044 jng 00007F64BD03DB96h 0x0000004a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 3F9310 second address: 3F9315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 433B14 second address: 433B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DBA0h 0x00000009 jmp 00007F64BD03DBA7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 433CA7 second address: 433CAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 433CAC second address: 433CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 433CB4 second address: 433CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 433CB8 second address: 433CCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F64BD03DB98h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4343AC second address: 4343B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F64BC5223E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434515 second address: 434519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434BE4 second address: 434BEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434BEA second address: 434BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F64BD03DB96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434BF4 second address: 434BF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434D82 second address: 434DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DB9Ah 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F64BD03DB9Ch 0x00000010 jns 00007F64BD03DB96h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434DA6 second address: 434DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 434DAB second address: 434DB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 435609 second address: 435620 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F64BC5223E6h 0x0000000a popad 0x0000000b jmp 00007F64BC5223ECh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 435620 second address: 435637 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Bh 0x00000007 jl 00007F64BD03DB9Eh 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 406B90 second address: 406B94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 406B94 second address: 406BCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F64BD03DB9Ah 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F64BD03DB9Ch 0x00000013 pop ecx 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007F64BD03DBA4h 0x0000001b pushad 0x0000001c pushad 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 43ADA8 second address: 43ADAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 43BC03 second address: 43BC09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 43D32D second address: 43D363 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F64BC5223EFh 0x0000000d popad 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 pushad 0x00000014 pushad 0x00000015 js 00007F64BC5223E6h 0x0000001b jmp 00007F64BC5223ECh 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 43D363 second address: 43D38C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F64BD03DB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d js 00007F64BD03DB9Eh 0x00000013 push ecx 0x00000014 jns 00007F64BD03DB96h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jns 00007F64BD03DB98h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 43D506 second address: 43D50A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4422A0 second address: 4422A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4422A6 second address: 4422B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4422B1 second address: 4422B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4422B5 second address: 4422B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4429EF second address: 442A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F64BD03DBA8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 442A0C second address: 442A11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 442A11 second address: 442A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F64BD03DB9Dh 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 442A28 second address: 442A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BC5223F1h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 444BD1 second address: 444BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 444BD5 second address: 444BDB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 444FB9 second address: 444FBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4458D2 second address: 4458F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F64BC5223F7h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4458F2 second address: 4458F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4458F8 second address: 44592A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F64BC5223F4h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F64BC5223F0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44592A second address: 445943 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 3FE5DD second address: 3FE5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 446D37 second address: 446D3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 448493 second address: 448497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 448497 second address: 4484DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, eax 0x0000000c push 00000000h 0x0000000e sub dword ptr [ebp+122D17D9h], edi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F64BD03DB98h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 0000001Dh 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push eax 0x00000031 jl 00007F64BD03DB9Eh 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4493F8 second address: 4493FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4493FC second address: 44942C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F64BD03DB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64BD03DBA5h 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F64BD03DB9Dh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44942C second address: 449465 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov esi, 3EDE2C97h 0x0000000f push 00000000h 0x00000011 or dword ptr [ebp+122D1801h], edi 0x00000017 push 00000000h 0x00000019 xchg eax, ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F64BC5223EBh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 449465 second address: 449469 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 449469 second address: 44946F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44946F second address: 449498 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F64BD03DBA8h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jnp 00007F64BD03DBA8h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 449498 second address: 44949C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44949C second address: 4494A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44AA2D second address: 44AA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44AA32 second address: 44AA38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44AA38 second address: 44AA7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+122D2D07h], ebx 0x00000012 push 00000000h 0x00000014 ja 00007F64BC5223F9h 0x0000001a jmp 00007F64BC5223F3h 0x0000001f push 00000000h 0x00000021 mov dword ptr [ebp+122D37FAh], edi 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push edx 0x0000002d pop edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44AA7D second address: 44AA87 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F64BD03DB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44BEF8 second address: 44BF6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov esi, dword ptr [ebp+122D2B11h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F64BC5223E8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov edi, 7B95E342h 0x0000002f cmc 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007F64BC5223E8h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 00000017h 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c or edi, 3A21EFE1h 0x00000052 push eax 0x00000053 pushad 0x00000054 jnp 00007F64BC5223ECh 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F64BC5223EEh 0x00000061 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44CA07 second address: 44CA8D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F64BD03DB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64BD03DBA5h 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F64BD03DB98h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000014h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov edi, ecx 0x0000002f push 00000000h 0x00000031 mov di, si 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edi 0x00000039 call 00007F64BD03DB98h 0x0000003e pop edi 0x0000003f mov dword ptr [esp+04h], edi 0x00000043 add dword ptr [esp+04h], 00000018h 0x0000004b inc edi 0x0000004c push edi 0x0000004d ret 0x0000004e pop edi 0x0000004f ret 0x00000050 mov dword ptr [ebp+1245A571h], ebx 0x00000056 xchg eax, ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 jmp 00007F64BD03DBA5h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 451222 second address: 451239 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 451239 second address: 451243 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F64BD03DB9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 451243 second address: 45128E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ebx, 6C1D3F9Fh 0x0000000e push 00000000h 0x00000010 jl 00007F64BC5223E8h 0x00000016 mov edi, ebx 0x00000018 push ebx 0x00000019 or edi, 7BDF5705h 0x0000001f pop edi 0x00000020 push 00000000h 0x00000022 sub bx, 4154h 0x00000027 mov dword ptr [ebp+1245A319h], esi 0x0000002d xchg eax, esi 0x0000002e pushad 0x0000002f pushad 0x00000030 push edi 0x00000031 pop edi 0x00000032 push esi 0x00000033 pop esi 0x00000034 popad 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F64BC5223F4h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45128E second address: 451292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 451292 second address: 4512B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F64BC5223F3h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 453238 second address: 45329E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007F64BD03DBA0h 0x0000000d nop 0x0000000e adc edi, 58E2AE18h 0x00000014 push 00000000h 0x00000016 push eax 0x00000017 push eax 0x00000018 mov dword ptr [ebp+122D2E94h], eax 0x0000001e pop edi 0x0000001f pop ebx 0x00000020 push 00000000h 0x00000022 push ebx 0x00000023 pushad 0x00000024 jmp 00007F64BD03DB9Dh 0x00000029 jng 00007F64BD03DB96h 0x0000002f popad 0x00000030 pop edi 0x00000031 xchg eax, esi 0x00000032 pushad 0x00000033 jmp 00007F64BD03DB9Ch 0x00000038 jnl 00007F64BD03DB98h 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 popad 0x00000041 push eax 0x00000042 jnl 00007F64BD03DBA0h 0x00000048 push eax 0x00000049 push edx 0x0000004a push edx 0x0000004b pop edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 452534 second address: 452539 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4552BC second address: 455338 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F64BD03DB98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007F64BD03DB98h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 movzx edi, si 0x00000028 push 00000000h 0x0000002a jc 00007F64BD03DBA1h 0x00000030 jmp 00007F64BD03DB9Bh 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edx 0x0000003a call 00007F64BD03DB98h 0x0000003f pop edx 0x00000040 mov dword ptr [esp+04h], edx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc edx 0x0000004d push edx 0x0000004e ret 0x0000004f pop edx 0x00000050 ret 0x00000051 mov ebx, dword ptr [ebp+122D29FDh] 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a jl 00007F64BD03DB9Ch 0x00000060 js 00007F64BD03DB96h 0x00000066 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45452A second address: 454543 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F64BC5223E6h 0x00000009 jnl 00007F64BC5223E6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 454543 second address: 454547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 454547 second address: 45454D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 455564 second address: 45557A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4563B7 second address: 4563C1 instructions: 0x00000000 rdtsc 0x00000002 js 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45557A second address: 45557E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4563C1 second address: 4563C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4563C7 second address: 4563CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4563CB second address: 4563DD instructions: 0x00000000 rdtsc 0x00000002 js 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4563DD second address: 4563E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4565DE second address: 4565E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4565E4 second address: 4565E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4583A9 second address: 4583B3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4583B3 second address: 4583B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4583B9 second address: 4583BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45955B second address: 45955F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45C624 second address: 45C66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BC5223EAh 0x00000009 popad 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e movsx ebx, di 0x00000011 push 00000000h 0x00000013 jmp 00007F64BC5223EAh 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push edi 0x0000001d call 00007F64BC5223E8h 0x00000022 pop edi 0x00000023 mov dword ptr [esp+04h], edi 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc edi 0x00000030 push edi 0x00000031 ret 0x00000032 pop edi 0x00000033 ret 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45C66F second address: 45C673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 457580 second address: 457591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jg 00007F64BC5223F8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 457591 second address: 457595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 457595 second address: 457599 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45B938 second address: 45B952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F64BD03DB98h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45C86B second address: 45C870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45E435 second address: 45E439 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45C870 second address: 45C876 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45E439 second address: 45E4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F64BD03DBA0h 0x0000000c pop eax 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 jnc 00007F64BD03DB9Ch 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push edx 0x0000001c call 00007F64BD03DB98h 0x00000021 pop edx 0x00000022 mov dword ptr [esp+04h], edx 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc edx 0x0000002f push edx 0x00000030 ret 0x00000031 pop edx 0x00000032 ret 0x00000033 push 00000000h 0x00000035 sub dword ptr [ebp+122D25F3h], esi 0x0000003b xchg eax, esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f jmp 00007F64BD03DBA7h 0x00000044 pop eax 0x00000045 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 45E4AB second address: 45E4DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F64BC5223F0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4001C0 second address: 4001D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DB9Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4001D2 second address: 4001D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467561 second address: 467565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467565 second address: 46758C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F64BC5223F9h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46758C second address: 4675A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DBA1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4675A1 second address: 4675A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4675A5 second address: 4675C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DBA5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007F64BD03DB96h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467765 second address: 467774 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jng 00007F64BC5223E6h 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467774 second address: 46777A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46777A second address: 467780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467780 second address: 467784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467AB1 second address: 467ACA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 ja 00007F64BC5223E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F64BC5223EBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 467ACA second address: 467AD0 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46D477 second address: 46D494 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F8h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46D494 second address: 46D49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46EA10 second address: 46EA53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jmp 00007F64BC5223F9h 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F64BC5223EEh 0x0000001b mov eax, dword ptr [eax] 0x0000001d push edi 0x0000001e jnp 00007F64BC5223ECh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46EC17 second address: 46EC1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46EC1B second address: 46EC1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 46EC1F second address: 28E93F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xor dword ptr [esp], 16CE787Eh 0x0000000e pushad 0x0000000f jmp 00007F64BD03DB9Dh 0x00000014 jmp 00007F64BD03DB9Ch 0x00000019 popad 0x0000001a push dword ptr [ebp+122D0955h] 0x00000020 pushad 0x00000021 and si, 70A4h 0x00000026 popad 0x00000027 call dword ptr [ebp+122D17E8h] 0x0000002d pushad 0x0000002e jnc 00007F64BD03DBA7h 0x00000034 jmp 00007F64BD03DB9Ch 0x00000039 xor eax, eax 0x0000003b clc 0x0000003c mov edx, dword ptr [esp+28h] 0x00000040 jmp 00007F64BD03DBA5h 0x00000045 mov dword ptr [ebp+122D2BF1h], eax 0x0000004b jmp 00007F64BD03DB9Fh 0x00000050 jno 00007F64BD03DB9Ch 0x00000056 mov esi, 0000003Ch 0x0000005b stc 0x0000005c add esi, dword ptr [esp+24h] 0x00000060 clc 0x00000061 lodsw 0x00000063 mov dword ptr [ebp+122D19A3h], esi 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d sub dword ptr [ebp+122D19A3h], eax 0x00000073 mov ebx, dword ptr [esp+24h] 0x00000077 sub dword ptr [ebp+122D19A3h], esi 0x0000007d nop 0x0000007e jmp 00007F64BD03DB9Ch 0x00000083 push eax 0x00000084 push eax 0x00000085 push edx 0x00000086 push ebx 0x00000087 push ecx 0x00000088 pop ecx 0x00000089 pop ebx 0x0000008a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 472F4C second address: 472F58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 472F58 second address: 472F6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47322F second address: 473235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 473388 second address: 473392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F64BD03DB96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4736B0 second address: 4736BF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F64BC5223E6h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4736BF second address: 4736C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47395D second address: 473967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F64BC5223E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47A1EF second address: 47A1F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47A1F5 second address: 47A1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47A1FB second address: 47A200 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 478DA2 second address: 478DAC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 478DAC second address: 478DC4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64BD03DB98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F64BD03DB9Eh 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 478DC4 second address: 478DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BC5223F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4791C4 second address: 4791CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4791CA second address: 4791D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4795AD second address: 4795CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F64BD03DB96h 0x0000000e jmp 00007F64BD03DBA0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4795CB second address: 4795E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F64BC5223EEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4795E4 second address: 4795FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F64BD03DB9Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4795FA second address: 479606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 479606 second address: 479624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DBA6h 0x00000009 popad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 478ABA second address: 478AC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 478AC0 second address: 478AC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 40A247 second address: 40A265 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F64BC5223F2h 0x00000008 je 00007F64BC5223E6h 0x0000000e jp 00007F64BC5223E6h 0x00000014 push eax 0x00000015 push edx 0x00000016 jg 00007F64BC5223E6h 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 40A265 second address: 40A269 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 40A269 second address: 40A26F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47ED7D second address: 47ED81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47ED81 second address: 47EDAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F7h 0x00000007 jmp 00007F64BC5223F0h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47EEF6 second address: 47EEFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47F1D8 second address: 47F206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F64BC5223EFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47F206 second address: 47F20A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47E94B second address: 47E966 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007F64BC5223E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47F84A second address: 47F868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DB9Dh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d jnp 00007F64BD03DB96h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47F868 second address: 47F86D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47FC57 second address: 47FC74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F64BD03DB96h 0x0000000a pop ecx 0x0000000b jmp 00007F64BD03DB9Ch 0x00000010 popad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 47FC74 second address: 47FC78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4832F9 second address: 4832FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4832FF second address: 483308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 483308 second address: 483325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DBA8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 483325 second address: 48333F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48333F second address: 483355 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F64BD03DB96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F64BD03DB96h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 483355 second address: 483359 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 485F79 second address: 485F9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA8h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 488754 second address: 48875B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44372C second address: 443743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DBA3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 443743 second address: 443789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jo 00007F64BC5223F8h 0x0000000f pushad 0x00000010 jmp 00007F64BC5223EAh 0x00000015 jne 00007F64BC5223E6h 0x0000001b popad 0x0000001c nop 0x0000001d push esi 0x0000001e jbe 00007F64BC5223ECh 0x00000024 or dword ptr [ebp+122D1BA2h], ecx 0x0000002a pop edx 0x0000002b mov dx, cx 0x0000002e lea eax, dword ptr [ebp+124884A2h] 0x00000034 mov dword ptr [ebp+122D19DEh], edx 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 443789 second address: 44378D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 44378D second address: 443791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 443791 second address: 443797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 443958 second address: 443962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F64BC5223E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4441BA second address: 444209 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F64BD03DB98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F64BD03DBA0h 0x00000010 nop 0x00000011 and ecx, dword ptr [ebp+122D2955h] 0x00000017 push 00000004h 0x00000019 jnp 00007F64BD03DB9Ch 0x0000001f or dword ptr [ebp+1245A36Fh], ecx 0x00000025 nop 0x00000026 push edi 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F64BD03DBA9h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C0E8 second address: 48C0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F64BC5223E6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C0F3 second address: 48C0F8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C4ED second address: 48C4F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C663 second address: 48C679 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DBA2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C679 second address: 48C699 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F64BC5223F7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C699 second address: 48C69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48C69F second address: 48C6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnp 00007F64BC5223ECh 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4900D5 second address: 4900D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4900D9 second address: 4900DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4900DD second address: 4900E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48FB86 second address: 48FB8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48FE2B second address: 48FE36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F64BD03DB96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48FE36 second address: 48FE3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48FE3C second address: 48FE44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48FE44 second address: 48FE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 48FE50 second address: 48FE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 496143 second address: 496149 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 495EA0 second address: 495EB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DB9Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499661 second address: 499675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jno 00007F64BC5223E6h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499675 second address: 49969D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jo 00007F64BD03DB96h 0x0000000c pushad 0x0000000d popad 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F64BD03DBA7h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499826 second address: 49983A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223ECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49983A second address: 499855 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DBA7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499855 second address: 499859 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499859 second address: 499862 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499D2D second address: 499D33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 499D33 second address: 499D3D instructions: 0x00000000 rdtsc 0x00000002 jo 00007F64BD03DBA9h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FAF3 second address: 49FAF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FAF7 second address: 49FB0B instructions: 0x00000000 rdtsc 0x00000002 jno 00007F64BD03DB96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F64BD03DB96h 0x00000012 push eax 0x00000013 pop eax 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FB0B second address: 49FB1D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007F64BC5223ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FC94 second address: 49FC9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FC9A second address: 49FCB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FCB3 second address: 49FCB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FCB9 second address: 49FCBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FCBD second address: 49FCD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F64BD03DBA0h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FCD7 second address: 49FCDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FDDF second address: 49FE0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA6h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F64BD03DBA4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FE0F second address: 49FE1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F64BC5223E6h 0x0000000a jo 00007F64BC5223E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FE1F second address: 49FE38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c je 00007F64BD03DB9Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FE38 second address: 49FE4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F64BC5223EEh 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 49FE4E second address: 49FE54 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A6F23 second address: 4A6F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F64BC5223E6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F64BC5223EFh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A71FE second address: 4A7202 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A77AB second address: 4A77D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F7h 0x00000007 jmp 00007F64BC5223EBh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A7A8F second address: 4A7A93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A7A93 second address: 4A7AA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jo 00007F64BC5223E6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A7AA3 second address: 4A7AA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A7FD7 second address: 4A7FF8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F64BC5223F2h 0x0000000c jns 00007F64BC5223E6h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A7FF8 second address: 4A7FFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A8310 second address: 4A8315 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A9CCC second address: 4A9CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DBA8h 0x00000009 jmp 00007F64BD03DBA0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4A9CF8 second address: 4A9CFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4AF59F second address: 4AF5B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Eh 0x00000007 jne 00007F64BD03DB96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B351F second address: 4B3524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B285C second address: 4B288F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jmp 00007F64BD03DBA7h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F64BD03DB96h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jng 00007F64BD03DB96h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B288F second address: 4B28C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F64BC5223F8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F64BC5223F1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B28C0 second address: 4B28C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B28C6 second address: 4B28D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223EAh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B28D6 second address: 4B28DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B2CB0 second address: 4B2CB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B2CB6 second address: 4B2CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B2CBE second address: 4B2CC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B2FAC second address: 4B2FB2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B2FB2 second address: 4B2FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BC5223F1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B2FC7 second address: 4B2FCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B30FC second address: 4B310C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F64BC5223E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B3231 second address: 4B3235 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B3235 second address: 4B323D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B323D second address: 4B3252 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64BD03DBA0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B5628 second address: 4B562C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B562C second address: 4B5632 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B5632 second address: 4B5638 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4B5638 second address: 4B563E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BBFDB second address: 4BC000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F64BC5223E6h 0x0000000a pop edx 0x0000000b pushad 0x0000000c jmp 00007F64BC5223F7h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC156 second address: 4BC16B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F64BD03DB96h 0x0000000f jno 00007F64BD03DB96h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C3EE3 second address: 4C3EFB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F64BC5223E6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F64BC5223EAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C3891 second address: 4C38A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C38A0 second address: 4C38BD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F64BC5223F3h 0x00000010 jmp 00007F64BC5223EDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C3BCD second address: 4C3BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 jc 00007F64BD03DBCEh 0x0000000e pushad 0x0000000f jo 00007F64BD03DB96h 0x00000015 push edi 0x00000016 pop edi 0x00000017 jc 00007F64BD03DB96h 0x0000001d popad 0x0000001e pushad 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 jmp 00007F64BD03DB9Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4CABD0 second address: 4CABD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4CABD4 second address: 4CABE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4CABE0 second address: 4CABE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4CABE4 second address: 4CABE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 3F3FC0 second address: 3F3FC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D30BA second address: 4D30C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D30C2 second address: 4D30CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D30CB second address: 4D30CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D30CF second address: 4D30E8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F64BC5223E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F64BC5223EAh 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D30E8 second address: 4D30F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jnp 00007F64BD03DB96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D30F6 second address: 4D3112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F64BC5223E6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F64BC5223EBh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D3112 second address: 4D3116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D68D1 second address: 4D68DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4D68DD second address: 4D68E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4DC126 second address: 4DC146 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BC5223ECh 0x00000009 pop edi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F64BC5223EBh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4DC146 second address: 4DC154 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 js 00007F64BD03DB96h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4E0F77 second address: 4E0F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F64BC5223E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4E67E5 second address: 4E67E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4E67E9 second address: 4E6827 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F1h 0x00000007 jmp 00007F64BC5223F2h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 jnc 00007F64BC5223EEh 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 pop edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4E6656 second address: 4E6678 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Eh 0x00000007 jno 00007F64BD03DB96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007F64BD03DB9Eh 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4EE070 second address: 4EE0B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F5h 0x00000007 js 00007F64BC5223E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F64BC5223F4h 0x00000014 pop edx 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F64BC5223F0h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ECE50 second address: 4ECE54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ECFA8 second address: 4ECFC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F64BC5223EEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ECFC1 second address: 4ECFE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F64BD03DB9Fh 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F64BD03DB9Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ECFE8 second address: 4ECFF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223EBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ECFF9 second address: 4ECFFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ECFFD second address: 4ED007 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F64BC5223E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4ED16F second address: 4ED173 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F29BB second address: 4F2A01 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F64BC5223F1h 0x0000000a pop edx 0x0000000b jmp 00007F64BC5223EBh 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F64BC5223E6h 0x0000001b jmp 00007F64BC5223F9h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F2A01 second address: 4F2A13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F2A13 second address: 4F2A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F2A1D second address: 4F2A21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F2A21 second address: 4F2A25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F24CF second address: 4F24D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F24D3 second address: 4F24D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F24D7 second address: 4F24DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F24DD second address: 4F24FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F64BC5223F7h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4F24FA second address: 4F2516 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA7h 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 510A19 second address: 510A27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 510892 second address: 5108A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BD03DB9Bh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 5108A6 second address: 5108AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 51223A second address: 51223F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 51223F second address: 512245 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 512245 second address: 51224B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 514205 second address: 51420D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 513DA4 second address: 513DB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F64BD03DB96h 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 513DB3 second address: 513DB9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 513DB9 second address: 513DE7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F64BD03DBA0h 0x00000008 jbe 00007F64BD03DB96h 0x0000000e pop ecx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jnc 00007F64BD03DB9Eh 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 513F3D second address: 513F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52D3DF second address: 52D3EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52D3EB second address: 52D3FC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F64BC5223EAh 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52DA18 second address: 52DA28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 ja 00007F64BD03DB96h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52DA28 second address: 52DA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52DA37 second address: 52DA3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52DB94 second address: 52DBC3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F64BC5223EAh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop esi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007F64BC5223F6h 0x00000015 jmp 00007F64BC5223F0h 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 52DBC3 second address: 52DBC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 532341 second address: 532347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 5326C6 second address: 5326F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D198Eh], edi 0x0000000e push dword ptr [ebp+122D1D03h] 0x00000014 mov dx, 6B07h 0x00000018 call 00007F64BD03DB99h 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F64BD03DB9Eh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 5326F7 second address: 532701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F64BC5223E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 532701 second address: 53271F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 53271F second address: 53273B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 53273B second address: 532779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F64BD03DB96h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F64BD03DBA3h 0x00000011 pop eax 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F64BD03DBA8h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 5357DA second address: 5357DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 537317 second address: 537321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 537321 second address: 537325 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0CD3 second address: 4BC0CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DBA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0CEB second address: 4BC0D17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e jmp 00007F64BC5223F4h 0x00000013 push eax 0x00000014 push edx 0x00000015 mov bh, ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0D17 second address: 4BC0D1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0D1B second address: 4BC0D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F64BC5223F4h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00AA2 second address: 4C00AA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00AA6 second address: 4C00AAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00AAA second address: 4C00AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00AB0 second address: 4C00ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00ACD second address: 4C00AFC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F64BD03DBA3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00AFC second address: 4C00B02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00B02 second address: 4C00B6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F64BD03DBA9h 0x00000013 add cx, 4B56h 0x00000018 jmp 00007F64BD03DBA1h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F64BD03DBA0h 0x00000024 adc eax, 5F886D78h 0x0000002a jmp 00007F64BD03DB9Bh 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00B6C second address: 4C00B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00B70 second address: 4C00B8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00B8B second address: 4C00BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F64BC5223ECh 0x00000011 and al, 00000068h 0x00000014 jmp 00007F64BC5223EBh 0x00000019 popfd 0x0000001a push eax 0x0000001b push edx 0x0000001c mov cl, 0Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA012D second address: 4BA016E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movsx ebx, si 0x00000010 pushfd 0x00000011 jmp 00007F64BD03DBA4h 0x00000016 or ah, 00000038h 0x00000019 jmp 00007F64BD03DB9Bh 0x0000001e popfd 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA016E second address: 4BA0174 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0174 second address: 4BA019D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e call 00007F64BD03DBA9h 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA019D second address: 4BA01F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F64BC5223ECh 0x00000009 sub ax, F3F8h 0x0000000e jmp 00007F64BC5223EBh 0x00000013 popfd 0x00000014 mov dx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e movsx edx, cx 0x00000021 pushfd 0x00000022 jmp 00007F64BC5223F8h 0x00000027 or esi, 4D777D88h 0x0000002d jmp 00007F64BC5223EBh 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA01F7 second address: 4BA022A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F64BD03DBA7h 0x00000012 push dword ptr [ebp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 movsx ebx, si 0x0000001b mov eax, 3E740A73h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA022A second address: 4BA025E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, ax 0x00000006 pushfd 0x00000007 jmp 00007F64BC5223F0h 0x0000000c adc ax, 7D78h 0x00000011 jmp 00007F64BC5223EBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA025E second address: 4BA0262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0262 second address: 4BA0266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0266 second address: 4BA026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0298 second address: 4BA029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA029E second address: 4BA02A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0A48 second address: 4BC0AB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F64BC5223EEh 0x0000000f push eax 0x00000010 jmp 00007F64BC5223EBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F64BC5223F6h 0x0000001b mov ebp, esp 0x0000001d jmp 00007F64BC5223F0h 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 mov dl, BAh 0x00000028 movzx ecx, di 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0AB3 second address: 4BC0ABA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 26h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0577 second address: 4BC057D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC057D second address: 4BC0581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0581 second address: 4BC05C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F64BC5223EBh 0x00000015 sub ecx, 69DE289Eh 0x0000001b jmp 00007F64BC5223F9h 0x00000020 popfd 0x00000021 mov di, cx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC05C6 second address: 4BC05E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c mov ebx, ecx 0x0000000e pop eax 0x0000000f mov bx, CBBAh 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC05E9 second address: 4BC05ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC05ED second address: 4BC05F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC05F1 second address: 4BC05F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC05F7 second address: 4BC0646 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 pushfd 0x00000012 jmp 00007F64BD03DB9Fh 0x00000017 sub ah, 0000006Eh 0x0000001a jmp 00007F64BD03DBA9h 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0646 second address: 4BC064C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC064C second address: 4BC0650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0270 second address: 4BC02C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 pushfd 0x00000006 jmp 00007F64BC5223EBh 0x0000000b sbb eax, 34943C6Eh 0x00000011 jmp 00007F64BC5223F9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F64BC5223EEh 0x00000020 push eax 0x00000021 jmp 00007F64BC5223EBh 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC02C6 second address: 4BC02CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0F76 second address: 4BC0F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223F0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0F8A second address: 4BC0F99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0F99 second address: 4BC0F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0F9D second address: 4BC0FB0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C009D5 second address: 4C009E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223EBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C009E4 second address: 4C009E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C009E8 second address: 4C009FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov cl, bl 0x0000000e movzx esi, di 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C009FA second address: 4C00A26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64BD03DBA2h 0x00000008 mov esi, 594721E1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 mov ch, 2Ch 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00A26 second address: 4C00A3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223F2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00A3C second address: 4C00A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00A54 second address: 4C00A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00A58 second address: 4C00A5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BE0044 second address: 4BE0065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F64BC5223F4h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BE0065 second address: 4BE0069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BE0069 second address: 4BE006F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BE006F second address: 4BE00F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, EC98h 0x00000007 mov bx, 3A44h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F64BD03DBA3h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F64BD03DBA4h 0x0000001d or ah, 00000028h 0x00000020 jmp 00007F64BD03DB9Bh 0x00000025 popfd 0x00000026 call 00007F64BD03DBA8h 0x0000002b mov ch, BAh 0x0000002d pop edi 0x0000002e popad 0x0000002f mov eax, dword ptr [ebp+08h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F64BD03DBA9h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BD0CA7 second address: 4BD0CAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BD0CAD second address: 4BD0CB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BD0CB1 second address: 4BD0CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BD0EB3 second address: 4BD0EB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BD0EB9 second address: 4BD0EEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F64BC5223F6h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 call 00007F64BC5223EEh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C0024B second address: 4C00251 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00251 second address: 4C00298 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F64BC5223F2h 0x00000009 or ecx, 46F673C8h 0x0000000f jmp 00007F64BC5223EBh 0x00000014 popfd 0x00000015 mov bh, ah 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F64BC5223F7h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00298 second address: 4C0029E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C0029E second address: 4C002A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C002A2 second address: 4C002A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C002A6 second address: 4C002BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F64BC5223EAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C002BD second address: 4C002EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c jmp 00007F64BD03DBA9h 0x00000011 xchg eax, ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov esi, edx 0x00000017 movsx edx, si 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C002EC second address: 4C002F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C002F2 second address: 4C002F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C002F6 second address: 4C003A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d movsx edx, cx 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 xchg eax, ecx 0x00000015 pushad 0x00000016 pushad 0x00000017 mov di, 6266h 0x0000001b mov edi, 59003EF2h 0x00000020 popad 0x00000021 popad 0x00000022 mov eax, dword ptr [775165FCh] 0x00000027 pushad 0x00000028 call 00007F64BC5223EFh 0x0000002d pushfd 0x0000002e jmp 00007F64BC5223F8h 0x00000033 adc ah, 00000038h 0x00000036 jmp 00007F64BC5223EBh 0x0000003b popfd 0x0000003c pop esi 0x0000003d mov eax, ebx 0x0000003f popad 0x00000040 test eax, eax 0x00000042 jmp 00007F64BC5223EBh 0x00000047 je 00007F652EDB59D8h 0x0000004d pushad 0x0000004e jmp 00007F64BC5223EBh 0x00000053 popad 0x00000054 mov ecx, eax 0x00000056 jmp 00007F64BC5223F6h 0x0000005b xor eax, dword ptr [ebp+08h] 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C003A8 second address: 4C003AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C003AE second address: 4C00402 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 732427E6h 0x00000008 pushfd 0x00000009 jmp 00007F64BC5223F7h 0x0000000e and ax, A26Eh 0x00000013 jmp 00007F64BC5223F9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c and ecx, 1Fh 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F64BC5223EDh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00402 second address: 4C00408 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00408 second address: 4C0040C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C0040C second address: 4C00410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00410 second address: 4C0043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ror eax, cl 0x0000000a pushad 0x0000000b mov cx, di 0x0000000e push edx 0x0000000f mov di, si 0x00000012 pop eax 0x00000013 popad 0x00000014 leave 0x00000015 jmp 00007F64BC5223EFh 0x0000001a retn 0004h 0x0000001d nop 0x0000001e mov esi, eax 0x00000020 lea eax, dword ptr [ebp-08h] 0x00000023 xor esi, dword ptr [00282014h] 0x00000029 push eax 0x0000002a push eax 0x0000002b push eax 0x0000002c lea eax, dword ptr [ebp-10h] 0x0000002f push eax 0x00000030 call 00007F64C0EE282Dh 0x00000035 push FFFFFFFEh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C0043F second address: 4C00443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00443 second address: 4C00449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00449 second address: 4C00471 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F64BD03DBA0h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007F64C19FE008h 0x00000017 mov edi, edi 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00471 second address: 4C00475 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00475 second address: 4C00479 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C00479 second address: 4C0047F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C0047F second address: 4C0048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DB9Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C0048E second address: 4C00492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB009C second address: 4BB0121 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushfd 0x00000007 jmp 00007F64BD03DB9Bh 0x0000000c and ah, FFFFFF9Eh 0x0000000f jmp 00007F64BD03DBA9h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ecx 0x00000019 pushad 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F64BD03DB9Ah 0x00000021 add esi, 534C8798h 0x00000027 jmp 00007F64BD03DB9Bh 0x0000002c popfd 0x0000002d pushad 0x0000002e popad 0x0000002f popad 0x00000030 pushfd 0x00000031 jmp 00007F64BD03DBA6h 0x00000036 or si, B1F8h 0x0000003b jmp 00007F64BD03DB9Bh 0x00000040 popfd 0x00000041 popad 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0121 second address: 4BB0133 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0133 second address: 4BB0168 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 mov di, 8E70h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F64BD03DBA0h 0x00000016 and cx, 16B8h 0x0000001b jmp 00007F64BD03DB9Bh 0x00000020 popfd 0x00000021 push eax 0x00000022 pop edx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0168 second address: 4BB016E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB016E second address: 4BB01DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov si, 50F5h 0x0000000e jmp 00007F64BD03DBA2h 0x00000013 popad 0x00000014 mov dword ptr [esp], ebx 0x00000017 pushad 0x00000018 push eax 0x00000019 pushfd 0x0000001a jmp 00007F64BD03DB9Dh 0x0000001f sub cl, FFFFFFB6h 0x00000022 jmp 00007F64BD03DBA1h 0x00000027 popfd 0x00000028 pop esi 0x00000029 jmp 00007F64BD03DBA1h 0x0000002e popad 0x0000002f mov ebx, dword ptr [ebp+10h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F64BD03DB9Dh 0x00000039 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB01DC second address: 4BB022B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 2F251952h 0x00000008 push ebx 0x00000009 pop ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e jmp 00007F64BC5223F2h 0x00000013 mov dword ptr [esp], esi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F64BC5223EDh 0x0000001f adc cx, 6ED6h 0x00000024 jmp 00007F64BC5223F1h 0x00000029 popfd 0x0000002a mov di, cx 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB022B second address: 4BB0231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0231 second address: 4BB025E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F64BC5223F2h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB025E second address: 4BB0290 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, edi 0x00000008 jmp 00007F64BD03DBA8h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F64BD03DB9Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0290 second address: 4BB02A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02A5 second address: 4BB02AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02AB second address: 4BB02AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02AF second address: 4BB02B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02B3 second address: 4BB02C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02C2 second address: 4BB02C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02C6 second address: 4BB02CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02CA second address: 4BB02D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB02D0 second address: 4BB031E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007F64BC5223F6h 0x00000010 je 00007F652EE006FCh 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F64BC5223F7h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB031E second address: 4BB0324 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0324 second address: 4BB0371 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 jmp 00007F64BC5223F6h 0x00000017 je 00007F652EE006BFh 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F64BC5223F7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0371 second address: 4BB0389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BD03DBA4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0389 second address: 4BB03A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov edx, dword ptr [esi+44h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB03A3 second address: 4BB03A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB03A7 second address: 4BB03AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB03AB second address: 4BB03B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB03B1 second address: 4BB03DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F64BC5223F7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB03DB second address: 4BB0406 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop esi 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0406 second address: 4BB0438 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F64BC5223ECh 0x0000000b adc cl, 00000078h 0x0000000e jmp 00007F64BC5223EBh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 jne 00007F652EE00644h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov cx, bx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0438 second address: 4BB043D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB043D second address: 4BB0443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0443 second address: 4BB0447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0447 second address: 4BB044B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA07B9 second address: 4BA07ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 call 00007F64BD03DBA0h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F64BD03DBA7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA07ED second address: 4BA0805 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0805 second address: 4BA0861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F64BD03DBA4h 0x00000012 jmp 00007F64BD03DBA2h 0x00000017 pop ecx 0x00000018 call 00007F64BD03DB9Bh 0x0000001d pop edx 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F64BD03DBA1h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0861 second address: 4BA0867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0867 second address: 4BA086B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA086B second address: 4BA087B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA087B second address: 4BA0900 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F64BD03DBA1h 0x00000008 and ch, 00000076h 0x0000000b jmp 00007F64BD03DBA1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 pop edx 0x00000016 push eax 0x00000017 pop edi 0x00000018 popad 0x00000019 popad 0x0000001a xchg eax, ebx 0x0000001b jmp 00007F64BD03DBA4h 0x00000020 push eax 0x00000021 pushad 0x00000022 mov di, BB74h 0x00000026 popad 0x00000027 xchg eax, ebx 0x00000028 jmp 00007F64BD03DB9Fh 0x0000002d xchg eax, esi 0x0000002e pushad 0x0000002f mov ecx, 49A37F4Bh 0x00000034 mov cx, C527h 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F64BD03DBA8h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0900 second address: 4BA094E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov edx, ecx 0x0000000d pushad 0x0000000e mov eax, 3245A4CDh 0x00000013 pushfd 0x00000014 jmp 00007F64BC5223EAh 0x00000019 jmp 00007F64BC5223F5h 0x0000001e popfd 0x0000001f popad 0x00000020 popad 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F64BC5223EDh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0A6D second address: 4BA0ABE instructions: 0x00000000 rdtsc 0x00000002 mov si, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F64BD03DBA5h 0x0000000c mov ah, 06h 0x0000000e pop edx 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F64BD03DB9Fh 0x0000001a sbb al, 0000003Eh 0x0000001d jmp 00007F64BD03DBA9h 0x00000022 popfd 0x00000023 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0ABE second address: 4BA0ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov cx, B311h 0x0000000d popad 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0ADE second address: 4BA0AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0AE2 second address: 4BA0AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0AE6 second address: 4BA0AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0AEC second address: 4BA0B1B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F64BC5223EEh 0x00000008 mov eax, 23010DF1h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F64BC5223F3h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B1B second address: 4BA0B21 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B21 second address: 4BA0B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B25 second address: 4BA0B29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B29 second address: 4BA0B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, 3DE56F0Eh 0x00000011 movsx edx, cx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B3E second address: 4BA0B44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B44 second address: 4BA0B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F64BC5223F0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B72 second address: 4BA0B76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B76 second address: 4BA0B7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B7C second address: 4BA0B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B82 second address: 4BA0B92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+14h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0B92 second address: 4BA0B96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0C1B second address: 4BA0C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0C21 second address: 4BA0C34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, AA49h 0x00000007 mov al, A2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esp, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BA0C34 second address: 4BA0C51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F64BC5223F8h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0AB1 second address: 4BB0AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F64BD03DBA5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0AD8 second address: 4BB0ADE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0ADE second address: 4BB0AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0AE2 second address: 4BB0AE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0AE6 second address: 4BB0AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BB0AF5 second address: 4BB0B27 instructions: 0x00000000 rdtsc 0x00000002 mov bx, 2E04h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov bl, 26h 0x0000000a popad 0x0000000b pop ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F64BC5223F0h 0x00000014 xor cx, AEB8h 0x00000019 jmp 00007F64BC5223EBh 0x0000001e popfd 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C307A7 second address: 4C307EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F64BD03DB9Dh 0x0000000b adc cx, BD16h 0x00000010 jmp 00007F64BD03DBA1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F64BD03DB9Eh 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C307EB second address: 4C307EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C307EF second address: 4C307F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C307F3 second address: 4C307F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C307F9 second address: 4C3082D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F64BD03DBA2h 0x00000009 adc eax, 16BDF398h 0x0000000f jmp 00007F64BD03DB9Bh 0x00000014 popfd 0x00000015 mov dx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C3082D second address: 4C30831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C20982 second address: 4C20987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C20987 second address: 4C20995 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F64BC5223EAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C20995 second address: 4C209E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F64BD03DBA4h 0x00000014 sub eax, 653ABB38h 0x0000001a jmp 00007F64BD03DB9Bh 0x0000001f popfd 0x00000020 push eax 0x00000021 push edx 0x00000022 call 00007F64BD03DBA6h 0x00000027 pop eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C207CB second address: 4C20801 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F64BC5223EAh 0x00000013 or ch, FFFFFFB8h 0x00000016 jmp 00007F64BC5223EBh 0x0000001b popfd 0x0000001c mov ch, 76h 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C20801 second address: 4C20841 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F64BD03DBA0h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F64BD03DBA0h 0x00000016 pop ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C20841 second address: 4C20845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4C20845 second address: 4C2084B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0033 second address: 4BC0044 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0044 second address: 4BC0048 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0048 second address: 4BC004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC004E second address: 4BC0065 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DB9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0065 second address: 4BC0069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0069 second address: 4BC0084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BD03DBA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC0084 second address: 4BC00B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F64BC5223F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F64BC5223EDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC00B1 second address: 4BC00B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	RDTSC instruction interceptor: First address: 4BC00B7 second address: 4BC00BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Special instruction interceptor: First address: 28E9A1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Special instruction interceptor: First address: 43BD72 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Special instruction interceptor: First address: 4CB4E3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 77E9A1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 92BD72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 9BB4E3 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory allocated: 1490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory allocated: 2DD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 1690000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: 3090000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: 3240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: 5240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Memory allocated: A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Memory allocated: 23A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Memory allocated: 43A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Memory allocated: 1020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Memory allocated: 2980000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Memory allocated: 4A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Memory allocated: 11F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Memory allocated: 4DA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory allocated: 16B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory allocated: 1B0D0000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 1490000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 1AF20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory allocated: 2CA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory allocated: 2E40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory allocated: 4E40000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Code function: 0_2_04C201C7 rdtsc

0_2_04C201C7

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1691	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1233	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1231	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 1188	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 2120	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Window / User API: threadDelayed 709
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Window / User API: threadDelayed 1867
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Window / User API: threadDelayed 9588

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\JhCTEUiuPFSAmdKyCcGU.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fBzeZmUWdBgmhZfvjyDr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Evasive API call chain: GetLocalTime,DecisionNodes

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

graph_6-15479

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	API coverage: 1.5 %
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API coverage: 2.1 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2088	Thread sleep count: 75 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2088	Thread sleep time: -150075s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1460	Thread sleep count: 1691 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1460	Thread sleep time: -3383691s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4924	Thread sleep count: 188 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4924	Thread sleep time: -5640000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4424	Thread sleep count: 1233 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4424	Thread sleep time: -2467233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1660	Thread sleep time: -1080000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1492	Thread sleep count: 1231 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1492	Thread sleep time: -2463231s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe TID: 632	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5964	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 768	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe TID: 5548	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe TID: 6364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe TID: 6932	Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe TID: 7052	Thread sleep count: 709 > 30
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe TID: 7052	Thread sleep count: 1867 > 30
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe TID: 2796	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 3228	Thread sleep count: 9588 > 30
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 3228	Thread sleep time: -287640000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 6896	Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe TID: 5868	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe TID: 5284	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 352	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe TID: 4128	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 6392	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6708	Thread sleep time: -1680000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 4940	Thread sleep time: -540000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6404	Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 6708	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe TID: 4144	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0041B6DA FindFirstFileExW,	17_2_0041B6DA
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D1D9FD FindFirstFileExW,	22_2_00D1D9FD
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000AD9FD FindFirstFileExW,	23_2_000AD9FD

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00CE7C40 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

22_2_00CE7C40

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Documents\desktop.ini

Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	Binary or memory string: ParallelsVirtualMachine
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: 1.exe, 0000001C.00000000.2196888123.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	Binary or memory string: QEMUU
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2226001214.0000000001503000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2909495707.0000000001503000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2226482093.0000000001503000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000002.3186032635.0000000001507000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000002.3186032635.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 0000001A.00000002.3186032635.00000000014AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: GetSys.exe, 0000001E.00000002.2490414980.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj.v
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\
Source: BitLockerToGo.exe, 00000020.00000003.2456093433.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWmq
Source: RegAsm.exe, 0000000D.00000002.2119498645.00000000065FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: Amadeus.exe, 0000001F.00000002.2588617271.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8P
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegAsm.exe, 00000011.00000002.1984060520.0000000000479000.00000040.00000400.00020000.00000000.sdmp, muDv2ygaMe.exe, 00000012.00000000.1981672290.0000000000142000.00000002.00000001.01000000.0000000E.sdmp, muDv2ygaMe.exe.17.dr	Binary or memory string: HgFSVDCVdb86m2CfHM1
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0=
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Set-up[1].exe.6.dr	Binary or memory string: Disc_Soft_Ltd.vscode-insidersanaconda3CapCut\ProfilesRoaming\SUPERAntiSpywaregecko_cacheTikTok LIVE StudioPioneerOlkfluency\*webapp100bitNVIDIA CorporationLenovoServiceBridgeFree_PDF_SolutionsVMware2K GamesProgram FilesProgram Files (x86)ScratchibnejdfjmmkpcnlpebklmnkoeoihofecCPU: UserName (ComputerName):
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: runtime.exe, 00000023.00000002.2559109752.000000000137C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllrr
Source: axplong.exe, axplong.exe, 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: joffer2.exe, 0000001B.00000003.2968115769.00000000014C0000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2266783074.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2538323147.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2951051541.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2542531394.00000000014B4000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2303951126.00000000014B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW-
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: ER1CZAgbcY.exe, 00000014.00000002.2150417823.00000000066D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: Amadeus.exe, 00000025.00000002.2656863801.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 0000002C.00000002.3939127616.00000000012F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: joffer2.exe.24.dr	Binary or memory string: leveldbwalletsInputPersonalizationMSBuildinputGameDVRCitra\com.liberty.jaxxAdvinstAnalyticsVMwareEthereum (UTC)3D ObjectsG HUBEAConnect_microsoftlghubBlack Sea StudiosCrystal Dynamics$
Source: svchost015.exe, 0000001D.00000002.2273964707.0000000000B6B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWY
Source: joffer2.exe, 0000001B.00000003.2315047685.00000000031CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000024D0000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,
Source: 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	Binary or memory string: xmlphpvlczpl wpl xpacketimport hrefXML:NAMESPACEaid DOCTYPE ELEMENT ENTITY -- <mdb:mork:zAFDR aom saved from url=(-->xmlns=jobwmlRDFnzbsvgkmlgpxCaRxslJDFrssRSStagTAGXMIlmxloclogIMGtmxosmX3DVERCFLRCCncxxbkSCFrtcpseSDOmapnviofcasxdivLogopmlsmilrootpgmlxfdfXFDLBASEtei2xbeljnlpdgmlfeedFEEDinfobeancasevxmlsesxnotesitetasklinkxbrlGAEBXZFXFormqgisSMAIHDMLjsonpsplbodyheadmetadictdocuembedplistTEI.2xliffformsQBXMLTypeseaglehtml5myapptablestyleentrygroupLXFMLwindowdialogSchemaschemacommonCanvaslayoutobjectFFDataReporttaglibARCXMLgnc-v2modulerobloxXDFV:4Xara3DLayoutRDCManattachwidgetreportSchemewebbuyloaderdeviceRDF:RDFweb:RDFoverlayprojectProjectabiwordxdp:xdpsvg:svgCOLLADASOFTPKGfo:rootlm:lmxarchivecollagelibraryHelpTOCpackagesiteMapen-noteFoundryweblinkReportssharingWebPartTestRunpopularsnippetwhpropsQBWCXMLcontentkml:kmlSDOListkDRouteFormSetactionslookupssectionns2:gpxPaletteCatalogProfileTreePadMIFFileKeyFilepayloadPresetsstringsdocumentDocumentNETSCAPEmetalinkresourcenewsItemhtmlplusEnvelopeplandatamoleculelicensesDatabasebindingsWorkbookPlaylistBookFileTimeLinejsp:rootbrowsersfotobookMTSScenemessengercomponentc:contactr:licensex:xmpmetadiscoveryERDiagramWorksheetcrickgridHelpIndexWinampXMLrecoIndexTomTomTocen-exportAnswerSetwinzipjobmuseScorePHONEBOOKm:myListsedmx:EdmxYNABData1workspacePlacemarkMakerFileoor:itemsscriptletcolorBookSignaturexsd:schemadlg:windowFinalDraftVirtualBoxTfrxReportVSTemplateWhiteboardstylesheetBurnWizarddictionaryPCSettingsRedlineXMLBackupMetaxbrli:xbrlFontFamilys:WorkbookFictionBookdia:diagramdefinitionsNmfDocumentSnippetRootSEC:SECMetanet:NetfileCustSectionDieCutLabelPremierDataUserControljsp:includess:Workbookapplicationjsp:useBeancfcomponentparticipantSessionFilejasperReporthelpdocumentxsl:documentxsl:templatePremiereDataSettingsFileCodeSnippetsFileInstancetpmOwnerDataDataTemplateProject_DataTfrReportBSAnote:notepadFieldCatalogUserSettingsgnm:WorkbookLIBRARY_ITEMDocumentDatamso:customUIpicasa2albumrnpddatabasepdfpreflightrn-customizecml:moleculemuveeProjectRelationshipsVisioDocumentxsl:transformD:multistatusKMYMONEY-FILEBackupCatalogfile:ManifestPocketMindMapDiagramLayoutannotationSetLEAPTOFROGANSpublic:attachsoap:EnvelopepersistedQuerymx:ApplicationOverDriveMediaasmv1:assemblyHelpCollectionQvdTableHeaderSCRIBUSUTF8NEWw:wordDocumentPADocumentRootConfigMetadataBorlandProjectDTS:ExecutableMMC_ConsoleFilelibrary:libraryglade-interfacerg:licenseGroupdisco:discoveryAdobeSwatchbookaudacityprojectoffice:documentCoolpixTransfersqueeze_projectwirelessProfileProjectFileInfowsdl:definitionsScrivenerProjectfulfillmentTokenkey:presentationdynamicDiscoverylibrary:librariesClickToDvdProjectDataCladFileStorechat_api_responseMyApplicationDataKeyboardShortcutsDeepBurner_recordXmlTransformationdata.vos.BudgetVOIRIDASCompositionpresentationClipsoor:component-datalibraryDescriptionPowerShellMetadataResourceDictionaryxsf:xDocumentClassoffice:color-tableVisualStudioProjectActiveReportsLayoutwap-provisioningdocAfterEffectsProjectoor:component-sch
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: BitLockerToGo.exe, 00000026.00000002.2598623828.000000000094B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe, 00000000.00000002.1541241528.0000000000419000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.1579435781.0000000000909000.00000040.00000001.01000000.00000008.sdmp, axplong.exe, 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002F5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Code function: 0_2_04C201C7 rdtsc

0_2_04C201C7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_06FF3E78 LdrInitializeThunk,

13_2_06FF3E78

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 17_2_00407AF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

17_2_00407AF1

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 25_2_00D44610 VirtualProtect ?,00000004,00000100,00000000

25_2_00D44610

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00D0BDF9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

22_2_00D0BDF9

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0074645B mov eax, dword ptr fs:[00000030h]	6_2_0074645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_0074A1C2 mov eax, dword ptr fs:[00000030h]	6_2_0074A1C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0041913C mov eax, dword ptr fs:[00000030h]	17_2_0041913C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00411496 mov ecx, dword ptr fs:[00000030h]	17_2_00411496
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D1A0F2 mov eax, dword ptr fs:[00000030h]	22_2_00D1A0F2
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D1638B mov eax, dword ptr fs:[00000030h]	22_2_00D1638B
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000AA0F2 mov eax, dword ptr fs:[00000030h]	23_2_000AA0F2
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000A638B mov eax, dword ptr fs:[00000030h]	23_2_000A638B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_00D59160 mov eax, dword ptr fs:[00000030h]	25_2_00D59160

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 17_2_0041EFC8 GetProcessHeap,

17_2_0041EFC8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00407AF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_00407AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00407C53 SetUnhandledExceptionFilter,	17_2_00407C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_00407D65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00407D65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 17_2_0040DD68 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0040DD68
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D1690E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00D1690E
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CFD048 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	22_2_00CFD048
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CFDA05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	22_2_00CFDA05
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CFDB6A SetUnhandledExceptionFilter,	22_2_00CFDB6A
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_0008D048 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	23_2_0008D048
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_000A690E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_000A690E
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_0008DA05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	23_2_0008DA05
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_00D5C8D9 SetUnhandledExceptionFilter,	25_2_00D5C8D9
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_00D5ACFA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_00D5ACFA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_00D5A718 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_00D5A718
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8CB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	25_2_6C8CB66C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C8CB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_6C8CB1F7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA7AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	25_2_6CA7AC62

Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1.exe PID: 7056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5908, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe, type: DROPPED

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\1000238002\Amadeus.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\1000238002\Amadeus.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe

Code function: 9_2_02F92555 CreateProcessA,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,VirtualAllocEx,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,

9_2_02F92555

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: GetSys.exe, 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 115D008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 50B000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E99008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 63E000
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 7DD008
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 438000
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 43B000
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 44A000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 719008
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 441000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 444000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 452000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 464000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46C000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 649008
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 31AE008
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 441000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 444000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D62008

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe "C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\1.exe "C:\Users\user\AppData\Local\Temp\1000191001\1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe "C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000241001\build.exe "C:\Users\user\AppData\Local\Temp\1000241001\build.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe "C:\Users\user\AppData\Roaming\muDv2ygaMe.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe "C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe "C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Process created: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\1.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe "C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c copy "c:\users\user\appdata\local\temp\1000243001\runtime.exe" "c:\users\user\pictures\lighter tech\runtime.exe" && schtasks /create /sc minute /mo 1 /tn "runtime" /tr "c:\users\user\pictures\lighter tech\runtime.exe" /f
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c copy "c:\users\user\appdata\local\temp\1000243001\runtime.exe" "c:\users\user\pictures\lighter tech\runtime.exe" && schtasks /create /sc minute /mo 1 /tn "runtime" /tr "c:\users\user\pictures\lighter tech\runtime.exe" /f

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 25_2_6CAC4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

25_2_6CAC4760

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 25_2_6C9A1C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

25_2_6C9A1C30

Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000025F9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: axplong.exe, axplong.exe, 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmp	Binary or memory string: 5nProgram Manager
Source: muDv2ygaMe.exe, 00000012.00000002.2002797684.00000000025F9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000021.00000002.2475331078.0000000002FFA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_0072D312 cpuid

6_2_0072D312

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	17_2_0041E815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	17_2_00414128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	17_2_0041EA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	17_2_0041EB91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	17_2_0041E402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	17_2_0041EC97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	17_2_0041ED66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	17_2_0041E5FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	17_2_0041464E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	17_2_0041E6EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	17_2_0041E6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	17_2_0041E78A

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\1000238002\Amadeus.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\1000238002\Amadeus.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000241001\build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000241001\build.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Queries volume information: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000012001\setup2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000241001\build.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Queries volume information: C:\Users\user\Pictures\Lighter Tech\runtime.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_0072CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_0072CB1A

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00CEAC50 GetUserNameA,CoInitialize,GetLocalTime,CoInitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,

22_2_00CEAC50

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00D22307 _free,_free,_free,GetTimeZoneInformation,_free,

22_2_00D22307

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 22_2_00CE7C40 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

22_2_00CE7C40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: crypted.exe, 00000009.00000002.1947873658.0000000001075000.00000004.00000020.00020000.00000000.sdmp, crypted.exe, 0000002D.00000002.2596667334.00000000011C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: axplong.exe, 00000006.00000002.3941033997.00000000013CC000.00000004.00000020.00020000.00000000.sdmp, crypted.exe, 00000009.00000002.1947873658.0000000001075000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, crypted.exe, 0000002D.00000002.2596667334.00000000011C1000.00000004.00000020.00020000.00000000.sdmp, crypted.exe.6.dr	Binary or memory string: AVP.exe
Source: RegAsm.exe, 0000000D.00000002.2085813052.000000000151E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000000D.00000002.2119065541.00000000065C3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 23.2.Hkbsse.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.0.Hkbsse.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.0.Hkbsse.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1daf0324.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.Nework.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1323f558.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.Nework.exe.ce0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1daf0324.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1323f558.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1323f87c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 40.2.AppLaunch.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.Hkbsse.exe.70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1daf0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.1323f87c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 35.2.runtime.exe.131c1b20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000000.2008973826.0000000000071000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2609308568.00000000131C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1579348090.0000000000711000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3937835844.0000000000071000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.2003355241.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.3937747782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1911621771.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1539084353.0000000005090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.2651827464.000000001DAF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1486966046.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000000.2024822913.0000000000071000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1541104272.0000000000221000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2011664885.0000000000071000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, type: DROPPED

Yara detected Clipboard Hijacker

Source: Yara match	File source: 0000001A.00000003.3140000961.0000000003E8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000003.3297043789.0000000001564000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: joffer2.exe PID: 2748, type: MEMORYSTR

Yara detected CryptOne packer

Source: Yara match

File source: 0000001C.00000002.2269545389.0000000003199000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: joffer2.exe PID: 2748, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 37.2.Amadeus.exe.1610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.238e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Amadeus.exe.1706000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.238e000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.254c000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.254c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Amadeus.exe.1610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Amadeus.exe.1706000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2688945254.0000000001706000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2725651381.0000000001610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2626655297.000000000254C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2661614424.0000000001494000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2627787489.0000000001552000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2496293194.00000000020BC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2582962886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2474240837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 33.0.build.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.muDv2ygaMe.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1984060520.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1981672290.0000000000142000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2421089096.0000000000A82000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 17.2.RegAsm.exe.436060.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.crypted.exe.3f95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.crypted.exe.3f95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.crypted.exe.3e45570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.ER1CZAgbcY.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.436060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1948777736.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2654323842.0000000003E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1982243767.00000000007C2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2084760629.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crypted.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: muDv2ygaMe.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ER1CZAgbcY.exe PID: 2548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 2288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: crypted.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5908, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5380, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 33.0.build.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.muDv2ygaMe.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\.ll
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets\.*
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: JaxxE#
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\window-state.json
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\\exodus.conf.json
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\window-state.json
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco=
Source: stealc_default2.exe, 00000019.00000002.2211354116.0000000000D7C000.00000004.00000001.01000000.00000016.sdmp	String found in binary or memory: ElectrumLTC
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.json
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstoragej
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Ethereum\\keystore
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsonic<
Source: RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\jaxx\Local Storage\file__0.localstoragej
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\.C
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet.*
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\Exodus\exodus.wallet\\info.seco=
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\seed.seco
Source: RegAsm.exe, 00000011.00000002.1984060520.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\.\|
Source: stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: Yara match	File source: 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ER1CZAgbcY.exe PID: 2548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: joffer2.exe PID: 2748, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 0000001C.00000002.2269545389.0000000003199000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 5784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: joffer2.exe PID: 2748, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 37.2.Amadeus.exe.1610000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.238e000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Amadeus.exe.1706000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.238e000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.254c000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.BitLockerToGo.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.GetSys.exe.254c000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BitLockerToGo.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 37.2.Amadeus.exe.1610000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.Amadeus.exe.1706000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2688945254.0000000001706000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2725651381.0000000001610000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2626655297.000000000254C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2661614424.0000000001494000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2627787489.0000000001552000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2496293194.00000000020BC000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2582962886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2474240837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Yara detected PureLog Stealer

Source: Yara match	File source: 33.0.build.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.muDv2ygaMe.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.1984060520.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1981672290.0000000000142000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2421089096.0000000000A82000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 17.2.RegAsm.exe.436060.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.crypted.exe.3f95570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.crypted.exe.3f95570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.crypted.exe.3e45570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.ER1CZAgbcY.exe.7c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.436060.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1948777736.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.2654323842.0000000003E64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1982243767.00000000007C2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2084760629.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: crypted.exe PID: 6696, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 5500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: muDv2ygaMe.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ER1CZAgbcY.exe PID: 2548, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: build.exe PID: 2288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: crypted.exe PID: 7060, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5908, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5380, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 33.0.build.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.muDv2ygaMe.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.RegAsm.exe.482060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00CE2400 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	22_2_00CE2400
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D0EAA8 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	22_2_00D0EAA8
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 22_2_00D0DDB1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	22_2_00D0DDB1
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_0009EAA8 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	23_2_0009EAA8
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Code function: 23_2_0009DDB1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	23_2_0009DDB1
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA80C40 sqlite3_bind_zeroblob,	25_2_6CA80C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA80D60 sqlite3_bind_parameter_name,	25_2_6CA80D60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9A8EA0 sqlite3_clear_bindings,	25_2_6C9A8EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6CA80B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	25_2_6CA80B40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9AC030 sqlite3_bind_parameter_count,	25_2_6C9AC030
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9AC050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	25_2_6C9AC050
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9A6070 PR_Listen,	25_2_6C9A6070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9322D0 sqlite3_bind_blob,	25_2_6C9322D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 25_2_6C9A63C0 PR_Bind,	25_2_6C9A63C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	11 Scheduled Task/Job	512 Process Injection	11 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	11 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Command and Scripting Interpreter	Login Hook	11 Registry Run Keys / Startup Folder	1 Install Root Certificate	NTDS	359 System Information Discovery	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Scheduled Task/Job	Network Logon Script	Network Logon Script	23 Software Packing	LSA Secrets	1091 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	471 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	512 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	61%	ReversingLabs	Win32.Ransomware.RedLine
SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	100%	Avira	TR/Crypt.TPM.Gen
SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\1000238002\Amadeus.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Amadeus[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\crypteda[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\1000238002\Amadeus.exe	37%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\1[1].exe	38%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\GetSys[1].exe	46%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted[1].exe	83%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe	96%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\Set-up[1].exe	58%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe	58%	ReversingLabs	Win32.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\crypteda[1].exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Amadeus[1].exe	37%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe	100%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\runtime[1].exe	34%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	100%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe	83%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	100%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	96%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe	58%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000191001\1.exe	38%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe	46%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000241001\build.exe	58%	ReversingLabs	Win32.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	34%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	61%	ReversingLabs	Win32.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\JhCTEUiuPFSAmdKyCcGU.dll	11%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\svchost015.exe	4%	ReversingLabs
C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe	92%	ReversingLabs	ByteCode-MSIL.Trojan.Whispergate
C:\Users\user\AppData\Roaming\muDv2ygaMe.exe	92%	ReversingLabs	Win32.Spyware.Multiverze
C:\Users\user\Pictures\Lighter Tech\runtime.exe	34%	ReversingLabs	Win32.Trojan.Generic

Name	Malicious	Antivirus Detection	Reputation
http://91.202.233.158/e96ea2db21fa9a1b.php	true
analforeverlovyu.top	true
stamppreewntnq.shop	true
95.179.250.45:26212	true

URLs from Memory and Binaries

Name	Source	Malicious
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000020.00000003.2456024901.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2456093433.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000959000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp	false
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp, 1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, 1.exe.6.dr, 1[1].exe.6.dr	false
http://ddl.safone.dev/3846244/1.exe?hash=AgADek	axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	false
http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDB	axplong.exe, 00000006.00000002.3941033997.0000000001426000.00000004.00000020.00020000.00000000.sdmp	false
http://ddl.safone.dev/3846636/Set-up.exe?hash=AgADDBeaed	axplong.exe, 00000006.00000002.3941033997.0000000001395000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/214f815db3496a3a9a731e9f3eeba476ea0e17e76#	axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/f1ddeb6592c03206/mozglue.dllWv	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://www.x-ways.net/winhex/subscribe-d.htmlU	1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	false
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://sevxv17pn.top:80/v1/upload.php	joffer2.exe, 0000001B.00000003.2303951126.00000000014AA000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/f1ddeb6592c03206/softokn3.dllKv	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp	false
http://ddl.safone.dev/3823166/crypted.exe?hash=AgADZlqos.dll	axplong.exe, 00000006.00000002.3941033997.000000000137F000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000006.00000002.3941033997.000000000140B000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php3A	stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
https://api.ip.sb/ip	build.exe, 00000021.00000002.2475331078.0000000002E3E000.00000004.00000800.00020000.00000000.sdmp, crypted.exe, 0000002D.00000002.2654323842.0000000003E64000.00000004.00000800.00020000.00000000.sdmp	false
https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection	1.exe, 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp	false
http://185.215.113.19/CoreOPT/index.php369.jpg	AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false
https://locatedblsoqp.shop/apiOs	BitLockerToGo.exe, 00000020.00000002.2486647276.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php	AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2263669528.00000000032FB000.00000004.00000020.00020000.00000000.sdmp, joffer2.exe, 0000001B.00000003.2314097440.00000000031BB000.00000004.00000020.00020000.00000000.sdmp, CAAAAFBK.25.dr	false
http://185.215.113.19/CoreOPT/index.php?scr=1c	AppLaunch.exe, 00000028.00000002.3950662047.0000000007A90000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/3405117-2476756634-10039)	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000020.00000003.2456024901.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000020.00000003.2456093433.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543520838.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000959000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
https://locatedblsoqp.shop:443/api	BitLockerToGo.exe, 00000026.00000003.2543717376.0000000000972000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php5	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://fivexv5vs.top/v1/upload.phpao	Set-up.exe, 0000001A.00000003.2226001214.00000000014E8000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 0000001A.00000003.2226204284.00000000014EC000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php-	stealc_default2.exe, 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php?scr=1AF	AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpE	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php9	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpQ	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
https://transfer.adminforge.de/get/5dfLDESaxz/crypted.exe6789	AppLaunch.exe, 00000028.00000002.3940385031.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://91.202.233.158D4v	svchost015.exe, 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpI	stealc_default2.exe, 00000019.00000002.2212357774.00000000010E7000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpv	Hkbsse.exe, 00000018.00000002.3939638853.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpu	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
https://millyscroqwp.shop/(	BitLockerToGo.exe, 00000026.00000002.2598623828.0000000000953000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php?scr=1FC	AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php81001	AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://fivexv5vs.top/v1/upload.php	Set-up.exe, 0000001A.00000003.2896925548.00000000014E8000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpR	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpU	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000AD7000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php?scr=19	AppLaunch.exe, 00000028.00000002.3940385031.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13Response	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpe	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegAsm.exe, 0000000D.00000002.2087513413.0000000003441000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false
http://154.216.17.170/joffer2.exe69c8c83ebf0f2	Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php?scr=1oreOPT/index.php	AppLaunch.exe, 00000028.00000002.3940385031.0000000000C83000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php0	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id4ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php5	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php:	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/inc/runtime.exef62	axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id22ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.00000000037F1000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002BF9000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.19/ProlongedPortable.dll	runtime.exe, 00000023.00000002.2598170248.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002C.00000002.3947221893.0000000002F21000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id16ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id19ResponseD	RegAsm.exe, 0000000D.00000002.2087513413.0000000003765000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpE	Hkbsse.exe, 00000018.00000002.3939638853.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 00000018.00000002.3939638853.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/inc/runtime.exeS	axplong.exe, 00000006.00000002.3941033997.00000000013E5000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc	RegAsm.exe, 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, ER1CZAgbcY.exe, 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.202.233.158	unknown	Russian Federation	9009	M247GB	true
185.215.113.26	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
194.87.248.136	unknown	Russian Federation	20853	ETOP-ASPL	false
185.215.113.19	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
95.179.250.45	unknown	Netherlands	20473	AS-CHOOPAUS	true
176.9.8.206	unknown	Germany	24940	HETZNER-ASDE	false
52.212.52.84	unknown	United States	16509	AMAZON-02US	false
65.21.18.51	unknown	United States	199592	CP-ASDE	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
195.133.48.136	unknown	Russian Federation	48347	MTW-ASRU	false
147.45.60.44	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
154.216.17.170	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1502862
Start date and time:	2024-09-02 12:24:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 17m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@70/71@0/14
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Successful, ratio: 79% Number of executed functions: 274 Number of non-executed functions: 125
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe, PID 4268 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7092 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Simulations

Behavior and APIs

Time	Type	Description
06:26:01	API Interceptor	5592034x Sleep call for process: axplong.exe modified
06:26:12	API Interceptor	521061x Sleep call for process: Hkbsse.exe modified
06:26:16	API Interceptor	18x Sleep call for process: RegAsm.exe modified
06:26:20	API Interceptor	17x Sleep call for process: ER1CZAgbcY.exe modified
06:26:31	API Interceptor	3x Sleep call for process: Set-up.exe modified
06:26:35	API Interceptor	3x Sleep call for process: joffer2.exe modified
06:26:55	API Interceptor	2x Sleep call for process: BitLockerToGo.exe modified
06:26:58	API Interceptor	3x Sleep call for process: runtime.exe modified
06:27:00	API Interceptor	289720x Sleep call for process: AppLaunch.exe modified
12:25:20	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
12:26:12	Task Scheduler	Run new task: Hkbsse path: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
12:26:49	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Amadeus.exe C:\Users\user\1000238002\Amadeus.exe
12:26:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Amadeus.exe C:\Users\user\1000238002\Amadeus.exe
12:27:04	Task Scheduler	Run new task: runtime path: C:\Users\user\Pictures\Lighter s>Tech\runtime.exe
12:27:13	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce runtime C:\Users\user\Pictures\Lighter Tech\runtime.exe
12:27:24	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce runtime C:\Users\user\Pictures\Lighter Tech\runtime.exe

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1373607036346451
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:	64BCCF32ED2142E76D142DF7AAC75730
SHA1:	30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:	B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:	0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAAAAFBKFIECAAKECGCAAKJECB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CGIDAAAKJJDBGCBFCBGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DAAAFBKECAKEHIEBAFIE

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DGCBAFIJDGHCAKECAEGCAAKEHD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8475592208333753
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:	BE99679A2B018331EACD3A1B680E3757
SHA1:	6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:	C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:	9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FCAFIJJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FHCAEGCBFHJDGCBFHDAFBAFIII

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03708713717387235
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxW/Hy4XJwvnzfXfYf6zfTfN/0DApVJCI:58r54w0VW3xW/bXWzvACzbJ0DApVJ
MD5:	85D6E1D7F82C11DAC40C95C06B7B5DC5
SHA1:	96EA790BA7A295D78AD5A5019D7EA5E9E8F4B0BD
SHA-256:	D9AD18D2A91CB42FD55695B562D76337BBB4A6AEB45D28C4554297B4EE0DC800
SHA-512:	5DD2B75138EFB9588E14997D84C23C8225F9BFDCEA6A2A1D542AD2C6728484E7E578F06C4BA238853EAD9BE5F9A7CCCF7B2B49A0583FF93D67F072F2C5165B14
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HJKKFIJKFCAKJJJKJKFI

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1765), with CRLF line terminators
Category:	dropped
Size (bytes):	9976
Entropy (8bit):	5.499944288613473
Encrypted:	false
SSDEEP:	192:NzKneRdpYbBp6znmUzaX/6aRMKWPzDNBw8DK9mSl:Nz5eUmUtgmrwbw0
MD5:	42594FD09C4DF3B174CF5D59B1CAB13A
SHA1:	1B78FEB748C36A592C468A76BB60E98187D7BE4A
SHA-256:	F8B55E3B04E0A59BB745C43763D8FBC1CFFDBC247B5525A489B4B74A57319393
SHA-512:	E2430AB14ADF2EF1CC2CB1F96DEADAFB3598B803A5E7724FDDB68ACF015D7E052291626A3D100FED902731DBFD10A9AE3387581AD2867F64D0B27E8D51B9069F
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "38829aa4-f57e-4fd8-bfd3-d094d57ae30f");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696493966);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696493970);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Thu Oct 5 07:36:34 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.45753392932508
Encrypted:	false
SSDEEP:	48:8SUZ0dYTcltnRYrnvPdAKRkdAGdAKRFdAKR1:8SUZ7IS
MD5:	238D3344CB2022299E290C03D5516971
SHA1:	0B71A2A97BE4FB7FFE6AA70E6D1A089D1DEC38CD
SHA-256:	BFF754DABAB598B516149C3CDD3FC8EB806DD00836EC46EAE994ED6D4D1397A9
SHA-512:	8A33B5F7BBEE433774C4666E3FED9B5E172A6B1690B5BEFD1C0057B3F8AD2704252D745E1BB57569B1EA635A583006BE94B7364BA5193B46A2E3B646F9813784
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......,....WhP.g......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....EW)C..PROGRA~1..t......O.IEWqD....B...............J.....V...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VEW+B....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VEW+B....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VEW @..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VEW.D..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\1000238002\Amadeus.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5562368
Entropy (8bit):	6.39372886031857
Encrypted:	false
SSDEEP:	49152:NXJxAIQfc7wXnJu1U30/jo5UJZUntHvVkgKJswamhqp1ROjyj/2wW0j94lNI/pB+:BAIdik7/junt/2wr3/
MD5:	36A627B26FAE167E6009B4950FF15805
SHA1:	F3CB255AB3A524EE05C8BAB7B4C01C202906B801
SHA-256:	A2389DE50F83A11D6FE99639FC5C644F6D4DCEA6834ECBF90A4EAD3D5F36274A
SHA-512:	2133ABA3E2A41475B2694C23A9532C238ABAB0CBAE7771DE83F9D14A8B2C0905D44B1BA0B1F7AAE501052F4EBA0B6C74018D66C3CBC8E8E3443158438A621094
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........R...............$..l....... ........J...@...........................W.......U...@...................................R.L.....T.......................R......................................................J..............................text...x.$.......$................. ..`.rdata..d.%...$...%...$.............@..@.data...`.....J.......J.............@....idata..L.....R.......P.............@....reloc........R......$P.............@..B.symtab.......T.......R................B.rsrc.........T.......R.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ER1CZAgbcY.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\build.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000241001\build.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\muDv2ygaMe.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\muDv2ygaMe.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\1[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3639176
Entropy (8bit):	7.398157669285365
Encrypted:	false
SSDEEP:	98304:H+sv/t4BT7/Z/U6NVQFamv1oOgEoYYkTZ9:H+it4x7RcsmFxv+OgEoYvTZ9
MD5:	17D51083CCB2B20074B1DC2CAC5BEA36
SHA1:	0A046864AD4304F63DBDE5AC14D3DC05CFB48D46
SHA-256:	681EEECECD77EB1433111641C33C8424EAF2C1265E2D4A7E4D6F023865FB5D94
SHA-512:	7DA8A2FD0321231C17FDDF414BF1D5A03D71DBC619F68958FF1D167003F972920F0F3C830B8A25AA715DF4FCC044D88D739B6EAB115A5B0B0A53852A70F4238A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................H....2......V.......`....@...........................7.......7..........@............................... ...P...v1..........f7..!......Dd..................................................................................CODE....`F.......H.................. ..`DATA....d....`.......L..............@...BSS.....Q............f...................idata... ......."...f..............@....tls.....................................rdata..............................@..P.reloc..Dd.......f..................@..P.rsrc....v1..P...v1.................@..P..............7......f7.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\58P5KO4N\joffer2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6692483
Entropy (8bit):	6.623590781025775
Encrypted:	false
SSDEEP:	98304:CpRHlLqhLzrgp+4/9Ec+NrtzUdQ/+goNvwv0lkU:URHpqJr4+4lhGxwGdoNS0lkU
MD5:	1D99EB774773EA9F2E71E0A2E2DABC59
SHA1:	22EA95F6E679A7579EC4F8D51F2501B0F8B692D5
SHA-256:	5511F3EDEA868F08ADC5D40AA22B52D3299E4C3B9F3D21735CF905781B575A9F
SHA-512:	95A9B6527AF9DC320F8B01C369B266917E19D5CA2C3D4E175156F5CA767BFA0D66EE13E242D964DEC7468133A17BB1A708FD9EE7DF78B0AC28AE0C3A9B1EA101
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9T.f.\|_..&.........#..H...Z...f..........0H...@...................................f....... .........................B.......................................$............................H......................................................text...T.H.......H.................`.P`.data........0H.......H.............@.`..rdata......PH......6H.............@.`@/4............H.......H.............@.0@.bss....T.f...L.......................`..edata..B.............L.............@.0@.idata................L.............@.0..CRT....4............L.............@.0..tls.................L.............@.0..reloc...$......&....L.............@.0B/14.......... ........Z.............@..B/29.........0........Z.............@..B/41.....XL.......N....\.............@..B/55.....B....0........\.............@..B/67.....T.... ........].............@.0B/80.....a....@........].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\GetSys[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11113984
Entropy (8bit):	5.684743272146382
Encrypted:	false
SSDEEP:	98304:Kg2TEd+xbEHT/M7j/oEg7xl5eilKAUuSVVf6zG:OEcCJrlKA7G
MD5:	87939A5B42854B08804A9A0AE605B260
SHA1:	E21EC74F722D3A5BAE0D183A73156A0D42D4B251
SHA-256:	D742A6AE9C12E159C3F74559899934CBF1A4EC7E1E4AE8620F372C59789D8ACE
SHA-512:	46A08EA0002F8BEEF34A5CB167FB2D8AA821A5380952BC9967AFDF525B729FC5CA6976AF558923811DD2D338D2EC5CAE39CCE67F666BC811F5ABDCA1D2D8EB55
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.......................HF......... ,....... ....@..........................p.......}....@.....................................L...............................H...................................................@3...............................text....GF......HF................. ..`.rdata..4.X..`F...X..LF.............@..@.data... .... ......................@....idata..L...........................@....reloc..H...........................@..B.symtab...............................B.rsrc..............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\crypted[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	322048
Entropy (8bit):	7.985128056067976
Encrypted:	false
SSDEEP:	6144:d/vtLE/OOyVWU4MaqmF5N5KtkuDuPH8AVZG0QMMRhgO+sPnxl:ddo/OOyFXptkusHZLGlRhV+sPnj
MD5:	6134586375C01F97F8777BAE1BF5ED98
SHA1:	4787FA996B75DBC54632CC321725EE62666868A1
SHA-256:	414BECB8AABD4E8C406E84DF062BEE1A45CFFA334AE30022078CFA71DA9E330D
SHA-512:	652ED16D96B5700F105C2BAB8E7258F167BC1615B6397BE7340C08DF7C977842844326E07FDEF677AECFAF07263F99BB7968C9FC926E90E5A33D2ED793F8436B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`..f................................. ........@.. .......................@......._....`.................................X...S............................ ...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......x...................................................................B...(..\|=C5H..........<6..2.......&...+.3..*....g^.c..F1..u....p.(C...:..(..S+..?.EV...\.K..........x...M.r..=62`.~B5=......rQ..-]@m...1wL6RH......T..Z.+.....\|....6....iP".g.....,..d.l....b....$?=s.jL...l.N.A.B......<<.Y.5...........s.T..<....]....M&R\|.......P.E:j....Q.N9r"...,....N.uT..Y..r.Y...........M.9...I..`.5............H........e..c..:[.d2{....{n9.9u....)b.S............b.1.9

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.395265378509869
Encrypted:	false
SSDEEP:	3072:QJlVTFj5qDao8KaxfE54HnnGSail+bOX8bX60UFHJKa:QJP5j5Ka2aOanGSabY860UFpKa
MD5:	7A02AA17200AEAC25A375F290A4B4C95
SHA1:	7CC94CA64268A9A9451FB6B682BE42374AFC22FD
SHA-256:	836799FD760EBA25E15A55C75C50B977945C557065A708317E00F2C8F965339E
SHA-512:	F6EBFE7E087AA354722CEA3FDDD99B1883A862FB92BB5A5A86782EA846A1BFF022AB7DB4397930BCABAA05CB3D817DE3A89331D41A565BC1DA737F2C5E3720B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\stealc_default2[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L......f.....................B"......d............@..........................0$...........@....................................<.............................#..$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\Set-up[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6662059
Entropy (8bit):	6.630283296879029
Encrypted:	false
SSDEEP:	98304:YNMJ9r+xEJ3cLCB4Ty9Q0GhdjzK4KcNaUqE:RJ9r+x+iiyH7U4KcEPE
MD5:	06B767BF2A7DEAC9B9E524C5B6986BF7
SHA1:	8A0D79D7D04B89658394D72C4071A1F4037F32B2
SHA-256:	C4C861DDA94E9B3275D123E78D73BB9180B618855730EB2217A656D14E35A854
SHA-512:	0BA0E7D75355847BF9A124FD35A69F3F5281A351F730BD4BAB23AD3C5466A40FDA58871C77314557D42082C98A476B20FB68351DFBFB635CD6A958AB19765300
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..f.2_.E&.........#..G...Z...f...........H...@..................................~f....... ......................`..B....p..................................,$............................H......................q...............................text.....G.......G.................`.P`.data...H.....H.......G.............@.`..rdata...... H.......H.............@.`@/4............H.......H.............@.0@.bss....T.f..pL.......................`..edata..B....`.......TL.............@.0@.idata.......p.......VL.............@.0..CRT....4............`L.............@.0..tls.................bL.............@.0..reloc..,$.......&...dL.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL.......N...:\.............@..B/55.....B.............\.............@..B/67.....T............l].............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	423424
Entropy (8bit):	6.131000136533007
Encrypted:	false
SSDEEP:	6144:iEA/WL7JVwOzx3TPI/AnfFx7tbEO1jOTktBJ8WF7zu4P+fF4a6gqbDc:ih/WhVwOl3TI/mJdQYK+O2Fb
MD5:	05C1BAAA01BD0AA0CCB5EC1C43A7D853
SHA1:	E47D7F53987EB147F599321C858FE8D71EBC0D71
SHA-256:	9998D38B192309056D5109AC27A8B13F2B36FC27BAC9EBDF5385452B2C1B0CDB
SHA-512:	996450FC8C8B702327EACFE2EB819C86BACCF4D49F2EB58D3DD2B3CE35733F1E00857AC71B290BC99DB71BAAB08D7D7B22EF5223504C93B26ADE0DF6C9369501
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\build[1].exe, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].D...............0..B...2.......a... ........@.. ....................................@.................................`a..K.................................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc............0...D..............@..@.reloc...............t..............@..B.................a......H.......DZ..h...............................................................(....(.....0...........s........~....%:....&~......&...s....%.....(...+o.....8[....o...............%..F~(...(.....%..G~(...(.....%..H~(...(.....%..e~(...(.....~)...(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~(...(....o........9......I~(...(.......8C........~(...(....o....:......{....~*...(....8......{....~+...(.........(...........9........o.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\crypteda[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1104936
Entropy (8bit):	7.998181628509962
Encrypted:	true
SSDEEP:	24576:lxaesWtTVxFP96Hu0jjjfQNggJRhc2BIVTit:3FsWTzqjjW/BV
MD5:	8E74497AFF3B9D2DDB7E7F819DFC69BA
SHA1:	1D18154C206083EAD2D30995CE2847CBEB6CDBC1
SHA-256:	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
SHA-512:	9AACC5C130290A72F1087DAA9E79984565CCAB6DBCAD5114BFED0919812B9BA5F8DEE9C37D230EECA4DF3CCA47BA0B355FBF49353E53F10F0EBC266E93F49F97
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f................................. ........@.. ....................... ............`.....................................O.......................(&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........................................................................L.v.lT.p#.E..'&..@cC...tE.....% ...pr*QA.U.v6..V.=.Cx..G.H.E.....i.....(hh.q.Bf..}...gL-.S.1),p.....$.8.ij3.....7....!Ts......T.[...X..PUE.c.j...s.].E........q.X.wsS.Y....g)......7I...OK..m(..d.(.T........0`.V`...o....E.G...#.I..q.....lh9..+........>6Q..=.S ...........-....#..].......rA.R..........1?.[..}l....jqD.$....N..xE1p....x[.h~.....i..d...u.!x.o..D..yue...S../z..>.\|.!. .0.^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Amadeus[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5562368
Entropy (8bit):	6.39372886031857
Encrypted:	false
SSDEEP:	49152:NXJxAIQfc7wXnJu1U30/jo5UJZUntHvVkgKJswamhqp1ROjyj/2wW0j94lNI/pB+:BAIdik7/junt/2wr3/
MD5:	36A627B26FAE167E6009B4950FF15805
SHA1:	F3CB255AB3A524EE05C8BAB7B4C01C202906B801
SHA-256:	A2389DE50F83A11D6FE99639FC5C644F6D4DCEA6834ECBF90A4EAD3D5F36274A
SHA-512:	2133ABA3E2A41475B2694C23A9532C238ABAB0CBAE7771DE83F9D14A8B2C0905D44B1BA0B1F7AAE501052F4EBA0B6C74018D66C3CBC8E8E3443158438A621094
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........R...............$..l....... ........J...@...........................W.......U...@...................................R.L.....T.......................R......................................................J..............................text...x.$.......$................. ..`.rdata..d.%...$...%...$.............@..@.data...`.....J.......J.............@....idata..L.....R.......P.............@....reloc........R......$P.............@..B.symtab.......T.......R................B.rsrc.........T.......R.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\Nework[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\runtime[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.21373937610103
Encrypted:	false
SSDEEP:	768:BMbuPxqzgDwNIH/335cJX2om4VQRIEvmg5+FOKo5O:B1xv/H/335C2ozVQRItgMF4O
MD5:	9D78AB0DA1948DE3977123755EF0FE7C
SHA1:	B000AA9B5DF426225A02F208B78416CC2F8DAB86
SHA-256:	7D9733030E72C5ED1016FF372FFDE715883BB827391F50FDB9CD7F000F7A67DF
SHA-512:	9576FDBEB8AD20A8EBCFC3121247F4E70A7E9240BEA4122F471B813EA321566E45BC4DB86FE5BED11CE17BBE14DC68CB82F29FE9DF0CEE78F0F6F90B5C756BF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[............."...0.............j.... ........@.. ....................... ............@.....................................O...................................t...8............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................J.......H........1..............TJ.. y............................................~....}.....~....}.....~....}.....(.....(......{....t....}....6..s....(.......0..>........{....r...po...........o....&..{........(....(....}.....(.......0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	322048
Entropy (8bit):	7.985128056067976
Encrypted:	false
SSDEEP:	6144:d/vtLE/OOyVWU4MaqmF5N5KtkuDuPH8AVZG0QMMRhgO+sPnxl:ddo/OOyFXptkusHZLGlRhV+sPnj
MD5:	6134586375C01F97F8777BAE1BF5ED98
SHA1:	4787FA996B75DBC54632CC321725EE62666868A1
SHA-256:	414BECB8AABD4E8C406E84DF062BEE1A45CFFA334AE30022078CFA71DA9E330D
SHA-512:	652ED16D96B5700F105C2BAB8E7258F167BC1615B6397BE7340C08DF7C977842844326E07FDEF677AECFAF07263F99BB7968C9FC926E90E5A33D2ED793F8436B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 83%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...`..f................................. ........@.. .......................@......._....`.................................X...S............................ ...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......x...................................................................B...(..\|=C5H..........<6..2.......&...+.3..*....g^.c..F1..u....p.(C...:..(..S+..?.EV...\.K..........x...M.r..=62`.~B5=......rQ..-]@m...1wL6RH......T..Z.+.....\|....6....iP".g.....,..d.l....b....$?=s.jL...l.N.A.B......<<.Y.5...........s.T..<....]....M&R\|.......P.E:j....Q.N9r"...,....N.uT..Y..r.Y...........M.9...I..`.5............H........e..c..:[.d2{....{n9.9u....)b.S............b.1.9

C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1104936
Entropy (8bit):	7.998181628509962
Encrypted:	true
SSDEEP:	24576:lxaesWtTVxFP96Hu0jjjfQNggJRhc2BIVTit:3FsWTzqjjW/BV
MD5:	8E74497AFF3B9D2DDB7E7F819DFC69BA
SHA1:	1D18154C206083EAD2D30995CE2847CBEB6CDBC1
SHA-256:	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
SHA-512:	9AACC5C130290A72F1087DAA9E79984565CCAB6DBCAD5114BFED0919812B9BA5F8DEE9C37D230EECA4DF3CCA47BA0B355FBF49353E53F10F0EBC266E93F49F97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f................................. ........@.. ....................... ............`.....................................O.......................(&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........................................................................L.v.lT.p#.E..'&..@cC...tE.....% ...pr*QA.U.v6..V.=.Cx..G.H.E.....i.....(hh.q.Bf..}...gL-.S.1),p.....$.8.ij3.....7....!Ts......T.[...X..PUE.c.j...s.].E........q.X.wsS.Y....g)......7I...OK..m(..d.(.T........0`.V`...o....E.G...#.I..q.....lh9..+........>6Q..=.S ...........-....#..].......rA.R..........1?.[..}l....jqD.$....N..xE1p....x[.h~.....i..d...u.!x.o..D..yue...S../z..>.\|.!. .0.^.

C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6692483
Entropy (8bit):	6.623590781025775
Encrypted:	false
SSDEEP:	98304:CpRHlLqhLzrgp+4/9Ec+NrtzUdQ/+goNvwv0lkU:URHpqJr4+4lhGxwGdoNS0lkU
MD5:	1D99EB774773EA9F2E71E0A2E2DABC59
SHA1:	22EA95F6E679A7579EC4F8D51F2501B0F8B692D5
SHA-256:	5511F3EDEA868F08ADC5D40AA22B52D3299E4C3B9F3D21735CF905781B575A9F
SHA-512:	95A9B6527AF9DC320F8B01C369B266917E19D5CA2C3D4E175156F5CA767BFA0D66EE13E242D964DEC7468133A17BB1A708FD9EE7DF78B0AC28AE0C3A9B1EA101
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9T.f.\|_..&.........#..H...Z...f..........0H...@...................................f....... .........................B.......................................$............................H......................................................text...T.H.......H.................`.P`.data........0H.......H.............@.`..rdata......PH......6H.............@.`@/4............H.......H.............@.0@.bss....T.f...L.......................`..edata..B.............L.............@.0@.idata................L.............@.0..CRT....4............L.............@.0..tls.................L.............@.0..reloc...$......&....L.............@.0B/14.......... ........Z.............@..B/29.........0........Z.............@..B/41.....XL.......N....\.............@..B/55.....B....0........\.............@..B/67.....T.... ........].............@.0B/80.....a....@........].

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.395265378509869
Encrypted:	false
SSDEEP:	3072:QJlVTFj5qDao8KaxfE54HnnGSail+bOX8bX60UFHJKa:QJP5j5Ka2aOanGSabY860UFpKa
MD5:	7A02AA17200AEAC25A375F290A4B4C95
SHA1:	7CC94CA64268A9A9451FB6B682BE42374AFC22FD
SHA-256:	836799FD760EBA25E15A55C75C50B977945C557065A708317E00F2C8F965339E
SHA-512:	F6EBFE7E087AA354722CEA3FDDD99B1883A862FB92BB5A5A86782EA846A1BFF022AB7DB4397930BCABAA05CB3D817DE3A89331D41A565BC1DA737F2C5E3720B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 96%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L......f.....................B"......d............@..........................0$...........@....................................<.............................#..$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6662059
Entropy (8bit):	6.630283296879029
Encrypted:	false
SSDEEP:	98304:YNMJ9r+xEJ3cLCB4Ty9Q0GhdjzK4KcNaUqE:RJ9r+x+iiyH7U4KcEPE
MD5:	06B767BF2A7DEAC9B9E524C5B6986BF7
SHA1:	8A0D79D7D04B89658394D72C4071A1F4037F32B2
SHA-256:	C4C861DDA94E9B3275D123E78D73BB9180B618855730EB2217A656D14E35A854
SHA-512:	0BA0E7D75355847BF9A124FD35A69F3F5281A351F730BD4BAB23AD3C5466A40FDA58871C77314557D42082C98A476B20FB68351DFBFB635CD6A958AB19765300
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..f.2_.E&.........#..G...Z...f...........H...@..................................~f....... ......................`..B....p..................................,$............................H......................q...............................text.....G.......G.................`.P`.data...H.....H.......G.............@.`..rdata...... H.......H.............@.`@/4............H.......H.............@.0@.bss....T.f..pL.......................`..edata..B....`.......TL.............@.0@.idata.......p.......VL.............@.0..CRT....4............`L.............@.0..tls.................bL.............@.0..reloc..,$.......&...dL.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL.......N...:\.............@..B/55.....B.............\.............@..B/67.....T............l].............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Temp\1000191001\1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3639176
Entropy (8bit):	7.398157669285365
Encrypted:	false
SSDEEP:	98304:H+sv/t4BT7/Z/U6NVQFamv1oOgEoYYkTZ9:H+it4x7RcsmFxv+OgEoYvTZ9
MD5:	17D51083CCB2B20074B1DC2CAC5BEA36
SHA1:	0A046864AD4304F63DBDE5AC14D3DC05CFB48D46
SHA-256:	681EEECECD77EB1433111641C33C8424EAF2C1265E2D4A7E4D6F023865FB5D94
SHA-512:	7DA8A2FD0321231C17FDDF414BF1D5A03D71DBC619F68958FF1D167003F972920F0F3C830B8A25AA715DF4FCC044D88D739B6EAB115A5B0B0A53852A70F4238A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................H....2......V.......`....@...........................7.......7..........@............................... ...P...v1..........f7..!......Dd..................................................................................CODE....`F.......H.................. ..`DATA....d....`.......L..............@...BSS.....Q............f...................idata... ......."...f..............@....tls.....................................rdata..............................@..P.reloc..Dd.......f..................@..P.rsrc....v1..P...v1.................@..P..............7......f7.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11113984
Entropy (8bit):	5.684743272146382
Encrypted:	false
SSDEEP:	98304:Kg2TEd+xbEHT/M7j/oEg7xl5eilKAUuSVVf6zG:OEcCJrlKA7G
MD5:	87939A5B42854B08804A9A0AE605B260
SHA1:	E21EC74F722D3A5BAE0D183A73156A0D42D4B251
SHA-256:	D742A6AE9C12E159C3F74559899934CBF1A4EC7E1E4AE8620F372C59789D8ACE
SHA-512:	46A08EA0002F8BEEF34A5CB167FB2D8AA821A5380952BC9967AFDF525B729FC5CA6976AF558923811DD2D338D2EC5CAE39CCE67F666BC811F5ABDCA1D2D8EB55
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 46%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.......................HF......... ,....... ....@..........................p.......}....@.....................................L...............................H...................................................@3...............................text....GF......HF................. ..`.rdata..4.X..`F...X..LF.............@..@.data... .... ......................@....idata..L...........................@....reloc..H...........................@..B.symtab...............................B.rsrc..............................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000241001\build.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	423424
Entropy (8bit):	6.131000136533007
Encrypted:	false
SSDEEP:	6144:iEA/WL7JVwOzx3TPI/AnfFx7tbEO1jOTktBJ8WF7zu4P+fF4a6gqbDc:ih/WhVwOl3TI/mJdQYK+O2Fb
MD5:	05C1BAAA01BD0AA0CCB5EC1C43A7D853
SHA1:	E47D7F53987EB147F599321C858FE8D71EBC0D71
SHA-256:	9998D38B192309056D5109AC27A8B13F2B36FC27BAC9EBDF5385452B2C1B0CDB
SHA-512:	996450FC8C8B702327EACFE2EB819C86BACCF4D49F2EB58D3DD2B3CE35733F1E00857AC71B290BC99DB71BAAB08D7D7B22EF5223504C93B26ADE0DF6C9369501
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...].D...............0..B...2.......a... ........@.. ....................................@.................................`a..K.................................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc............0...D..............@..@.reloc...............t..............@..B.................a......H.......DZ..h...............................................................(....(.....0...........s........~....%:....&~......&...s....%.....(...+o.....8[....o...............%..F~(...(.....%..G~(...(.....%..H~(...(.....%..e~(...(.....~)...(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~(...(....o........9......I~(...(.......8C........~(...(....o....:......{....~*...(....8......{....~+...(.........(...........9........o.....

C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.21373937610103
Encrypted:	false
SSDEEP:	768:BMbuPxqzgDwNIH/335cJX2om4VQRIEvmg5+FOKo5O:B1xv/H/335C2ozVQRItgMF4O
MD5:	9D78AB0DA1948DE3977123755EF0FE7C
SHA1:	B000AA9B5DF426225A02F208B78416CC2F8DAB86
SHA-256:	7D9733030E72C5ED1016FF372FFDE715883BB827391F50FDB9CD7F000F7A67DF
SHA-512:	9576FDBEB8AD20A8EBCFC3121247F4E70A7E9240BEA4122F471B813EA321566E45BC4DB86FE5BED11CE17BBE14DC68CB82F29FE9DF0CEE78F0F6F90B5C756BF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[............."...0.............j.... ........@.. ....................... ............@.....................................O...................................t...8............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................J.......H........1..............TJ.. y............................................~....}.....~....}.....~....}.....(.....(......{....t....}....6..s....(.......0..>........{....r...po...........o....&..{........(....(....}.....(.......0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.......

C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	320000
Entropy (8bit):	7.989672073571282
Encrypted:	false
SSDEEP:	6144:H2dbvTyG8N6VjCaPxg+kERtJ4h1Kfq4Vop4u7O8Owsb:U+CFCAnXJ1RU4uK8O
MD5:	7E8C1E8B4C37553A6BC11083B18CEBDF
SHA1:	E34F459CB50A966089AFF945D81D97BB5578C8F7
SHA-256:	423E1C433FDE9AC5E1011A28A5CC2CCFA4D8A6C43A59CFEB969F204F76334129
SHA-512:	562685A9C2A52E97BAB98540175CEDDBE1430314718026E312ACE4C856882B0CB00A252D1CC4C6F695DB3597ECD1490B6AC0480AA9C0855C8BCC923ED04BE72C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o..f................................. ........@.. .......................@............`.................................t...W............................ ......<................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H...........l.............................................................;E..F.../..........S......&Mifb..M_.7.9[^+X.fQ... ...}...J..ev......q.^.-8t~..s...\|.Z...+.X..Mk[.....-...V.N.b-b..^.......B....G..g..Q.FR...]../\...&.w.t..ztMA....uyH....ob...p...v.s..3......f.#\#.E..s.f....#..C....\....G...".....A.....%%....U_..Q.v...............yP.G.[..k.,3.....v{.8..r...VK2..../....n..._.^..<.&.?.....@....eC..:.V.6.Sz7kHaR..@H...Y.V.H..h..B=.CC..n}...".8...J.../.

C:\Users\user\AppData\Local\Temp\246122658369

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	85369
Entropy (8bit):	7.850692352411153
Encrypted:	false
SSDEEP:	1536:C8kShGhyjcahs0GusVR1ZYjhnrd00U7HCw5PMb5kO/UG2m9K:vkShGhyjcahRGtVvZYjhnrd0djCwhSON
MD5:	15D1A3CBD3C5A07D6B5F8B27F0267441
SHA1:	872C0FD32FF5D16163AE4F5BBDCC0BC369047861
SHA-256:	1E9F849996BE88557AC984F2ABAF59F71A1A1F0DF7F6CF7D08B8CE2EB1CAA4EC
SHA-512:	225B10743571BEC894C428785584969B09ECA435C5202C7175C8812A01E5FDFB79DB62F4C0B45235D31F3D95014EACD5300495CD1F449453EB0DC501398699FD
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.z..p.....MR...%.f..r.....Uf.....?.2......S.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..<.t..A...#'..N>.._.u.......^y.[......1..].+..B....%?........r.....{f`.'(Xw...&e.......Q...8X.V..._.^.(..(...&(....~....[.....).....+.F"8x{I.t.p....pj.g.Ez..+..........O.Wz.......\..4;?...O.........QA..Z.DqCr.Y...L....V..\A.

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1928704
Entropy (8bit):	7.949893081290532
Encrypted:	false
SSDEEP:	24576:VMys5CGyb9XUjVZ7ngTPA33oeEo02k27mQHsafW2JuC4j6iSk5yxKuWBjEO9R:Vy5C9pkX7gcIerOCmQHwEuZQ5WZ9R
MD5:	C1C625415C8141D6E45B74FC6AA5640E
SHA1:	1D4DB07132F91C8C75DBA8645EC7FF1D9FC2E744
SHA-256:	83EAA1B744A80100205EF0DF2FC1E0B161AE8E0DEAE153B9DCAD6C889E76FD82
SHA-512:	0018D7DFFC9A836EC9A0011E4B00C3B8B4A3128A38A689006CB4E16653FF4E7CCAE59A5FBAEB38C801AB786415CD5CED49943C5C340F1AA7B394BACA1BB3EE5B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 61%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................L...........@...........................L......x....@.................................W...k............................aL.............................laL..................................................... . ............................@....rsrc...............................@....idata ............................@... .`+.........................@...hwadqtea.`....2..T..................@...goyyausu.....pL......H..............@....taggant.0....L.."...L..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\JhCTEUiuPFSAmdKyCcGU.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315835392
Entropy (8bit):	0.055782840516224765
Encrypted:	false
SSDEEP:	24576:H9Mrc2pAL6A3ypEm6LOVsWSpfzO3rBpiXwnUeuRbOu:H9MF96LOVgi7HfuR
MD5:	9BC65E24721425D5EACD03CA9D59EFE4
SHA1:	1BBA432ECE1563926683B566E9F2CFCACEE8DD35
SHA-256:	1B250495215ACF2F63BED5E5F3F120EC9443049EA01168AC80828D3971C3B832
SHA-512:	10139021D51880216B0ED05D60C4B2FAD71E6816BA94610D67EBA070703D74040709126A2C9BC7081B7008730E707D6EA119674A2A30565A4392440C02D841B0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 11%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...k..f...........#...#.H...@...............`.....j................................>.....@... .........................`....................................0..........................................................t............................text...LF.......H..................`.P`.data........`.......L..............@.`..rdata..@............b..............@.`@.eh_fram.....P.......&..............@.0@.bss....t.............................`..edata..`...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc.......0......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tmp9CE.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp9DF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpFC42.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpFC62.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\fBzeZmUWdBgmhZfvjyDr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315835392
Entropy (8bit):	0.055787627924721125
Encrypted:	false
SSDEEP:
MD5:	CFAF9CD208D37DC3BFBCABFB8EB8F6D1
SHA1:	270A99F713B85DDEDC36A32261B89FBEFC5897F8
SHA-256:	9C1007942750D3E698ABA005A3947F2A1C112087630DEBC49042189E16D32C78
SHA-512:	DEF93AF3051F0F1519226FEAD82ED6E0F661937B97D21E2BAC9C0E2C3A2AC178B2EB27214502417D666BFA28FED7447F3CBA51BD9B11E472DE4782538B5E39DC
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[R.f...........#...#.H...@...............`.....j................................F.....@... .........................`....................................0..........................................................t............................text...LF.......H..................`.P`.data........`.......L..............@.`..rdata..@............b..............@.`@.eh_fram.....P.......&..............@.0@.bss....t.............................`..edata..`...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc.......0......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314613760
Entropy (8bit):	0.002153570483798253
Encrypted:	false
SSDEEP:
MD5:	1E005BCE5E00FB30B9E1D0930F2E75D8
SHA1:	AEECDCA31E4FB09A7B26602F14C3EBD4064786F1
SHA-256:	9A71B11472E6CD0B1767D6F0177D6FCCC4453A0B574C26A2A622EA569E8CE539
SHA-512:	D4AA13E6236B70CD306746CDB13251A4760C829C095F1659F7FAB8975EA8B405019B52BEC196F4F602C4AE051DBEF2D9BAC9514C64A96F001AC5ED61ED4FF480
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...VR.f...............#.v........................@..................................8....@... .................................................................h...................................................X................................text....u.......v..................`.P`.data...X............z..............@.0..rdata..X............\|..............@.`@.eh_fram............................@.0@.bss..................................`..idata..............................@.0..CRT....4...........................@.0..tls................................@.0..reloc..h...........................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\svchost015.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000191001\1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990472
Entropy (8bit):	6.459856200541649
Encrypted:	false
SSDEEP:
MD5:	B826DD92D78EA2526E465A34324EBEEA
SHA1:	BF8A0093ACFD2EB93C102E1A5745FB080575372E
SHA-256:	7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
SHA-512:	1AC4B731B9B31CABF3B1C43AEE37206AEE5326C8E786ABE2AB38E031633B778F97F2D6545CF745C3066F3BD47B7AAF2DED2F9955475428100EAF271DD9AEEF17
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....\"f..................#.........l.#.......#...@..........................p1.....?.-...`...(..@...........................p&.l3....(...............-..!....................................&.....................................................CODE......#.......#................. ..`DATA....0.....#.......#.............@...BSS...........$......\$..................idata..l3...p&..4...\$.............@....tls....\|.....&.......$..................rdata........&.......$.............@..P.reloc.......&.......$.............@..P.rsrc.........(.......$.............@..P.............p1......,/.............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082156492931411
Encrypted:	false
SSDEEP:
MD5:	30F46F4476CDC27691C7FDAD1C255037
SHA1:	B53415AF5D01F8500881C06867A49A5825172E36
SHA-256:	3A8F5F6951DAD3BA415B23B35422D3C93F865146DA3CCF7849B75806E0B67CE0
SHA-512:	271AADB524E94ED1019656868A133C9E490CC6F8E4608C8A41C29EFF7C12DE972895A01F171E8F625D07994FF3B723BB308D362266F96CB20DFF82689454C78F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.9...............0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\5058f5e8a8fee3bc6f70d4adcfd7797d_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\muDv2ygaMe.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	557056
Entropy (8bit):	6.311657384729558
Encrypted:	false
SSDEEP:
MD5:	88367533C12315805C059E688E7CDFE9
SHA1:	64A107ADCBAC381C10BD9C5271C2087B7AA369EC
SHA-256:	C6FC5C06AD442526A787989BAE6CE0D32A2B15A12A41F78BACA336B6560997A9
SHA-512:	7A8C3D767D19395CE9FFEF964B0347A148E517982AFCF2FC5E45B4C524FD44EC20857F6BE722F57FF57722B952EF7B88F6249339551949B9E89CF60260F0A714
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 92%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A/................0..,...R......^J... ...`....@.. ....................................@..................................J..K....`...O........................................................................... ............... ..H............text...d... ...,.................. ..`.rsrc....O...`...P..................@..@.reloc...............~..............@..B................@J......H.......\|Z...x......<...X....)..............................................(....*..0...........s........~....%:....&~......!...s....%.....(...+o.....8[....o...............%..F~s...(.....%..G~s...(.....%..H~s...(.....%..e~s...(.....~t...(.......o......8......(......s.......sK.......~....}....~...........s....(....o....}......{.....I~s...(....o........9......I~s...(.......8C........~s...(....o....:......{....~u...(....8......{....~v...(.........(...........9........o........(

C:\Users\user\Pictures\Lighter Tech\runtime.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.21373937610103
Encrypted:	false
SSDEEP:
MD5:	9D78AB0DA1948DE3977123755EF0FE7C
SHA1:	B000AA9B5DF426225A02F208B78416CC2F8DAB86
SHA-256:	7D9733030E72C5ED1016FF372FFDE715883BB827391F50FDB9CD7F000F7A67DF
SHA-512:	9576FDBEB8AD20A8EBCFC3121247F4E70A7E9240BEA4122F471B813EA321566E45BC4DB86FE5BED11CE17BBE14DC68CB82F29FE9DF0CEE78F0F6F90B5C756BF1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[............."...0.............j.... ........@.. ....................... ............@.....................................O...................................t...8............................................ ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................J.......H........1..............TJ.. y............................................~....}.....~....}.....~....}.....(.....(......{....t....}....6..s....(.......0..>........{....r...po...........o....&..{........(....(....}.....(.......0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.......

C:\Windows\Tasks\Hkbsse.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
File Type:	data
Category:	dropped
Size (bytes):	290
Entropy (8bit):	3.435121220139931
Encrypted:	false
SSDEEP:
MD5:	4F9B1A6413938944E2852D00F4285366
SHA1:	2EC170C8D8F0D789B17D5E60676234A9049B4A4C
SHA-256:	99873F3EC1FFB2A55822F3F8D001A22B998B76B3FAAB0C36A8DABA1D9D5B5B0D
SHA-512:	A3192545F3DD513050382B15A32261A3F0761895894FD0C9C4112647F686D792FB2D47E1B632DDF280D082A90693496EB90B5F87E23107952CDCCDAC4E9D279B
Malicious:	false
Reputation:	unknown
Preview:	....TWt.7..H..*..q.FF.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.5.4.f.d.c.5.f.7.0.\.H.k.b.s.s.e...e.x.e.........H.U.B.E.R.T.-.P.C.\.h.u.b.e.r.t...................0...................@3P.........................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.4627253978500847
Encrypted:	false
SSDEEP:
MD5:	1AF50581F675FB3B4BED584242732908
SHA1:	0B85286508F1AA8BCB3DF32794EB5DFCF8DBC3AE
SHA-256:	8E5EF632272C2079B61080539A829F0186EFA2CFE6E8F117CEF4A94C3FDB0D6D
SHA-512:	E8446B030BCE665681F914940682C4C4FD658E9BB0380184C60512E03B88ABAA178ACFF981362BBC7D74CB6D17C8F3BB21F50AC3F909E23743448FB002A6FD0B
Malicious:	false
Reputation:	unknown
Preview:	........t..A.A.:V...F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........H.U.B.E.R.T.-.P.C.\.h.u.b.e.r.t...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.949893081290532
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
File size:	1'928'704 bytes
MD5:	c1c625415c8141d6e45b74fc6aa5640e
SHA1:	1d4db07132f91c8c75dba8645ec7ff1d9fc2e744
SHA256:	83eaa1b744a80100205ef0df2fc1e0b161ae8e0deae153b9dcad6c889e76fd82
SHA512:	0018d7dffc9a836ec9a0011e4b00c3b8b4a3128a38a689006cb4e16653ff4e7ccae59a5fbaeb38c801ab786415cd5ced49943c5c340f1aa7b394baca1bb3ee5b
SSDEEP:	24576:VMys5CGyb9XUjVZ7ngTPA33oeEo02k27mQHsafW2JuC4j6iSk5yxKuWBjEO9R:Vy5C9pkX7gcIerOCmQHwEuZQ5WZ9R
TLSH:	DF953352AFE70173CF399ABB08564F3411F606CF46A9F889E1996BD5E44F3A66D02C0C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8c8000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F64BD2780BAh
cmovl ebx, dword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [ebx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+00000000h], cl
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4c61bc	0x10	hwadqtea
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4c616c	0x18	hwadqtea
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	fe0e2b8d30acda3f3a29370ec93fd7b2	False	0.9969186393051771	data	7.98015965484696	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	de62a25a7b4f26bda0bf72fd685d49f4	False	0.583984375	data	4.550844013001639	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2b6000	0x200	2180f98514cdb08dc476d2b0dbe70c56	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
hwadqtea	0x321000	0x1a6000	0x1a5400	ca3d1eb2beab4937d96a8d11cf0eac7c	False	0.9943944732937685	data	7.954042204005219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
goyyausu	0x4c7000	0x1000	0x400	4513c5a3a489eade98c2c3e6b65f6dce	False	0.767578125	data	6.062978499980805	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4c8000	0x3000	0x2200	8f716547e863ef68235278864c0fdb36	False	0.06135110294117647	DOS executable (COM)	0.8013544209139546	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4c61cc	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	06:25:17
Start date:	02/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe"
Imagebase:	0x220000
File size:	1'928'704 bytes
MD5 hash:	C1C625415C8141D6E45B74FC6AA5640E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1486966046.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1541104272.0000000000221000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:25:22
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x710000
File size:	1'928'704 bytes
MD5 hash:	C1C625415C8141D6E45B74FC6AA5640E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1579348090.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1539084353.0000000005090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 61%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:26:00
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x710000
File size:	1'928'704 bytes
MD5 hash:	C1C625415C8141D6E45B74FC6AA5640E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.1911621771.0000000005090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:26:04
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000002001\crypted.exe"
Imagebase:	0xaf0000
File size:	322'048 bytes
MD5 hash:	6134586375C01F97F8777BAE1BF5ED98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000009.00000002.1948777736.0000000003F95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 83%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:26:04
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:26:04
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x2d0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:26:04
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x360000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:26:04
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xf10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.2084760629.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000002.2087513413.00000000034E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:26:07
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Imagebase:	0xe40000
File size:	1'104'936 bytes
MD5 hash:	8E74497AFF3B9D2DDB7E7F819DFC69BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:26:07
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x1c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:26:07
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xbf0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000011.00000002.1984060520.0000000000479000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:26:08
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\muDv2ygaMe.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\muDv2ygaMe.exe"
Imagebase:	0x140000
File size:	557'056 bytes
MD5 hash:	88367533C12315805C059E688E7CDFE9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000012.00000000.1981672290.0000000000142000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\muDv2ygaMe.exe, Author: ditekSHen
Antivirus matches:	Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:26:08
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:26:08
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe"
Imagebase:	0x7c0000
File size:	311'296 bytes
MD5 hash:	30F46F4476CDC27691C7FDAD1C255037
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000000.1982243767.00000000007C2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000014.00000002.2133601259.0000000002A28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\ER1CZAgbcY.exe, Author: Joe Security
Antivirus matches:	Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:26:10
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Imagebase:	0xce0000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000016.00000000.2003355241.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:26:11
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Imagebase:	0x70000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000000.2008973826.0000000000071000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000017.00000002.2011664885.0000000000071000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 100%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	06:26:12
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Imagebase:	0x70000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000018.00000002.3937835844.0000000000071000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000018.00000000.2024822913.0000000000071000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	06:26:13
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0xd40000
File size:	192'000 bytes
MD5 hash:	7A02AA17200AEAC25A375F290A4B4C95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2212357774.0000000001107000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000019.00000002.2212357774.00000000010AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus matches:	Detection: 96%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	06:26:20
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000129001\Set-up.exe"
Imagebase:	0x400000
File size:	6'662'059 bytes
MD5 hash:	06B767BF2A7DEAC9B9E524C5B6986BF7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 0000001A.00000003.3140000961.0000000003E8E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	06:26:24
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000013001\joffer2.exe"
Imagebase:	0x400000
File size:	6'692'483 bytes
MD5 hash:	1D99EB774773EA9F2E71E0A2E2DABC59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 0000001B.00000003.3297043789.0000000001564000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	06:26:29
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000191001\1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000191001\1.exe"
Imagebase:	0x400000
File size:	3'639'176 bytes
MD5 hash:	17D51083CCB2B20074B1DC2CAC5BEA36
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 0000001C.00000002.2269545389.0000000003199000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001C.00000002.2269545389.0000000002E90000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 38%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	06:26:35
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Imagebase:	0x400000
File size:	2'990'472 bytes
MD5 hash:	B826DD92D78EA2526E465A34324EBEEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001D.00000002.2273964707.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000001D.00000000.2252940170.0000000000401000.00000020.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Temp\svchost015.exe, Author: Joe Security
Antivirus matches:	Detection: 4%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	06:26:40
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000228001\GetSys.exe"
Imagebase:	0xd30000
File size:	11'113'984 bytes
MD5 hash:	87939A5B42854B08804A9A0AE605B260
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 0000001E.00000002.2626655297.000000000260A000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001E.00000002.2626655297.000000000238E000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001E.00000002.2626655297.000000000254C000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001E.00000002.2496293194.00000000020BC000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 46%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	06:26:47
Start date:	02/09/2024
Path:	C:\Users\user\1000238002\Amadeus.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\1000238002\Amadeus.exe"
Imagebase:	0x2f0000
File size:	5'562'368 bytes
MD5 hash:	36A627B26FAE167E6009B4950FF15805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001F.00000002.2688945254.0000000001706000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 0000001F.00000002.2627787489.0000000001552000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	06:26:51
Start date:	02/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xf10000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000020.00000002.2474240837.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	06:26:52
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000241001\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000241001\build.exe"
Imagebase:	0xa80000
File size:	423'424 bytes
MD5 hash:	05C1BAAA01BD0AA0CCB5EC1C43A7D853
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000021.00000000.2421089096.0000000000A82000.00000002.00000001.01000000.0000001F.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000241001\build.exe, Author: ditekSHen
Antivirus matches:	Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	06:26:53
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	06:26:55
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"
Imagebase:	0xf60000
File size:	45'056 bytes
MD5 hash:	9D78AB0DA1948DE3977123755EF0FE7C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000023.00000002.2609308568.00000000131C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000023.00000002.2651827464.000000001DAF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 34%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	06:26:59
Start date:	02/09/2024
Path:	C:\Users\user\1000238002\Amadeus.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\1000238002\Amadeus.exe"
Imagebase:	0x2f0000
File size:	5'562'368 bytes
MD5 hash:	36A627B26FAE167E6009B4950FF15805
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000025.00000002.2725651381.0000000001610000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000025.00000002.2661614424.0000000001494000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	06:26:59
Start date:	02/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0xf10000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000026.00000002.2582962886.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	06:26:59
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0xdf0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	06:27:00
Start date:	02/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0xdf0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000028.00000002.3937747782.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	41
Start time:	06:27:00
Start date:	02/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Imagebase:	0x7ff6860f0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	06:27:00
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	06:27:02
Start date:	02/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Imagebase:	0x7ff7c3a90000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	06:27:04
Start date:	02/09/2024
Path:	C:\Users\user\Pictures\Lighter Tech\runtime.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Imagebase:	0xd40000
File size:	45'056 bytes
MD5 hash:	9D78AB0DA1948DE3977123755EF0FE7C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 34%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	06:27:05
Start date:	02/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000281001\crypted.exe"
Imagebase:	0xb30000
File size:	320'000 bytes
MD5 hash:	7E8C1E8B4C37553A6BC11083B18CEBDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000002D.00000002.2654323842.0000000003E64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	06:27:06
Start date:	02/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 04C201C7 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1546688298.0000000004C20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29c57b753e4ff13d5cc0718434401fcf78fc7c47c8c1e873d8f5782d5416b43d
Instruction ID: 38d54a5fd65d52eab7e8ebdf3625fbf69a13f0150c2df4357a632180bba6975e
Opcode Fuzzy Hash: 29c57b753e4ff13d5cc0718434401fcf78fc7c47c8c1e873d8f5782d5416b43d
Instruction Fuzzy Hash: BD216DEB24C131BE714281472F54AFB6A2FE5C27303398427F903D6642F2D46E4A6071

Analysis Process: axplong.exePID: 3528, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	10.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.2%
Total number of Nodes:	1970
Total number of Limit Nodes:	43

Executed Functions

Function 0071BD60 Relevance: 28.3, APIs: 6, Strings: 10, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(00768D70,00000000,00000000,00000000,00000000), ref: 0071BDEC
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0071BE10
HttpOpenRequestA.WININET(?,00000000), ref: 0071BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0071BF1B
InternetReadFile.WININET(?,?,000003FF,?), ref: 0071BFCD
InternetReadFile.WININET(?,?,000003FF,?,?,?,?,?), ref: 0071C081
InternetCloseHandle.WININET(?), ref: 0071C0A7
InternetCloseHandle.WININET(?), ref: 0071C0AF
InternetCloseHandle.WININET(?), ref: 0071C0B7

Strings

8KG0fymoFx==, xrefs: 0071C2EB, 0071C543
=nm6, xrefs: 0071B934, 0071BD77, 0071C297, 0071CD7B, 0071D4B5, 0071D60B, 0071DC3F
8KG0fCKZFzY=, xrefs: 0071C385
invalid stoi argument, xrefs: 0071E404
d4w, xrefs: 0071E2FF
=nm6, xrefs: 0071C871
stoi argument out of range, xrefs: 0071E3FA
=nm6, xrefs: 0071C8D7, 0071C8DA
RHYTYv==, xrefs: 0071BE33
RpKt, xrefs: 0071D516

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$=nm6$=nm6$=nm6$RHYTYv==$RpKt$d4w$invalid stoi argument$stoi argument out of range
API String ID: 1354133546-2734198084
Opcode ID: 9a85027c1c3c3c6cdb997b566ae68f0f57b199a6b2d35160651b4e0f756beeae
Instruction ID: 0fdf1f1ddfcf404242cbd0dfd342d908ef9d237bb96516835ef041dc4f21ad86
Opcode Fuzzy Hash: 9a85027c1c3c3c6cdb997b566ae68f0f57b199a6b2d35160651b4e0f756beeae
Instruction Fuzzy Hash: A0B1E4B1600118DBEB29CF28CC84BEDBB79EF45304F5041A8F509972C2E7799AC4CBA5

Function 0071E440 Relevance: 15.9, Strings: 12, Instructions: 878
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

246122658369, xrefs: 0071F647, 0071F924, 007204F7
fed3aa, xrefs: 0071FA9E
=nm6, xrefs: 0071E457, 0071E9FA, 0071F604, 0071F8E5, 0071FA87
GqKudSO2, xrefs: 0071E47F
WWp=, xrefs: 007204DA
111, xrefs: 0071F6B0
d4w, xrefs: 0071F6D5
MJB+, xrefs: 0071E734
MT==, xrefs: 0071E4A5
WGt=, xrefs: 0071F62D, 0071F90A
#, xrefs: 00720534
UD==, xrefs: 0071EA1F, 0071EC66

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$=nm6$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$d4w$fed3aa
API String ID: 0-4083415280
Opcode ID: 145128c9a9a7f950e6b9fc78f5557fde098cfdd2b221db0127ccacd9908871cf
Instruction ID: 212c5853a94561dc2fcb53d4dc4ce02f814000e411b9ad5401551127c891d4ee
Opcode Fuzzy Hash: 145128c9a9a7f950e6b9fc78f5557fde098cfdd2b221db0127ccacd9908871cf
Instruction Fuzzy Hash: 0C72C570A04248DBEF18EF68C9497DD7BB6AF45304F508198E815673C2D77D9A88CBD2

Function 0072D312 Relevance: 2.7, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0071247E

Strings

=nm6, xrefs: 0072D324, 0072DCA4
=nm6, xrefs: 0072DCEC

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: =nm6$=nm6
API String ID: 2659868963-2952038358
Opcode ID: 20a49895eabaeb988f29c8f6d819a88184857687f88a1816b10a8e697010f622
Instruction ID: 9c57a3726c3ebf708687fb3a059f6ea4c03a667ea875508c05e7cfc9c59e292c
Opcode Fuzzy Hash: 20a49895eabaeb988f29c8f6d819a88184857687f88a1816b10a8e697010f622
Instruction Fuzzy Hash: 71518DB1A00615CFEB25CF54E8856ADBBF4FB08350F24C56AD409EB291D778AD81CF54

Function 00723550 Relevance: 55.0, APIs: 1, Strings: 30, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0072425F

Part of subcall function 00727870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0072795C
Part of subcall function 00727870: __Cnd_destroy_in_situ.LIBCPMT ref: 00727968
Part of subcall function 00727870: __Mtx_destroy_in_situ.LIBCPMT ref: 00727971

Strings

V0N6, xrefs: 0072537A
246122658369, xrefs: 00721EA5, 007227EE, 00722A43, 00722AB0, 00722E88, 00723373, 007233D4, 00724F4D, 00724F8F, 00724F99, 007254F4
aqB6, xrefs: 007254DB
V0x6, xrefs: 0072541E
invalid stoi argument, xrefs: 00722DE9, 00722DF8, 0072425A, 00724E9D
stoi argument out of range, xrefs: 00722E02, 00724269, 00724EAC
MJB+, xrefs: 00724776, 007247ED, 00724A95, 00724B0C
5F6, xrefs: 00725497
96B6, xrefs: 00725470
MJF+, xrefs: 007247BD, 007248EC, 00724ADC, 00724C0B
Fz==, xrefs: 0072369E, 00724D2D
8ZF6, xrefs: 00725502
", xrefs: 00723E99
9KN6, xrefs: 00725351
=nm6, xrefs: 00721DE7, 00722E34, 00723567, 007242B4, 007246D4, 00724EFB
HBhr, xrefs: 0072378F
W07l, xrefs: 00723AEE
-w, xrefs: 00724F3A
WJP6, xrefs: 007253A3
fed3aa, xrefs: 00725489
9526, xrefs: 0072531D
5120, xrefs: 00723ABF, 00723BAA
mP=, xrefs: 00726383
Vp 6, xrefs: 00725447
JB6, xrefs: 007253F5
V5Qk, xrefs: 00723DC0
6F9fr==, xrefs: 00724712
KFT0PL==, xrefs: 007254B9
WJms, xrefs: 00723BD9
aZT6, xrefs: 007253CC

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$"$246122658369$5120$8ZF6$9526$96B6$9KN6$=nm6$Fz==$HBhr$KFT0PL==$MJB+$MJF+$V0N6$V0x6$V5Qk$Vp 6$W07l$WJP6$WJms$aZT6$aqB6$fed3aa$invalid stoi argument$stoi argument out of range$-w
API String ID: 4234742559-3092645269
Opcode ID: 2d52bfbd4a4cd72e42cdfad683ee82688645bb24989abde106406991bea4bcde
Instruction ID: ff43ec9e8becb48db083f42c924c26ddb7561ad5ee53cf97f87cc5cccdd82971
Opcode Fuzzy Hash: 2d52bfbd4a4cd72e42cdfad683ee82688645bb24989abde106406991bea4bcde
Instruction Fuzzy Hash: DE522570A00258DBDF18EF78DD4A79DBBB5AF45300F50419CE445AB282E77D9B84CBA2

Function 007246C0 Relevance: 38.5, APIs: 1, Strings: 23, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00727870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0072795C
Part of subcall function 00727870: __Cnd_destroy_in_situ.LIBCPMT ref: 00727968
Part of subcall function 00727870: __Mtx_destroy_in_situ.LIBCPMT ref: 00727971

Part of subcall function 0071BD60: InternetOpenW.WININET(00768D70,00000000,00000000,00000000,00000000), ref: 0071BDEC
Part of subcall function 0071BD60: InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0071BE10
Part of subcall function 0071BD60: HttpOpenRequestA.WININET(?,00000000), ref: 0071BE5B

std::_Xinvalid_argument.LIBCPMT ref: 00724EA2

Strings

V0N6, xrefs: 0072537A
=nm6, xrefs: 00723567, 007242B4, 007246D4, 00724EFB, 00726AF6
246122658369, xrefs: 00724F4D, 00724F8F, 00724F99, 007254F4
aqB6, xrefs: 007254DB
V0x6, xrefs: 0072541E
stoi argument out of range, xrefs: 00724269, 00724EAC
MJB+, xrefs: 00724776, 007247ED, 00724A95, 00724B0C
-w, xrefs: 00724F3A
5F6, xrefs: 00725497
96B6, xrefs: 00725470
MJF+, xrefs: 007247BD, 007248EC, 00724ADC, 00724C0B
Fz==, xrefs: 0072369E, 00724D2D
WJP6, xrefs: 007253A3
8ZF6, xrefs: 00725502
fed3aa, xrefs: 00725489
9526, xrefs: 0072531D
mP=, xrefs: 00726383, 00726652
Vp 6, xrefs: 00725447
JB6, xrefs: 007253F5
9KN6, xrefs: 00725351
6F9fr==, xrefs: 00724712
KFT0PL==, xrefs: 007254B9
aZT6, xrefs: 007253CC

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequestXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$=nm6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range$-w
API String ID: 2414744145-3014874344
Opcode ID: b5e8e151c4d555dcab880bb60a4ea7b5e8c0f2330d99ae7a9dfa492e21b0b227
Instruction ID: 3da2a512eb3fc94546eb5c24ec9924f86d61f2fc45c6e3806421e9955e367a54
Opcode Fuzzy Hash: b5e8e151c4d555dcab880bb60a4ea7b5e8c0f2330d99ae7a9dfa492e21b0b227
Instruction Fuzzy Hash: D0231671A00168CBEB29DB28DD8979DBB769B81304F5481D8E0486B2C2EB7D5FC4CF91

Function 00722E20 Relevance: 38.1, APIs: 5, Strings: 16, Instructions: 1325COMMON

Download Yara Rule

APIs

Part of subcall function 00727870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 0072795C
Part of subcall function 00727870: __Cnd_destroy_in_situ.LIBCPMT ref: 00727968
Part of subcall function 00727870: __Mtx_destroy_in_situ.LIBCPMT ref: 00727971

std::_Xinvalid_argument.LIBCPMT ref: 0072425F

Strings

8KG0fymoFx==, xrefs: 00722EC7, 00723136
=nm6, xrefs: 00721DE7, 00722E34, 00723567
246122658369, xrefs: 00721EA5, 007227EE, 00722A43, 00722AB0, 00722E88, 00723373, 007233D4
HBhr, xrefs: 0072378F
WWp=, xrefs: 00722A93, 00723359
W07l, xrefs: 00723AEE
invalid stoi argument, xrefs: 00722DE9, 00722DF8, 0072425A
stoi argument out of range, xrefs: 00722E02, 00724269
Fz==, xrefs: 0072369E
", xrefs: 00723E99
8KG0fCKZFzY=, xrefs: 00722F64
WWt=, xrefs: 00721E88, 00722A26, 00722E6E
5120, xrefs: 00723ABF, 00723BAA
V5Qk, xrefs: 00723DC0
WGt=, xrefs: 007227D1, 007233BA
WJms, xrefs: 00723BD9

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: "$246122658369$5120$8KG0fCKZFzY=$8KG0fymoFx==$=nm6$Fz==$HBhr$V5Qk$W07l$WGt=$WJms$WWp=$WWt=$invalid stoi argument$stoi argument out of range
API String ID: 4234742559-734793047
Opcode ID: 15e68d4b5f5e34e9f165e4c52cc28fa1448de6e505f66296c5bb3e335befcfda
Instruction ID: 6f77ea14fcb9095bb34e1f497a49938519782cf147dfc1418568f16356f51ca5
Opcode Fuzzy Hash: 15e68d4b5f5e34e9f165e4c52cc28fa1448de6e505f66296c5bb3e335befcfda
Instruction Fuzzy Hash: ABB21670A00258DBEF18EF68DD4A7DDBBB2AF45304F50415CE445AB282E77D9B84CB92

Function 00715DF0 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=nm6, xrefs: 00715904, 00715B34, 00715C77, 00715DF6, 00715F4B, 007165C7, 0071707C
00000422, xrefs: 00715FD9
00000423, xrefs: 0071600A
00000419, xrefs: 00715FA8
Keyboard Layout\Preload, xrefs: 00715F64
0000043f, xrefs: 0071603B

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$=nm6$Keyboard Layout\Preload
API String ID: 0-1244227919
Opcode ID: 6d89e3e68425e925eaab818fec1b4c30fce6280d034c814e1ae8094e200fe60a
Instruction ID: 2cf1c3ce58c8333aa72431ba091151d1d15393261252b7aca2e82f0093f451ec
Opcode Fuzzy Hash: 6d89e3e68425e925eaab818fec1b4c30fce6280d034c814e1ae8094e200fe60a
Instruction Fuzzy Hash: A3E16E71900268ABEB24DFA4CD8DBDDB779AF04304F5042D9E509A7292E7789BC4CF91

Function 00728E70 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P#q, xrefs: 0071246D
P#q, xrefs: 00712486
=nm6, xrefs: 00728E76
=nm6*, xrefs: 00728E79, 00728F95
=nm6, xrefs: 00712440
=nm6, xrefs: 00728F4C

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: =nm6$=nm6$=nm6$=nm6*$P#q$P#q
API String ID: 0-2052016203
Opcode ID: fc73a722856fbb1b9962a2070b15c6277a581a7d5197826ca10374821559a69c
Instruction ID: d1ced583d722d2e73ae90922fb327d160bc66edf3576705ccb856a5827317033
Opcode Fuzzy Hash: fc73a722856fbb1b9962a2070b15c6277a581a7d5197826ca10374821559a69c
Instruction Fuzzy Hash: 47513A72A00119DBCB14EF68EC419AEB7A9EF44300F144679F915DB342EB39EE1087D2

Function 00717D00 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00717EA3

Strings

=nm6, xrefs: 00717D2B
JmpxQb==, xrefs: 007181B2
JmpyPb==, xrefs: 0071810A
JmpxRL==, xrefs: 00718062

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: =nm6$JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2429494396
Opcode ID: 7802038023d220f58f22a8e34523b111e616c57a5efd142a0cf9d135c96597c5
Instruction ID: 558511f028f43b4ecb2b41c2598ab019d7f0526e54fc5c84164bb2354116106e
Opcode Fuzzy Hash: 7802038023d220f58f22a8e34523b111e616c57a5efd142a0cf9d135c96597c5
Instruction Fuzzy Hash: 6ED1C5B1E04614DBDF28AB2CDD4A3ED7772AB81310F544288E4196B2D2DB3D5EC58BD2

Function 00746E01 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00746E23
GetFileInformationByHandle.KERNEL32(?,?), ref: 00746E7D
__dosmaperr.LIBCMT ref: 00746F12

Part of subcall function 00747177: __dosmaperr.LIBCMT ref: 007471AC

Strings

=nm6, xrefs: 00746E09

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID: =nm6
API String ID: 2531987475-2124781881
Opcode ID: dfaa32f8f6278595a8e661497a466d1b9a1a79634f76689255e322332d84797e
Instruction ID: 05dd5851c3f6146623d8d269036085c07583d592578acfa34db7f64624aedbde
Opcode Fuzzy Hash: dfaa32f8f6278595a8e661497a466d1b9a1a79634f76689255e322332d84797e
Instruction Fuzzy Hash: 15416D75900644EBCB28EFB5E8459AFB7F9EF89300B10442DF596D7211EB38A948CB61

Function 007182B0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00718454

Strings

=nm6, xrefs: 007182DB

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: =nm6
API String ID: 1721193555-2124781881
Opcode ID: 803680c8bed8b1dfd60cecc3805b29c754d41b30d53b523da4aa8a7b81a74f50
Instruction ID: 608dde87d1930f3f0cb0a4fd10573bd69f8f252e19ca9c65f138dca382e33559
Opcode Fuzzy Hash: 803680c8bed8b1dfd60cecc3805b29c754d41b30d53b523da4aa8a7b81a74f50
Instruction Fuzzy Hash: 8E51F671910258DBEB24EF28DD497DDB775EB45310F504299E814A72C1EF399AC08BA2

Function 00718A60 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,?,366D6E3D,?,00000000), ref: 00718AA7

Strings

=nm6, xrefs: 00718A77

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: PathTemp
String ID: =nm6
API String ID: 2920410445-2124781881
Opcode ID: 1d151bef8e3bc164f813e53b86ee02e58d93af5cccbefaa7f21e87cf73ab2ad3
Instruction ID: ef856e2cba7d6fb154dbb103620e5dc9d3de3c167891deaf3cf2f667da168bb1
Opcode Fuzzy Hash: 1d151bef8e3bc164f813e53b86ee02e58d93af5cccbefaa7f21e87cf73ab2ad3
Instruction Fuzzy Hash: 5051D171A011689BDB28DB28CD897DDB775EB46310F0082D9E409A72C2DB795FC5CFA1

Function 00746F71 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00746FB3

Strings

=nm6, xrefs: 00746F79

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID: =nm6
API String ID: 2574697306-2124781881
Opcode ID: a43ef2cd675460ad92dc178d7041efd70985987a302dc918bd0367cba8cad232
Instruction ID: 00882256e663fd43cf7a05597a06f8c300b055d8567d80d5a009c4eb6bb3cdb1
Opcode Fuzzy Hash: a43ef2cd675460ad92dc178d7041efd70985987a302dc918bd0367cba8cad232
Instruction Fuzzy Hash: D511FEB690020CABCB15DE95D944EDFB7BCAF09310F505266E555E7180EB34EB48CB62

Function 0074AF0B Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,366D6E3D,?,=nm6,0072D32C,=nm6,?,007278FB,?,?,?,?,?,?,00717435,?), ref: 0074AF3E

Strings

=nm6, xrefs: 0074AF0D

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: =nm6
API String ID: 1279760036-2124781881
Opcode ID: 53f24edb8cb8449fccfb85bb7d1ba29e8bde5442505c88781fc04adfe0cf7c89
Instruction ID: ad4dcccc70c1c8c4e91816b8885025b54f347dd44238c400596da8a620f0dc47
Opcode Fuzzy Hash: 53f24edb8cb8449fccfb85bb7d1ba29e8bde5442505c88781fc04adfe0cf7c89
Instruction Fuzzy Hash: 46E022B26CA222B6EB6132655C45F6B7B889F923F2F050150EC08A24C1CF2CCC0486F7

Function 00746C99 Relevance: 3.1, APIs: 2, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a91e5ea556aad284927911fb267443f6d18384f9c657363af53fc27ff0cff69
Instruction ID: 34881991a27b7e35b23d1487fe356f84efc24ce63ff6f73106cb8ad8af5fab80
Opcode Fuzzy Hash: 0a91e5ea556aad284927911fb267443f6d18384f9c657363af53fc27ff0cff69
Instruction Fuzzy Hash: 8721C572B05208BAEF117B689C46BAE37299F42778F204354F9243B1D1DB785E05DAA2

Function 00726AE0 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00726B65

Strings

=nm6, xrefs: 007246D4, 00724EFB, 00726AF6

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: =nm6
API String ID: 3472027048-2124781881
Opcode ID: d129ac65da88e3837829634497056e3958441051f6ab4b515fd97f7609940bf7
Instruction ID: b18edda42aa4f110c7b16b8e94fe23c4ca096699d7a44afccd434b2f20194a18
Opcode Fuzzy Hash: d129ac65da88e3837829634497056e3958441051f6ab4b515fd97f7609940bf7
Instruction Fuzzy Hash: 28F0F9B1E00614EBC7147B6CDD0B75D7B75A746760F904358E825672E2EA7C590087D2

Function 052A0273 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3982766687.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab775c0edefac74ad2b758b5a788adbee32d8363c23bcb8b0379b171cbfaf1f9
Instruction ID: 1541aabe608e7aba070e1e7fdb2665d0b227192022fba62a7766da267b2a3662
Opcode Fuzzy Hash: ab775c0edefac74ad2b758b5a788adbee32d8363c23bcb8b0379b171cbfaf1f9
Instruction Fuzzy Hash: 0701C8EB26C220BE7146C5816B68AFB676EE9C6770330C86BF803D5402E2D41E4D6532

Function 052A027C Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3982766687.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0298e4ee62870a8b82505cb28559620f67261a1c7f4d8b7bf1d3aa5a96c841ea
Instruction ID: d606846ea4ebd218f39981c73eac74259a2204d6f0534ad1fce470e2e6c3f251
Opcode Fuzzy Hash: 0298e4ee62870a8b82505cb28559620f67261a1c7f4d8b7bf1d3aa5a96c841ea
Instruction Fuzzy Hash: 47011AFB26C220BF7146C5916B28AFA676ED9C6770330C867F407C6502D2D51E4EA532

Function 052A02E6 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3982766687.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e856f12790de743201cbb617001271d5cb7d1cebd4ae7d54bc47a97c9cab23
Instruction ID: c8827b3197f953be9f351f2a09ae03ed55cac8c52260eb9899fbac5bf16489a3
Opcode Fuzzy Hash: 48e856f12790de743201cbb617001271d5cb7d1cebd4ae7d54bc47a97c9cab23
Instruction Fuzzy Hash: F8012CFB26D220BF7146C1923B68AFA676EE9C6771330C867F407C5501E2D45E4EA631

Function 052A030D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3982766687.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5157c61806a0f7969b173475ac922c12ab2bc5372a2cda689f69f4b62c68f190
Instruction ID: e2f9594c5ac1f9d8de220659777871fe6699410fec5a1af244cbbba1cb359e73
Opcode Fuzzy Hash: 5157c61806a0f7969b173475ac922c12ab2bc5372a2cda689f69f4b62c68f190
Instruction Fuzzy Hash: DC01F7E717D1616F7A06C9912B689F62B6AECC2370330849BF447C8402D1851E4E9131

Function 052A02C2 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3982766687.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75c2b6830770d421c1a091a4ba4f36dedd15c48fe4017118266c5eb5645740c3
Instruction ID: be303bacb23e361ec532b3ded7f84fb6ad6858b6934199b21dc0fdbd1e6c8e62
Opcode Fuzzy Hash: 75c2b6830770d421c1a091a4ba4f36dedd15c48fe4017118266c5eb5645740c3
Instruction Fuzzy Hash: 9001A4E706C250AFF349C6516B68AFA67ADE9C73313348877F443C5002D3D91A4E9132

Function 052A02AC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3982766687.00000000052A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_52a0000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fa471fbf87c147db474693c299277c487b04ebe02ee422c0fbb4c77dd1bcb2
Instruction ID: 00b34f43daae82f47719a5e0fc9a70bcd5d0e85d3d23834b46a5c866b9ff75db
Opcode Fuzzy Hash: 12fa471fbf87c147db474693c299277c487b04ebe02ee422c0fbb4c77dd1bcb2
Instruction Fuzzy Hash: 3BF0C2EB27D260BF7246C6912B2CAFA276DECC677033085A7F442C6041D2C51E4EA132

Non-executed Functions

Function 00753068 Relevance: 11.8, APIs: 1, Strings: 5, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 007531E3

Strings

=nm6, xrefs: 00753073
1#QNAN, xrefs: 00754381
1#INF, xrefs: 0075439E
1#IND, xrefs: 00754373
1#SNAN, xrefs: 0075437A

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN$=nm6
API String ID: 4168288129-701099807
Opcode ID: 2b8fb40343b090b8a7024c8c00df0b3c01527a813e699333d2675ed3a916a834
Instruction ID: 8bd0d7c66970d1eb1824ad51b4e62285cc04f787a2b99a9435fbd9deb5af524f
Opcode Fuzzy Hash: 2b8fb40343b090b8a7024c8c00df0b3c01527a813e699333d2675ed3a916a834
Instruction Fuzzy Hash: 9BC24C71E046288FDB25CF28DD447E9B3B5EB48346F1441EAD84DE7250E7B9AE898F40

Function 00752BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: c723d02971c3ec83adad3c9866ec57a5015692cea7ab5a48009fd282e40c354d
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: B0F17071E002199FDF14CFA8D8806EEB7B1FF49315F15826AD819A7381D775AE06CB90

Function 0072CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0072CE82,?,?,?,?,0072CEB7,?,?,?,?,?,?,0072C42D,?,00000001), ref: 0072CB33

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 19da3aefccb138c24c0e95cc2aee1a2486702813d92b86c7ef4eb28a7ccbc1ab
Instruction ID: 12b98973f25c1cac32e3a81beb521963c61978b047910012fb495717b8e5153f
Opcode Fuzzy Hash: 19da3aefccb138c24c0e95cc2aee1a2486702813d92b86c7ef4eb28a7ccbc1ab
Instruction Fuzzy Hash: 43D0223260263C97CA022B90BC088ADBB089F00FA07008111EC0963A208AF85C504FD8

Function 00747D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00747EFF

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 0af70f86a8d9440814af35bc99dea92d9a98bafe995495b4813aabe1e56cd312
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: FA518970B1C6589BDF3C8A3888DA7BE679A9F51300F140A5DD442EB682CB1DDD49C752

Function 00714AF0 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

=nm6, xrefs: 00714AF9

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: =nm6
API String ID: 0-2124781881
Opcode ID: 467c3ee0e32d2c8c5a06d937a219492e96a58cc802db6d862e5a2dcfe579ba69
Instruction ID: 8b2b7cba40dcba98c8dc1d28d6cb0a9b1a3bc1a5fec182edce8ee61518f1e917
Opcode Fuzzy Hash: 467c3ee0e32d2c8c5a06d937a219492e96a58cc802db6d862e5a2dcfe579ba69
Instruction Fuzzy Hash: EC51A17160C3918FD329CF2D851567ABBE1AF95300F084A9EE4D687292D778DA44CBA2

Function 00714CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5e531c03b10bb820196dd16fd94160776ed84d2c8b917de8b3791f005ea4aa
Instruction ID: 56e575ee3ddc4a1a78d8d844ca8015cdb0745a1cd2d0f9addd93cd843d2e3430
Opcode Fuzzy Hash: 2c5e531c03b10bb820196dd16fd94160776ed84d2c8b917de8b3791f005ea4aa
Instruction Fuzzy Hash: 142250B3F515144BDB4CCB9DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158648

Function 00756F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310b330411fff897bbfefb130f6682f0c5fc500b6e4678a87ae38bd9c8b50a9f
Instruction ID: e6589123d28794d299c4dd9959621ac444f2bf242068847f208be72bfb3caf21
Opcode Fuzzy Hash: 310b330411fff897bbfefb130f6682f0c5fc500b6e4678a87ae38bd9c8b50a9f
Instruction Fuzzy Hash: EEB18B31614608CFD718CF28D486BA57BE0FF45366F258658E899CF2E1C37AE986CB40

Function 0075777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edf356ec1606043db62af8e56c65e394fa19d4ffbf852dcf011cd64aa8d21289
Instruction ID: 08acbd05345a0f1f1a70d48551ac7a20c4030fede2a8ee16b666074f9a64f048
Opcode Fuzzy Hash: edf356ec1606043db62af8e56c65e394fa19d4ffbf852dcf011cd64aa8d21289
Instruction Fuzzy Hash: 9321B673F204394B770CC57E8C572BDB6E1C68C541745823AE8A6EA2C1D96CD917E2E4

Function 0075765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f0304a90eb15e3a61b06d715b515b908f0c1eaeced3ce5f6e63ce0ba39e341
Instruction ID: 2f14ef412fac43ce91cc1080443f9266a73ec2fa9e56d310375fc4d73a99cb6d
Opcode Fuzzy Hash: 44f0304a90eb15e3a61b06d715b515b908f0c1eaeced3ce5f6e63ce0ba39e341
Instruction Fuzzy Hash: 45118A23F30C255B775C817D8C172BAA5D6DBD825071F533AD826E7384E994DE23D290

Function 00758720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 6747ce01ed2b13405c027f22aa3bc7d9fcf4db20beb390af6d38e38d000444a5
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BF115E7720018143E68486BDC8F45F6A795EBDD323B3C4B75C841AB758EDAAD94CDA02

Function 0074645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ee309927180ab63b75a427183837f4b30ab3670a778b7919178eb13b8f40ade
Instruction ID: 926606937d8e8ae22430983214b161e1e050e6beb4c4067622e26b0c68c5f2e7
Opcode Fuzzy Hash: 6ee309927180ab63b75a427183837f4b30ab3670a778b7919178eb13b8f40ade
Instruction Fuzzy Hash: BFE0C230290688FFCF257F28C84DE983B2AEF43750F004800FC044A261CB39EE82CA81

Function 0074A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 3cc575b2015c501114b6223f18dd0002b982bf9542d9b4f549e5c7ed56c3d48c
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 71E0B672955228FBCB15DB998948D8AF2BCEB49B50F554496B501D3251C374DF00C7D1

Function 00712E80 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 272threadCOMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00712F1F
GetCurrentThreadId.KERNEL32 ref: 00712F3E
__Mtx_unlock.LIBCPMT ref: 00712F8C
__Cnd_broadcast.LIBCPMT ref: 00712FA3
__Mtx_unlock.LIBCPMT ref: 007130B5
GetCurrentThreadId.KERNEL32 ref: 007130F2
__Mtx_unlock.LIBCPMT ref: 0071315B

Strings

=nm6, xrefs: 00712E97, 00713014, 007131C3

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
String ID: =nm6
API String ID: 57040152-2124781881
Opcode ID: 96c736f9f5bf1d218f5ded623f5a660121ff189b09f9c9b73a10a57b7bd508d2
Instruction ID: 04c956beee59577ecddd2d2a874d1b2294ab7dc7b20e1dcd87716814aea94c72
Opcode Fuzzy Hash: 96c736f9f5bf1d218f5ded623f5a660121ff189b09f9c9b73a10a57b7bd508d2
Instruction Fuzzy Hash: C1A1F3B0A00619EFDB11DF68D8497AAB7F9FF15310F008169E815D7282EB38EA55CB91

Function 00744770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 007447A7
___except_validate_context_record.LIBVCRUNTIME ref: 007447AF
_ValidateLocalCookies.LIBCMT ref: 00744838
__IsNonwritableInCurrentImage.LIBCMT ref: 00744863
_ValidateLocalCookies.LIBCMT ref: 007448B8

Strings

=nm6, xrefs: 00744822, 0074489F
csm, xrefs: 0074484D

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: =nm6$csm
API String ID: 1170836740-524714076
Opcode ID: 76687c4074cf80031d27c800709085ae2bf3d041f5eaf9acba2610dd31d4d82d
Instruction ID: 7f25432768d21a3bf114c8170b0cd678f85428894f44f612554b322535df5e93
Opcode Fuzzy Hash: 76687c4074cf80031d27c800709085ae2bf3d041f5eaf9acba2610dd31d4d82d
Instruction Fuzzy Hash: 0351D534A00298DFCF10DF68C885BAE7BB9AF45314F148155E8199B353D77AEE06DB90

Function 00712670 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00712806
___std_exception_destroy.LIBVCRUNTIME ref: 007128A0

Strings

=nm6, xrefs: 00712698
P#q, xrefs: 007127BE, 00712899
P#q, xrefs: 00712811

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: =nm6$P#q$P#q
API String ID: 2970364248-1273455053
Opcode ID: be6b1cca08bac641992d884134a53d386332a5f485e9eb2c323395eaf84fd668
Instruction ID: bdd44d2b3156e6eb663dbd22bba1ee528ae59466de265b72c9c90a79eb3ddf62
Opcode Fuzzy Hash: be6b1cca08bac641992d884134a53d386332a5f485e9eb2c323395eaf84fd668
Instruction Fuzzy Hash: 93719271E00248DFDB04DFA8D885BDEFBB5EF59310F14412DE805A7282E778A994CBA5

Function 00727870 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0072795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00727968
__Mtx_destroy_in_situ.LIBCPMT ref: 00727971

Strings

@yr, xrefs: 0072794A
=nm6, xrefs: 00727879, 0072790B

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: =nm6$@yr
API String ID: 4078500453-626301145
Opcode ID: 39562f503d863cb96810aed8d0737577ebb6d52b50c5143e72e3040f72600af5
Instruction ID: a469c923a9caad704a9ef190921c96a0049206b8433768466f93a3dd63ef9591
Opcode Fuzzy Hash: 39562f503d863cb96810aed8d0737577ebb6d52b50c5143e72e3040f72600af5
Instruction Fuzzy Hash: 063116B1904314DFD724DF68E949A6AB7E8EF15310F10063EE985C3242E779FA94C7A1

Function 0072BAA2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0072BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0072BB14
_xtime_get.LIBCPMT ref: 0072BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0072BB43

Strings

=nm6, xrefs: 0072BAA8

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID: =nm6
API String ID: 531285432-2124781881
Opcode ID: 39efc49d017f3dac135ee67a239a3805f9d70b1fcec1e9944f1222076bd86285
Instruction ID: 284b26e8eeadb2f16efcc5799a66fb09064662a6574495c7cd7b58b35a563941
Opcode Fuzzy Hash: 39efc49d017f3dac135ee67a239a3805f9d70b1fcec1e9944f1222076bd86285
Instruction Fuzzy Hash: DD215171E00229DFDF11EFA4EC859BEBBB8EF18710F104065F501A7251DB78AD418BA1

Function 007470C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0074710B

Strings

.bat, xrefs: 0074713A
.com, xrefs: 0074714B
.cmd, xrefs: 00747129
.exe, xrefs: 00747118

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: e0123e4776f682e7089ab7e59b72f621341912adda23af8b801637ae89a683a9
Instruction ID: ebc96bcfda548051a7c3ee6f2c44f8ba8099b12b94c3224fadab6e3c415fa562
Opcode Fuzzy Hash: e0123e4776f682e7089ab7e59b72f621341912adda23af8b801637ae89a683a9
Instruction Fuzzy Hash: 4A01F97770C61A66661C645D9C0667B17989BC2BB472A002BFD54F73C2EF4DEC03C1A0

Function 00712AD0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00712B23

Strings

=nm6, xrefs: 00712AF6
P#q, xrefs: 00712B18
P#q, xrefs: 00712B2E
This function cannot be called on a default constructed task, xrefs: 00712B03

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: =nm6$P#q$P#q$This function cannot be called on a default constructed task
API String ID: 2659868963-63969183
Opcode ID: 0e431ed7ed8cde2e7ce68df33d4cf4d741a8d5e2b1525ae28c1d39e58de901e7
Instruction ID: a7b12bc4813ad76670a0a9dbed5296be22e94601b5cd3fd49c44ccb13da9f3c6
Opcode Fuzzy Hash: 0e431ed7ed8cde2e7ce68df33d4cf4d741a8d5e2b1525ae28c1d39e58de901e7
Instruction Fuzzy Hash: BDF0F670A1030C9BC710DF68A84599EB7ED9F15300F5081ADFC0997201EB78AE948B95

Function 00727040 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0072726C

Strings

=nm6, xrefs: 00727054
`zr, xrefs: 00727282
@.q, xrefs: 00727250

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: =nm6$@.q$`zr
API String ID: 3366076730-1186774250
Opcode ID: c9c8702d337837f748851c41e05e8507df53a86f7e854ca7635ed16f35e81f33
Instruction ID: 312e2b24fbceae79c823bd3e4efe59ee095c4a60a8ae5821bb933fd308c68886
Opcode Fuzzy Hash: c9c8702d337837f748851c41e05e8507df53a86f7e854ca7635ed16f35e81f33
Instruction Fuzzy Hash: B9A138B0A01629CFDB25CFA8D98479EBBF0FF48710F188159E819AB351E7799D01CB90

Function 00754AD4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 00754C8A

Part of subcall function 0074AF0B: RtlAllocateHeap.NTDLL(00000000,366D6E3D,?,=nm6,0072D32C,=nm6,?,007278FB,?,?,?,?,?,?,00717435,?), ref: 0074AF3E

__freea.LIBCMT ref: 00754C93
__freea.LIBCMT ref: 00754CB6

Strings

=nm6, xrefs: 00754ADB

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: __freea$AllocateHeap
String ID: =nm6
API String ID: 2243444508-2124781881
Opcode ID: de238465c5c9696b9b83a0bbb33ceff8dadd365505a8647fbb4ae5ba905f9c56
Instruction ID: 2eff5f7e0330a75ca6fd5226b880034422d42ae8c020b8b5e896361a6fe71548
Opcode Fuzzy Hash: de238465c5c9696b9b83a0bbb33ceff8dadd365505a8647fbb4ae5ba905f9c56
Instruction Fuzzy Hash: 0C510372901216FBEB259F64DC45FFB36A9EF8475AF154128FD0497140E7B8DC8486A0

Function 0072C382 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0072C428
__Xtime_diff_to_millis2.LIBCPMT ref: 0072C472
_xtime_get.LIBCPMT ref: 0072C491

Strings

=nm6, xrefs: 0072C388

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: _xtime_get$Xtime_diff_to_millis2
String ID: =nm6
API String ID: 2858396081-2124781881
Opcode ID: aa4d6f18d93728574ed2406f56515c299fd85db67a112c035b68fdcae1276a69
Instruction ID: 9be4481b9a0332343fd585f76abed6ba58d6c6ae34b7856e8a516292c893e4fc
Opcode Fuzzy Hash: aa4d6f18d93728574ed2406f56515c299fd85db67a112c035b68fdcae1276a69
Instruction Fuzzy Hash: 0951B430900165CFCF21EF24E5E59BEBBA4FF24300B21889AD8069B255D778ED41CF95

Function 0071DFD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(?,?,00000004,00000000), ref: 0071E01B
recv.WS2_32(?,?,00000008,00000000), ref: 0071E050

Strings

=nm6, xrefs: 0071DFE4

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: recv
String ID: =nm6
API String ID: 1507349165-2124781881
Opcode ID: 7c52fe36f8d99b6bce6f4266194fba242d903277287900e46d7ab4b18f4722f9
Instruction ID: 6e4af6de4e6a0b641bfe561099b1deb825f54c2c9fa3d8d59a0291517569f420
Opcode Fuzzy Hash: 7c52fe36f8d99b6bce6f4266194fba242d903277287900e46d7ab4b18f4722f9
Instruction Fuzzy Hash: 013128B19002489FD710CB6CDC85BEE77A8EB0C774F104225E915E72C1DA7DA884CFA4

Function 00712440 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0071247E

Strings

P#q, xrefs: 0071246D
P#q, xrefs: 00712486
=nm6, xrefs: 00712440

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: =nm6$P#q$P#q
API String ID: 2659868963-1273455053
Opcode ID: e3f029e470ea36a0e6cc2710d1b3eb03f3f04f072cc4fdb795e8fba0f6bff143
Instruction ID: 8b2c40ad88ee7cc96d0336e78e92bc8a90d92870620fbe10cb82ba2dd6f46d6d
Opcode Fuzzy Hash: e3f029e470ea36a0e6cc2710d1b3eb03f3f04f072cc4fdb795e8fba0f6bff143
Instruction Fuzzy Hash: F9F0E5B191020CA7C714EBE8D80AC8AB7ACDE15310B008A35FA69E7501FBB8FA5487D1

Function 00712520 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00712552

Strings

=nm6, xrefs: 00712526
P#q, xrefs: 00712547
P#q, xrefs: 0071255D

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: =nm6$P#q$P#q
API String ID: 2659868963-1273455053
Opcode ID: ea62136a9f254b2a35388bb74528039d6f8460d7041d6df39d18398c159356ec
Instruction ID: 8138de412bf035f7fb269932be9619d63e1462c1bac05830258a0c2c062bacdd
Opcode Fuzzy Hash: ea62136a9f254b2a35388bb74528039d6f8460d7041d6df39d18398c159356ec
Instruction Fuzzy Hash: 33F0A771E1120DDBC715DF68D84198EBBF4AF55300F1082AEE84567201EB745A55CBD9

Function 0074C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0074CA37

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: 1f261072dca00382767c1a5c4b3fc60a06c51000fec6879011763557bba0dfa2
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: BBB13772A022859FDB52CF28C8817BEBBE5EF55340F1481AAD845EB341E73C9D41CB60

Function 0074FB7F Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 322COMMON

Download Yara Rule

APIs

__fassign.LIBCMT ref: 0074FDA6
__fassign.LIBCMT ref: 0074FDC3

Strings

=nm6, xrefs: 0074FB8A

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: __fassign
String ID: =nm6
API String ID: 3965848254-2124781881
Opcode ID: 64c809fb75953dadb16b58f9922ef9d121fd150c59a44e5726384999c56ff61f
Instruction ID: c0b25e8e0d5184f91f3a67feb191bc889ef1e030df17694568bc0d6b89fde5fd
Opcode Fuzzy Hash: 64c809fb75953dadb16b58f9922ef9d121fd150c59a44e5726384999c56ff61f
Instruction Fuzzy Hash: 1FC19A71E012589FCF15CFA8C8809EDBBB5FF49314F28416AE855BB252D734AE46CB60

Function 0071DAF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

=nm6, xrefs: 0071DAF6, 0071DC3F
list too long, xrefs: 0071DFAD

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: =nm6$list too long
API String ID: 0-2474633022
Opcode ID: e47aeee97441fd42b47c55112d53155edaa87a69ad98b9e5fcf60aedadd8af3e
Instruction ID: 5f37cc8f96bf6b57437ad6928d3a7236550dc520cd75ff4308d4d5ac4295ac4e
Opcode Fuzzy Hash: e47aeee97441fd42b47c55112d53155edaa87a69ad98b9e5fcf60aedadd8af3e
Instruction Fuzzy Hash: 5B61A4B0D44718DBDB20DF24DC49B99B7B8EF14310F0081A9E81D97291EB78AE95CF55

Function 0074F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0074F263

Strings

8"w, xrefs: 0074F30B
`'w, xrefs: 0074F235

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"w$`'w
API String ID: 3903695350-1951729946
Opcode ID: 44c38741897e436533c3c3db4f5d282a9e727d0ea9ab0320b38d3022d9adc4dc
Instruction ID: 6f246faa39c911f3b9a9a40f0fc56ecadda00e54cf908ec52d7bd9c7270d81db
Opcode Fuzzy Hash: 44c38741897e436533c3c3db4f5d282a9e727d0ea9ab0320b38d3022d9adc4dc
Instruction Fuzzy Hash: 3E313C31A40305EFEB61AF78E949B6A73E9BF44360F144429E45AD7151DF79EC808B21

Function 00713930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00713962
__Mtx_init_in_situ.LIBCPMT ref: 007139A1

Strings

pBq, xrefs: 00713940

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pBq
API String ID: 3366076730-1325260143
Opcode ID: 93b6e9790958df476948946825f0e70848998ca14b2db53dc4078c0d8ae4a73d
Instruction ID: 067cbc7a5dd966b081857ee625c919f34d032a3242414af1ca9dec596fe68950
Opcode Fuzzy Hash: 93b6e9790958df476948946825f0e70848998ca14b2db53dc4078c0d8ae4a73d
Instruction Fuzzy Hash: 834116B0501B059FD720CF19C588B9ABBF4FF44315F148619E96A8B381E7B9EA59CB80

Function 007128C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0071299F

Strings

=nm6, xrefs: 007128D5
P#q, xrefs: 00712991

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: =nm6$P#q
API String ID: 2659868963-3761233869
Opcode ID: 7414b1d3b8e207390b227545a10e62b1c273b8fc6285368473f1232c74de4d52
Instruction ID: 4eeb3884d745a7c3709ed44bea287d1e2a2caeb929ecfef9b562b0f6eba2f663
Opcode Fuzzy Hash: 7414b1d3b8e207390b227545a10e62b1c273b8fc6285368473f1232c74de4d52
Instruction Fuzzy Hash: A03195B1A102099FC714DF58C845BDEFBF9EF49720F10462AF815A7781E778A954CBA0

Function 0071E270 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0071E409

Strings

=nm6, xrefs: 0071E280
invalid stoi argument, xrefs: 0071E404

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: =nm6$invalid stoi argument
API String ID: 909987262-2812719210
Opcode ID: 22b9f9e176c8257b4a6d8693453380ff795ce37baab366fe0f1600d58299a161
Instruction ID: ee46ac43efcdbc23aa6b8925dcf5491827b7b69976d831ffd014d9187c9391ac
Opcode Fuzzy Hash: 22b9f9e176c8257b4a6d8693453380ff795ce37baab366fe0f1600d58299a161
Instruction Fuzzy Hash: 17F09671900754DBD730AB289C0AAAB33D8EB55350F508835FD5493152E77CAD40D6F7

Function 007122A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 007122D2

Strings

=nm6, xrefs: 007122A6
P#q, xrefs: 007122C7

Memory Dump Source

Source File: 00000006.00000002.3937837542.0000000000711000.00000040.00000001.01000000.00000008.sdmp, Offset: 00710000, based on PE: true

Associated: 00000006.00000002.3937689077.0000000000710000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3937837542.0000000000772000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938062654.0000000000779000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.000000000077B000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000909000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.00000000009EA000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A19000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A21000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3938129496.0000000000A31000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939241627.0000000000A32000.00000080.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3939894959.0000000000BD6000.00000040.00000001.01000000.00000008.sdmpDownload File
Associated: 00000006.00000002.3940024258.0000000000BD8000.00000080.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_710000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: =nm6$P#q
API String ID: 2659868963-3761233869
Opcode ID: 2ae8d5fe98facddb68328da5984ba5ef13495f800f9e1c1d48f2909e0b167778
Instruction ID: 7f141566830226227638e59520ba4b1ca449919182c1e80ec9d3633f4ef071b9
Opcode Fuzzy Hash: 2ae8d5fe98facddb68328da5984ba5ef13495f800f9e1c1d48f2909e0b167778
Instruction Fuzzy Hash: 1DF0A771E1020CDBC715DF68D84198EBBF49F55300F1082AEE80567201EA745A55CB99

Analysis Process: crypted.exePID: 6696, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	29.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.8%
Total number of Nodes:	31
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02F92555 Relevance: 26.5, APIs: 11, Strings: 4, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 02F926C4
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02F926D7
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 02F926F5
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02F92719
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 02F92744
TerminateProcess.KERNELBASE(?,00000000), ref: 02F92763
WriteProcessMemory.KERNELBASE(?,00000000,?,?,00000000,?), ref: 02F9279C
WriteProcessMemory.KERNELBASE(?,?,?,?,00000000,?,00000028), ref: 02F927E7
WriteProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 02F92825
Wow64SetThreadContext.KERNEL32(?,?), ref: 02F92861
ResumeThread.KERNELBASE(?), ref: 02F92870

Strings

GetP, xrefs: 02F925D7
Load, xrefs: 02F92593
ress, xrefs: 02F925DF
aryA, xrefs: 02F9259B

Memory Dump Source

Source File: 00000009.00000002.1948747415.0000000002F92000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F92000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2f92000_crypted.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: GetP$Load$aryA$ress
API String ID: 2440066154-977067982
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 06b4cccccaee06edde702a1921488a1e65b49bf2f24e2f771de96e822fac75cb
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: 31B1E37664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CEB341D774FA418B94

Function 01490B3A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 343
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03F93594,?,?,?), ref: 01490FB9

Strings

#l>@, xrefs: 01490DA9
<1i;, xrefs: 01490CBC

Memory Dump Source

Source File: 00000009.00000002.1948522584.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_crypted.jbxd

Similarity

API ID: ProtectVirtual
String ID: #l>@$<1i;
API String ID: 544645111-2199172079
Opcode ID: 9a212bab367e719c7618532690804e4a83cab6b369a6e540745a0e53aeb3396d
Instruction ID: da511b98cb17f5a224dcd8344aa4c47abfae89e59bd74b2102d4c39dc90d7d6b
Opcode Fuzzy Hash: 9a212bab367e719c7618532690804e4a83cab6b369a6e540745a0e53aeb3396d
Instruction Fuzzy Hash: 6CD18EB0D002588FDF15CFA9C980BAEBFB6BF44314F24855AE459AB366C3749981CF90

Function 01490504 Relevance: 1.6, APIs: 1, Instructions: 69
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateRemoteThread.KERNELBASE(?,00000000,?,?,00000000,?,?), ref: 0149109C

Memory Dump Source

Source File: 00000009.00000002.1948522584.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_crypted.jbxd

Similarity

API ID: CreateRemoteThread
String ID:
API String ID: 4286614544-0
Opcode ID: 0e698d51544b982954c5e2b0cba85333c02ec12a348a76af1aae87a17ae2efb2
Instruction ID: 2e5343b33e27f26a7a691dcf7265080051105c147684156a966dfb0e5dcce94c
Opcode Fuzzy Hash: 0e698d51544b982954c5e2b0cba85333c02ec12a348a76af1aae87a17ae2efb2
Instruction Fuzzy Hash: C331F2B59002499FCF10CF9AD884ADEBBF5FB48310F20842AE918A7350D375A950CBA5

Function 01490FF8 Relevance: 1.6, APIs: 1, Instructions: 68
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateRemoteThread.KERNELBASE(?,00000000,?,?,00000000,?,?), ref: 0149109C

Memory Dump Source

Source File: 00000009.00000002.1948522584.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_crypted.jbxd

Similarity

API ID: CreateRemoteThread
String ID:
API String ID: 4286614544-0
Opcode ID: ac86906604b6be51e923fb9eb07cd36c466b44a37866b9190eae272a69f34de9
Instruction ID: bb796f6490fe8a677b3950a633f21880389ab545fdb514a89b4347b964bf73e5
Opcode Fuzzy Hash: ac86906604b6be51e923fb9eb07cd36c466b44a37866b9190eae272a69f34de9
Instruction Fuzzy Hash: 2431F3B5900249DFCF20CF99D884ADEBBF1FB48310F20842AE918A7350D375A950CFA5

Function 014904F8 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(03F93594,?,?,?), ref: 01490FB9

Memory Dump Source

Source File: 00000009.00000002.1948522584.0000000001490000.00000040.00000800.00020000.00000000.sdmp, Offset: 01490000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1490000_crypted.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 19456bf3ad2984e7336cd6dd09e2262df31365b9f9bcf5d7bb7dfd5d878e3f9b
Instruction ID: 827c397726cc6bc0e5bbe6182c1ec8c6934dcf584b2ef21f6b0056cfbbaa078d
Opcode Fuzzy Hash: 19456bf3ad2984e7336cd6dd09e2262df31365b9f9bcf5d7bb7dfd5d878e3f9b
Instruction Fuzzy Hash: 5321E5759016599FDB10DF9AD884BDEFBB4FB48310F10811AE918A7350C3B4A954CFE5

Analysis Process: RegAsm.exePID: 7116, Parent PID: 6696COMMON

Execution Graph

Execution Coverage:	10.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.9%
Total number of Nodes:	122
Total number of Limit Nodes:	9

Executed Functions

Function 06FF3E78 Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06FF3EDD

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c2ee8c00af98dea0ef0445d75bec88851f0217d9bb34a35100f9dc4cfd591a26
Instruction ID: 56df88e69ca90072a94fad49cb46691d2852399e8229b0b7aaf5444517eccfe7
Opcode Fuzzy Hash: c2ee8c00af98dea0ef0445d75bec88851f0217d9bb34a35100f9dc4cfd591a26
Instruction Fuzzy Hash: B521DB75E01218DFDB48DFA9E884ADDBBB2BF89310F10906AE505B7360DB306844CBA4

Function 0925DC70 Relevance: 1.6, APIs: 1, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0925DCDD

Memory Dump Source

Source File: 0000000D.00000002.2124723889.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9250000_RegAsm.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 80b8467e3f9cf4464ba964226cbe633e3da74fd20e6aecc47728c52c80597d4e
Instruction ID: 026f79656dfe81b922cacbaf9dbf57941bfb15a9bcd6606517cff84f900a3401
Opcode Fuzzy Hash: 80b8467e3f9cf4464ba964226cbe633e3da74fd20e6aecc47728c52c80597d4e
Instruction Fuzzy Hash: 1E2167B2800689DFDB10CFA9C944BDEBFF1EF48320F14841AE914A7210C339A554CFA4

Function 0925DC78 Relevance: 1.6, APIs: 1, Instructions: 52encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 0925DCDD

Memory Dump Source

Source File: 0000000D.00000002.2124723889.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9250000_RegAsm.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 0f5ff8b6b3a84c83e23515abcf03420a42d3e9de21bf1ab70d347bf331d5d2af
Instruction ID: d24d4e5c7d74154aa58102f0564569c1072bd4f5611ba0f5f7df6229199f6a5c
Opcode Fuzzy Hash: 0f5ff8b6b3a84c83e23515abcf03420a42d3e9de21bf1ab70d347bf331d5d2af
Instruction Fuzzy Hash: CE1146B2800649DFDB10CF9AC944BDEBFF5EF48320F148419E918A7250C379A554DFA5

Function 06C33F50 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e32337fdd1e2ee7b70f47255b3612b3c6d3f1c980c0fe9de80aa76cfc701e06
Instruction ID: e840ee1419922ad8da297908d8f7accb1330ab96afd9b665038a7666a7a07ca0
Opcode Fuzzy Hash: 4e32337fdd1e2ee7b70f47255b3612b3c6d3f1c980c0fe9de80aa76cfc701e06
Instruction Fuzzy Hash: 99126234B002258FDB58DF69C894AAEBBF6BF89600B14816DE905EB365DF31DD41CB90

Function 093293B8 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2130813565.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9320000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1620ff54da0cc427066d5209a942d8a478096434d3b6b895f30418941e4059a1
Instruction ID: 8a0336f90057481787d0b88b30dccc838c88105f2eed4229d855e464538d69ad
Opcode Fuzzy Hash: 1620ff54da0cc427066d5209a942d8a478096434d3b6b895f30418941e4059a1
Instruction Fuzzy Hash: 5C329F74E01228CFDB65DF65C990BDEBBB2BB89300F5081E9D50AAB250DB359E81CF54

Function 06C367D8 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9667f527ce3967c81b61defc130976adc8acb1b127776c7911b5ce3b03bb6e64
Instruction ID: e638f322f0bf659b5ea88f2c05f37061fe94416f388e9aecb0d4c90a779d0367
Opcode Fuzzy Hash: 9667f527ce3967c81b61defc130976adc8acb1b127776c7911b5ce3b03bb6e64
Instruction Fuzzy Hash: D2F19171A00225AFDF54DF69D880B9EBBF2FF88300F14856AE505AB261DB34DD45CB90

Function 06C3A688 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a12716cd3eefbb667d286cbe42851e667bdcc61bdce60ffd0e525d3a472b403f
Instruction ID: b25fe1af454ee5a189e1998ad4490b9001fe7f85e81375322f3678eca6f64645
Opcode Fuzzy Hash: a12716cd3eefbb667d286cbe42851e667bdcc61bdce60ffd0e525d3a472b403f
Instruction Fuzzy Hash: E6D1F570D02218CFCB14EFB4D854A9DBBB2FF8A301F5085A9D44AAB294DB399D85CF51

Function 016DD0A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016DD136
GetCurrentThread.KERNEL32 ref: 016DD173
GetCurrentProcess.KERNEL32 ref: 016DD1B0
GetCurrentThreadId.KERNEL32 ref: 016DD209

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 44f42ee64e5c8de9ecc79976829a4b9c83d8d365136f08f063e7c6b5f05e5737
Instruction ID: 5a3fef303a6fffa829e3c18963e0ae7f283fe930d7145974f8a0ef910334d4f3
Opcode Fuzzy Hash: 44f42ee64e5c8de9ecc79976829a4b9c83d8d365136f08f063e7c6b5f05e5737
Instruction Fuzzy Hash: 465158B0D007498FDB18DFAAD948BDEBBF1EF88314F248459D019A73A0D7785984CB65

Function 016DD0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 016DD136
GetCurrentThread.KERNEL32 ref: 016DD173
GetCurrentProcess.KERNEL32 ref: 016DD1B0
GetCurrentThreadId.KERNEL32 ref: 016DD209

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 1d0bfd3e5c6fde22867abd9cd40da8171b3be082bbaf5f7858bbbb7504ad335c
Instruction ID: 18eca2ce901d676226147993cd6014363aef7d379080d2b3115e647de1d210aa
Opcode Fuzzy Hash: 1d0bfd3e5c6fde22867abd9cd40da8171b3be082bbaf5f7858bbbb7504ad335c
Instruction Fuzzy Hash: 8C5138B0D007498FDB14DFAAD948B9EBBF1EF88314F208459E519A73A0D7385984CB65

Function 06C10597 Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JlPj, xrefs: 06C1059C

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID: JlPj
API String ID: 0-2214363155
Opcode ID: 24fb6a2c0df10670ce6da925b43c014e8bc4e29408a7be6c22ed1ef7061eb6a6
Instruction ID: 0fa916a4dbf4dce42b41ac6277e0304672238e1e84ba05bf7822c2891333fa8f
Opcode Fuzzy Hash: 24fb6a2c0df10670ce6da925b43c014e8bc4e29408a7be6c22ed1ef7061eb6a6
Instruction Fuzzy Hash: 4F029B307006148FEB549F64D854A2E76B2FFCAA04F40495DD902AF3A1CFB9ED85CB96

Function 016DAE30 Relevance: 1.7, APIs: 1, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016DB086

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 26fba084688f0b1d8340eaaaca8b3189e66050324e6aff9f6cca897e85232128
Instruction ID: 67944cfdba2d991999bf422f1bf560a5344a7614bb5cb6a8420c60cee387f467
Opcode Fuzzy Hash: 26fba084688f0b1d8340eaaaca8b3189e66050324e6aff9f6cca897e85232128
Instruction Fuzzy Hash: A48168B0A04B058FDB24DF6AD84075ABBF1FF88204F048A6DD446D7B51D775E846CB90

Function 06FF3C97 Relevance: 1.6, APIs: 1, Instructions: 132
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 06FF3DF0

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a7a8d3adf3797cf3b723612ef327688a03978dec2e802f50c7b7d07ada5480cb
Instruction ID: cfd8698efd7398fe29fe310c567cd0a5c71088c1e854f0579f5e679e8510fe68
Opcode Fuzzy Hash: a7a8d3adf3797cf3b723612ef327688a03978dec2e802f50c7b7d07ada5480cb
Instruction Fuzzy Hash: 3551F575E01208DFEB48DFA5E4946DEBBB2FF89300F10806AE515AB364DB345946CF91

Function 016D5935 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 016D59F1

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 14b750b84dbd31c5a3ed7e04e16914e3a7c560344d61174eba9b3946f0654b57
Instruction ID: dc73bcc1f801a0b260055557c2bfca520132d1e99f0f162b4eb355a8b2742272
Opcode Fuzzy Hash: 14b750b84dbd31c5a3ed7e04e16914e3a7c560344d61174eba9b3946f0654b57
Instruction Fuzzy Hash: 1741F1B0C00729CFEB24CFA9C984B9EBBF5BF49304F24806AD409AB251DB755946CF91

Function 016D4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 016D59F1

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 87393fb6a6bf41efd3969c1e4833cc0fb45d87cf2b4a6048672f2f0434dbafc3
Instruction ID: 548fbe6de6f00813dd8d62d767c7e66635345324cf32ac5f93f281f8fa70548c
Opcode Fuzzy Hash: 87393fb6a6bf41efd3969c1e4833cc0fb45d87cf2b4a6048672f2f0434dbafc3
Instruction Fuzzy Hash: 9741B070C00768CFDB24CFA9C984B9EBBF5BF49704F24806AD409AB251DB756946CF91

Function 06FF3D1A Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06FF3DF0

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cbac044a30d0bba84c13ed04db347c5b078f2b69971da74d12918a9b9cb49b73
Instruction ID: 649805b4d4e69b9c150bcf0161857948f1133912c4d64e62dbc0dcf637654822
Opcode Fuzzy Hash: cbac044a30d0bba84c13ed04db347c5b078f2b69971da74d12918a9b9cb49b73
Instruction Fuzzy Hash: 8C319F74E01208DFDB04EFE4E590A9EBBB2FF89300F60806AD516AB254DB396D45CF91

Function 016DD2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DD387

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed3d235fe27de906141135e8d72399cecdf8009926cca5824079edc5c2aa7558
Instruction ID: 2688df642d77b1dee9a4d922b7b559dab511097e8eee61c767e2b5feb7af80ba
Opcode Fuzzy Hash: ed3d235fe27de906141135e8d72399cecdf8009926cca5824079edc5c2aa7558
Instruction Fuzzy Hash: 3921E3B5D002489FDB10CFAAD984ADEBBF5EB48324F14841AE918A3350C778A945CF64

Function 016DD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 016DD387

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 50582338a5e2c34d96da79f0599f4ccfad21a04fc54dbc07319455c708019185
Instruction ID: a1eb9d22d052a38426a144860a439e2d19aa5d6bb30f8d3cc2821e5c0f5b27e8
Opcode Fuzzy Hash: 50582338a5e2c34d96da79f0599f4ccfad21a04fc54dbc07319455c708019185
Instruction Fuzzy Hash: B821E4B5D002489FDB10CFAAD984ADEBFF4EB48320F14841AE918A3350D778A944CFA4

Function 06FF3AC0 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 06FF3B36

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: KeyboardLayout
String ID:
API String ID: 194098044-0
Opcode ID: 82e8f6e89ad9761c50114560c9c3f5c688ad81ea351ae74a45ef7750b4aed86d
Instruction ID: 1d70b833abbe891dd90611088d6ffe124bec9e86749fdf7d115e5f7773964abf
Opcode Fuzzy Hash: 82e8f6e89ad9761c50114560c9c3f5c688ad81ea351ae74a45ef7750b4aed86d
Instruction Fuzzy Hash: F9117CB1D017488FCB20DFA9D8187DEBFF4EF49220F10885AD614A7250C739A544CFA5

Function 016DA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016DB101,00000800,00000000,00000000), ref: 016DB312

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: dd6a953fb17eabe93da2d5a02d19c6fb95c840ae1bb1509d845fbfbbed44dd70
Instruction ID: 9cc64cefa742cdb82d7556cce4a05c39bc054783c063b39674d6466d669b42c0
Opcode Fuzzy Hash: dd6a953fb17eabe93da2d5a02d19c6fb95c840ae1bb1509d845fbfbbed44dd70
Instruction Fuzzy Hash: 191103B6C007498FDB20CF9AC844AEEFBF4EB89710F15842ED919A7200C778A545CFA4

Function 09251788 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,092516EE), ref: 092517F6

Memory Dump Source

Source File: 0000000D.00000002.2124723889.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9250000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3be4598a568bb815dbbdb1efcd83605016bfc673af149adf4b40563dd1dc5da8
Instruction ID: 644f7e9ed2f72ef873cf36ec43eceb26cdbbc533dcc5a8408b9c6e14eb0029a3
Opcode Fuzzy Hash: 3be4598a568bb815dbbdb1efcd83605016bfc673af149adf4b40563dd1dc5da8
Instruction Fuzzy Hash: 881114B5C006598FDB14CFAAC444BDEFBF4EF89324F14842AD819A7211C379A545CFA1

Function 09251314 Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,?,?,?,?,00000000,00000E58,?,?,092516EE), ref: 092517F6

Memory Dump Source

Source File: 0000000D.00000002.2124723889.0000000009250000.00000040.00000800.00020000.00000000.sdmp, Offset: 09250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9250000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a658ccda14fcdf7452be94032a57e7d7dba1aec889ab3fbe585ffab094b3f7bb
Instruction ID: a89cda68acfd5b6009f19cbe6b4a020695321cb895e8d7049e4abf9b39bdfd31
Opcode Fuzzy Hash: a658ccda14fcdf7452be94032a57e7d7dba1aec889ab3fbe585ffab094b3f7bb
Instruction Fuzzy Hash: 9A1126B5C147498BDB10CF9AC444BDEFBF8EB88210F14841AD819B7610D378A545CFA4

Function 016DB2A4 Relevance: 1.6, APIs: 1, Instructions: 52libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,016DB101,00000800,00000000,00000000), ref: 016DB312

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9939c0e74305d4a0b79954168560268c425c8e7c7f16ad38e3412b536814f2f5
Instruction ID: 2f59604dbf55d67a13f84d0e1c69aea612c58d047effacb842291f378454983a
Opcode Fuzzy Hash: 9939c0e74305d4a0b79954168560268c425c8e7c7f16ad38e3412b536814f2f5
Instruction Fuzzy Hash: 781112B6C002488FDB14CFAAC844ADEFBF4EB89720F15842ED919A7200C778A545CFA4

Function 0932A33F Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0932AF8D

Memory Dump Source

Source File: 0000000D.00000002.2130813565.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9320000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 43c46a9e7fe6f20d6e220bca95da1118561b0ff6e547f88df34ddf5ffdd55336
Instruction ID: 98b316f887f31c928031c193df8911b4b2c7204dd2dcd9ace956bba04489d956
Opcode Fuzzy Hash: 43c46a9e7fe6f20d6e220bca95da1118561b0ff6e547f88df34ddf5ffdd55336
Instruction Fuzzy Hash: E7116AB5804358DFCB10CF9AC848BEEBFF8EB48310F14845AE514A7641C378A544CFA1

Function 06FF3BC8 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06FF3C25

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 40bf4bd88bb9021be8c20acfc358a6c15882f84f0d8ac64d1a5ec6a2514f148f
Instruction ID: 3fe98fce8c0e47aeb06e511da56da041b34e49c8ac1be1fbcf0ab3943b1bde35
Opcode Fuzzy Hash: 40bf4bd88bb9021be8c20acfc358a6c15882f84f0d8ac64d1a5ec6a2514f148f
Instruction Fuzzy Hash: 321133B2C007888FCB20CF9AD848BCEBBF8EB48324F10841AD518A7610C378A544CFA5

Function 06FF08D4 Relevance: 1.5, APIs: 1, Instructions: 49comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06FF3C25

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 0450baeddc1de11a5cd74cff4619782ecbab311d26648cf1d490fe1966c1826c
Instruction ID: d0a2c7a824534a1a24a98aaec3b338a76f7789f776b763170e9f2065c1cb046c
Opcode Fuzzy Hash: 0450baeddc1de11a5cd74cff4619782ecbab311d26648cf1d490fe1966c1826c
Instruction Fuzzy Hash: 1E1116B1C047888FCB10DF9AC548BDEBBF4EF49324F148859D658A7610D378A545CFA5

Function 0932A3A8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0932AF8D

Memory Dump Source

Source File: 0000000D.00000002.2130813565.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9320000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 843317fd5dba3f295c9672b6d9ed7b3f0c98abd3e600d057e0663ecc18ca669a
Instruction ID: b84e2a20731d0d3dddfcf570f6bb8cb6674d861130b240ce3cc1e5f9d54e9f14
Opcode Fuzzy Hash: 843317fd5dba3f295c9672b6d9ed7b3f0c98abd3e600d057e0663ecc18ca669a
Instruction Fuzzy Hash: F31118B5800758DFDB10CF9AD984BDEFBF8EB48720F10841AE514A7640D378A954CFA5

Function 016DB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 016DB086

Memory Dump Source

Source File: 0000000D.00000002.2086274379.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_16d0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: bd10dc5e7d5a87a2f4a5fb19ab2ad94d14bfb8df336bd23ad5356c37db0f4e37
Instruction ID: 924d5f5a5d558b9f038889f5bd7dd75f1d6da27ee6be0f9147c0e72ea5466d6e
Opcode Fuzzy Hash: bd10dc5e7d5a87a2f4a5fb19ab2ad94d14bfb8df336bd23ad5356c37db0f4e37
Instruction Fuzzy Hash: 951110B6C007498FDB20CF9AC844BDEFBF4EB89624F14841AD528B7210C379A549CFA5

Function 0932AF28 Relevance: 1.5, APIs: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 0932AF8D

Memory Dump Source

Source File: 0000000D.00000002.2130813565.0000000009320000.00000040.00000800.00020000.00000000.sdmp, Offset: 09320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_9320000_RegAsm.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 99848d51aeafbc785fe65880bbaf3f8ba444385f51fc89eb9e0a6fce8201e5a3
Instruction ID: bb99602bfa35b5a00fd7ed918793040347c9e51657ae39a8d6fae4278dccdf69
Opcode Fuzzy Hash: 99848d51aeafbc785fe65880bbaf3f8ba444385f51fc89eb9e0a6fce8201e5a3
Instruction Fuzzy Hash: 0B11F2B58006489FDB10CF9AD885BEEBFF4EB58720F10841AE518A7610C379A954CFA1

Function 06FF08DC Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06FF3C25

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 40b8d048b917ac89c45f7b8d685bd6883c237b48108b04dd9b48901ff4293424
Instruction ID: d815a4f4e40e041c4d4db3b529439b256dc0fb2a236ed914c44962d79c145d8a
Opcode Fuzzy Hash: 40b8d048b917ac89c45f7b8d685bd6883c237b48108b04dd9b48901ff4293424
Instruction Fuzzy Hash: DF1103B69107488FDB20DF9AD548BDEBBF8EB48324F108819D618A7610D378A944CFA5

Function 06C11BA0 Relevance: 1.5, Instructions: 1451COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad1d29da89783d88b161b108ba253e94edf63dd3e60863519f00b8d703a5f488
Instruction ID: a1c299b4a7bfbdace41a55b8790100d88ad044db0670bc107d857757bc81f0a9
Opcode Fuzzy Hash: ad1d29da89783d88b161b108ba253e94edf63dd3e60863519f00b8d703a5f488
Instruction Fuzzy Hash: 4AC27F74B002189FDB54DF64CD54BADBBB6EF89700F104099EA09AF3A1DB71AE81CB51

Function 06C13838 Relevance: 1.0, Instructions: 1023COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1167531407103dc97d1584b6be084180c4e454b79a51c9682d28aef36d409c
Instruction ID: 539d30f3a95b5780ac5e02466976eb2d0a4058a338cb9f80bc60b94981f87a30
Opcode Fuzzy Hash: ba1167531407103dc97d1584b6be084180c4e454b79a51c9682d28aef36d409c
Instruction Fuzzy Hash: 76823A74B002049FCB44DF68C994E6ABBF6FF89704F158099E606EB3A1DB71ED418B61

Function 06C100D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35e47baeab9523c02768d55f06f847005a21267bd0c1b367998b50ae59411fc2
Instruction ID: 691d40cbef407b246aec5c4c8c6c9ed524445669ba641801d23ec6ae30ced8e2
Opcode Fuzzy Hash: 35e47baeab9523c02768d55f06f847005a21267bd0c1b367998b50ae59411fc2
Instruction Fuzzy Hash: 96426C307007149FEB64AF64D854A2E76B2FFC6A04B41495DC503AF390CFB9ED858B96

Function 06C10D80 Relevance: .6, Instructions: 632COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18230a93d7fb0df81a4717db3247622eecca9f75e98680748b2c2a67041a4e13
Instruction ID: 049dbf0e0cb675c8df699a159818186591a6c6657bcdff6f5ef77cf945bbb9d3
Opcode Fuzzy Hash: 18230a93d7fb0df81a4717db3247622eecca9f75e98680748b2c2a67041a4e13
Instruction Fuzzy Hash: 9032F130B00245DFDB45DBA5C844A6EBBF6FF8A600B18805AE906CB7A1CB78DD41DB91

Function 06C348B8 Relevance: .6, Instructions: 593COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37691f790b2002b5615a854bdeeef2602ed9a89ccb162a14371ebd9eadf4ba90
Instruction ID: bba8ee335a39aa6612480ac9554ade30ad268d2be165cbd61c11a3b69858c8bd
Opcode Fuzzy Hash: 37691f790b2002b5615a854bdeeef2602ed9a89ccb162a14371ebd9eadf4ba90
Instruction Fuzzy Hash: CD324B34B006158FDB58DF29C884A6EBBF6FF89604B1584ADE506CB362DB34ED45CB90

Function 06C1060F Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e25bc540fcb35fb05b1c76846fd2edb0d14764480e8a651acd3cf726f7ae037f
Instruction ID: 39c33273fa36057af209708abe4b6dd16f0984beb67b743f8f40eca94ffa3976
Opcode Fuzzy Hash: e25bc540fcb35fb05b1c76846fd2edb0d14764480e8a651acd3cf726f7ae037f
Instruction Fuzzy Hash: DB028C307002149FEB549B64D858B2E76B2FFCAA04F50445DD902AF3A1CFB9ED85CB96

Function 06C1151C Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3233c10dad6030997a0d1164736f60f9d5161dc3c6b24a65f48554d7f7245a7e
Instruction ID: f719bcbd6287b0a3053e51e192fad341e82591ed688081bc55d8544113632e10
Opcode Fuzzy Hash: 3233c10dad6030997a0d1164736f60f9d5161dc3c6b24a65f48554d7f7245a7e
Instruction Fuzzy Hash: 62F10F34B002049FEB45DBA5C854A2E77F7FF8A600F18845EE6028B7A1DB79ED45CB91

Function 06C10687 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d96696dceb64b33f054d8e207a2493654a1883dcef520acca7ab779fd1f7d4eb
Instruction ID: 410986df6333f86ef535e816df27d425058f7342eeac9f1d77372fdc837f67db
Opcode Fuzzy Hash: d96696dceb64b33f054d8e207a2493654a1883dcef520acca7ab779fd1f7d4eb
Instruction Fuzzy Hash: 88E17A30B00214DFEB549B64C958B2976B2FF8A604F508459D902AF3A1CFB9ED85CB92

Function 06C106FF Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 623115b0fbbb467417397a39cbeb351c26537071f67488e26a040087a2a37216
Instruction ID: ef9dd1a89b87bd93214bd7e16137ecb59b82927b1441ecc157339cd665f57742
Opcode Fuzzy Hash: 623115b0fbbb467417397a39cbeb351c26537071f67488e26a040087a2a37216
Instruction Fuzzy Hash: 5ED17C30B00214DFEB54DB64C958B2976B6FF8A704F54805AD902AF3A1CFB9DD85CB92

Function 06C100B9 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39a6ddc9849a1e62b8e6a8a7d7a0971e7c3274f2c7682e8dffd9ca24d23aa514
Instruction ID: d91532c8fe2a672438269fe585cf0efb487ae2d2111a695023e9540b49655dc3
Opcode Fuzzy Hash: 39a6ddc9849a1e62b8e6a8a7d7a0971e7c3274f2c7682e8dffd9ca24d23aa514
Instruction Fuzzy Hash: 3FC16D30B00204DFEB44DB65C958B697AB6FF8A704F54805AE902AF3A1CFB5DD81DB91

Function 06C348A8 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec5469895fca7aee09dfc3d33278d95b28cc422beccfe411fba53bf12c80aa2
Instruction ID: 24a112ebbdd5c14a885a66ab9def592a87833b24c9835b12d135f1635456e778
Opcode Fuzzy Hash: 4ec5469895fca7aee09dfc3d33278d95b28cc422beccfe411fba53bf12c80aa2
Instruction Fuzzy Hash: 4FB13834B006158FDB58DF39C988A6EBBF6BF88605B1584ACE406DB362DB34ED05CB50

Function 06C37D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b1a4a1f59335b6b442f9f4d3b597d536c00f87e362cdecdf45cba4d1c23608
Instruction ID: 7b8bbc7ea6bef48934b032687e5c70ce44c1bf2c822a338cd1d9a0096dce9cf0
Opcode Fuzzy Hash: c9b1a4a1f59335b6b442f9f4d3b597d536c00f87e362cdecdf45cba4d1c23608
Instruction Fuzzy Hash: C85127B1E00368CFDB54CFAAC884BDEBBF6AF48714F14842AD415AB240DB749945CF94

Function 06C359C8 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f88ed4aa75aca5c4661e0acddb1962c34559451dd36d1acbef671552b9bacc68
Instruction ID: 5ceb7b0c8a4b6e838767232417d97a00795e367c9393075ce60e62e21fe0b245
Opcode Fuzzy Hash: f88ed4aa75aca5c4661e0acddb1962c34559451dd36d1acbef671552b9bacc68
Instruction Fuzzy Hash: 09515935B00615CFCB54CF58C880AAABBF2FF89314B59C9A9E5599B361DB30F911CB90

Function 06C134D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120029951.0000000006C10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c10000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249731ac2c5b18c7d38d0538f1af7a366077c17a7f1d32decaf18ddb2e278eba
Instruction ID: 52e92788528c37692da87f1d86af7e2cff0efa60f82c62b352c985022a21381f
Opcode Fuzzy Hash: 249731ac2c5b18c7d38d0538f1af7a366077c17a7f1d32decaf18ddb2e278eba
Instruction Fuzzy Hash: 49515975B10618AFCB44CF69C98499EBBB2FF89714B118069E909AF361DB30ED45CB60

Function 06C37D4C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bc7fe1fe63ef897b63324320cd9a4deb5bf3438088a61b38e1fff02e8a84a72
Instruction ID: 6024bcb4fa70347df65c6e50be90e7a62f17df5a69c2955c8034a41f2ce7c27e
Opcode Fuzzy Hash: 8bc7fe1fe63ef897b63324320cd9a4deb5bf3438088a61b38e1fff02e8a84a72
Instruction Fuzzy Hash: D95157B1D00368CFDB54CFAAC985BDDBBF5AF48700F14842AD415AB280DB749945CFA8

Function 06C38C78 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b8394a2e4ab9d9183d630e0cd1569766ee2fb2b24399cbf0e5dec18181849f
Instruction ID: 9a79c033e3c143d26e51837bad6ea28ef932844fce74968e91a83d5acbbeff8a
Opcode Fuzzy Hash: 34b8394a2e4ab9d9183d630e0cd1569766ee2fb2b24399cbf0e5dec18181849f
Instruction Fuzzy Hash: F5313A31704229AFEB049EA9D41476F3AABEFC8250F10802AF905EB344CE35DC52C7E5

Function 06C33DE0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ead14fefc204bcd39d51ebf329236769a262fb1d5180779aaba54090d5e0cc
Instruction ID: 47ab0dcdd2554cd78b61badf3b208edf99259682dd4ec1f3c2d51565609482ee
Opcode Fuzzy Hash: 49ead14fefc204bcd39d51ebf329236769a262fb1d5180779aaba54090d5e0cc
Instruction Fuzzy Hash: D731E1317003618BCB29A738E854A6E77FAEFCA610715886ED449CB340CE39EC4787E1

Function 06C3FE88 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13e8b55ffb85db0ade5745f3304829bb16666f14f32cab825d7b1c16c1d1cb9f
Instruction ID: 0b622d4db384957696ae8e261914285b9ea9178badb702bffa4ace14394031e9
Opcode Fuzzy Hash: 13e8b55ffb85db0ade5745f3304829bb16666f14f32cab825d7b1c16c1d1cb9f
Instruction Fuzzy Hash: 52316B34B093449FCB069B78981456E3FB6AFC7210B1489EEE805C7292CE38CD46C7D2

Function 06C35579 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f81c4362394a38fd88d0d50b96729a1e3ec149e07f64eb7ef4049569bf0be97a
Instruction ID: 08d43e841d0220c77467d1b1df0c027086f2715f395d144b7ed0931a4d3c81ff
Opcode Fuzzy Hash: f81c4362394a38fd88d0d50b96729a1e3ec149e07f64eb7ef4049569bf0be97a
Instruction Fuzzy Hash: 68314835B002219FDB59DF38D884A6EBBB6BF89601B508469E905CB355DF34ED06CB90

Function 06C384D8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0f31ec23f717d108729db920302c2afd7b697ee05acda86499cd3cae0774383
Instruction ID: bb5b8e9b7a2875f7d6ef639c063c8b11802c33ad2a378da1de747bb6ad7ec2f6
Opcode Fuzzy Hash: e0f31ec23f717d108729db920302c2afd7b697ee05acda86499cd3cae0774383
Instruction Fuzzy Hash: 49317F30B002158BDF09ABB9A8646AE3AE7EBCC612750443DD506DB384DF35DD4287E9

Function 06C35588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d7de321250a41065f1571f9215acdc4a248b7d86b43962257a1e02d6ffe6532
Instruction ID: 580c0c7714d7686f490bba500642c6f250b60a97c8a733b2fa09d7a7948e0d6a
Opcode Fuzzy Hash: 4d7de321250a41065f1571f9215acdc4a248b7d86b43962257a1e02d6ffe6532
Instruction Fuzzy Hash: 55316935B002219FDB49DF34D88496EBBB6BFC9201B508469E905CB355DF34ED02CB90

Function 06C387A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d5bc14abd1dedd008812cd3e8aa48ab82a5f6aa66b3c240079cad8ea14e541
Instruction ID: 0bec7500d035bb8515b0d3dd90d481db4836495b66a6349edd0d1b00eba4da4b
Opcode Fuzzy Hash: 18d5bc14abd1dedd008812cd3e8aa48ab82a5f6aa66b3c240079cad8ea14e541
Instruction Fuzzy Hash: 514112B1D01258DFDB18CFAAD944ADEFBF6AF88310F10802AE415B7250DB34A945CF91

Function 06C384C8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee50d51330f7b032de85e1fbf2dcda15d3e5a5a589cc29acc79d010de6f32177
Instruction ID: 5de5525771861cb74dd2df7d11dfb4a523c4ba00965b829d1ee7a9e592d7c382
Opcode Fuzzy Hash: ee50d51330f7b032de85e1fbf2dcda15d3e5a5a589cc29acc79d010de6f32177
Instruction Fuzzy Hash: 6121C130B012158BDF09AB78986467E3AE7AFCD602750483DD506DB3C5DF38DD4287A9

Function 06C38797 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae46ca0a08e8eda66d06cb94e44443aa3d422032e59b4b760cb5491f8f7d1852
Instruction ID: 23c132c6ad3bd3b7c06b0cedf53f718edd3eacdfa8be098fdf50cf497fc017da
Opcode Fuzzy Hash: ae46ca0a08e8eda66d06cb94e44443aa3d422032e59b4b760cb5491f8f7d1852
Instruction Fuzzy Hash: 4D3101B1D012589FDB18CFAAC984BDEBFF6AF48300F14802AE415BB250DB749945CF91

Function 06C38A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 866dcdace175893990a3acdcd05cbfd4d444e803519af9af259ff1bf4db2d457
Instruction ID: 7c318d63918634e9d9833fe2b7f9831224b2d4e7979fac388a4d3130fe5af0ae
Opcode Fuzzy Hash: 866dcdace175893990a3acdcd05cbfd4d444e803519af9af259ff1bf4db2d457
Instruction Fuzzy Hash: C03124B1D01259DFDB14CFAAD884BDEBBF5AF48314F24842AE409BB240C774A945CBA4

Function 0142D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085371187.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87c394178aa847fbc1448d90e4e035a9dceda3816b902e1f1c206cb20778cd9d
Instruction ID: 7561d891ec63e7033358c5d68d2ce4f1a150f43b9fdbf44da78adfed5a67e716
Opcode Fuzzy Hash: 87c394178aa847fbc1448d90e4e035a9dceda3816b902e1f1c206cb20778cd9d
Instruction Fuzzy Hash: 8A2103B1904240EFDB15DF94D9C0F27BF61FB88318F64C56AE8094B226C376D4D6CAA2

Function 0142D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085371187.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61861392c67bb76530b99cf6ad732f28572a3636198b5a3028f9f3469981d20
Instruction ID: b99d066d83fe7c6f02bbf7fefbe03105cc9eee5b92c95055bc96a49a5986804e
Opcode Fuzzy Hash: e61861392c67bb76530b99cf6ad732f28572a3636198b5a3028f9f3469981d20
Instruction Fuzzy Hash: 222133B1904344DFDB05DF84C9C0B56BB65FB84324F60C17AD8090B226C33AE486CAA2

Function 0160D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085900147.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_160d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19287584a1e22a8783cb55b7649cbcc437973a7805f4fc3d425b49fac56192ea
Instruction ID: d165a4d4ceaa0f67e683044c7846dfcfc21a50c176906d51063619c76a4d59f6
Opcode Fuzzy Hash: 19287584a1e22a8783cb55b7649cbcc437973a7805f4fc3d425b49fac56192ea
Instruction Fuzzy Hash: E321D0B1604344EFDB1ADF94DD84B17BB65EB84314F24C669D84E4B386C33AD447CA62

Function 06C38A8C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 133b2f0ce416dec2b198f65cb3d2fdb6a7d269b679fa3aff9be0fd150d1c683d
Instruction ID: 6c692b484e46db41636f23df87ccbcbed65e26e32a942c067c5b3a45cbee1189
Opcode Fuzzy Hash: 133b2f0ce416dec2b198f65cb3d2fdb6a7d269b679fa3aff9be0fd150d1c683d
Instruction Fuzzy Hash: 252125B1D01259DFDB14CFA9C994BDEBBF9AF48314F14842AE005BB240DB749945CBA4

Function 0160D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085900147.000000000160D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0160D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_160d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db9ca3efdd66594267683fbc38a0935cbd33b9094ea8f1d8627994764df589c
Instruction ID: 56e5397a4442bd74ba67ccad7d9787f289103412b0641ff19f4460d6ebacebfc
Opcode Fuzzy Hash: 0db9ca3efdd66594267683fbc38a0935cbd33b9094ea8f1d8627994764df589c
Instruction Fuzzy Hash: DF2192755093808FCB07CF64D994716BF71EB46214F28C6DAD8498F6A7C33A984ACB62

Function 06C36E90 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c05df28d660a5c7b65f00fdeaa8f357dd86611407b62fee8d94f17bf769deabc
Instruction ID: 37c4594b0c479de06db09bbd7ebdf2519c3925627a7bd9fc0bfb9d8ab6581c38
Opcode Fuzzy Hash: c05df28d660a5c7b65f00fdeaa8f357dd86611407b62fee8d94f17bf769deabc
Instruction Fuzzy Hash: 950192773041A83FCF555E9A9C50EBB7FEDEBCD161B04412AFA94C2241C828C9169BB0

Function 06C38E70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12bc57e253f9324b00d36fda40812491b296233b6df9ee118c3213592c814e20
Instruction ID: 99df195b31562172ea61ac36dfc758bcf6de98691b2305650053e626bf9860b1
Opcode Fuzzy Hash: 12bc57e253f9324b00d36fda40812491b296233b6df9ee118c3213592c814e20
Instruction Fuzzy Hash: 5121C275E022289FCB58DFA9E8846DDBBF2BF89300F10902AE805B3350DB345905CB54

Function 0142D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085371187.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4cb244cb16029d603d860230aab3f30c26606f735e4dfd21fd42635b0ffe34
Instruction ID: f2018397eef37804a55615a461c0f648d24c88f43231fee28c5e59b409f67b55
Opcode Fuzzy Hash: eb4cb244cb16029d603d860230aab3f30c26606f735e4dfd21fd42635b0ffe34
Instruction Fuzzy Hash: B911D272804280CFDB02CF44D9C4B56BF61FB84314F24C6AAD8094B626C33AD496CBA1

Function 0142D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085371187.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb4cb244cb16029d603d860230aab3f30c26606f735e4dfd21fd42635b0ffe34
Instruction ID: c2c503c01eaf170e6e3b92806380c7c731a7abf8db58cbefedc6bf088c80f64f
Opcode Fuzzy Hash: eb4cb244cb16029d603d860230aab3f30c26606f735e4dfd21fd42635b0ffe34
Instruction Fuzzy Hash: 6111B176904280CFDB16CF54D9C4B16BF71FB84318F24C6AAD8494B626C336D496CBA1

Function 06C3BF2F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055f72fad8e6f51e2f0193e34eec7cb3783c65727bcd4aeaf3bdb61a26ad6980
Instruction ID: 3294fe6915c6bed0d3fde0b387de627571d7aac4c1bd5dd2ea02f5d31ba4f724
Opcode Fuzzy Hash: 055f72fad8e6f51e2f0193e34eec7cb3783c65727bcd4aeaf3bdb61a26ad6980
Instruction Fuzzy Hash: A9016BB52112014FC3456B34E91086E77BBFEE55007444C2DD606EBA20CF3CAD4A8BE6

Function 06C38F28 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 570722855b0dafcbb2ddc91cc708e0c05b43fbdbe49d219d8257944aec529244
Instruction ID: 5cb16ecccdd5e8597fcb9cd770c7ce2a7f7e8865225242f48ae05b36ef47893b
Opcode Fuzzy Hash: 570722855b0dafcbb2ddc91cc708e0c05b43fbdbe49d219d8257944aec529244
Instruction Fuzzy Hash: 9B110371E002198FCB18DFA9D944AEEBBB2FF89305F108069D515B7264DB355A45CFA0

Function 06C38350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80d40a2c97d87d69227c7c406f2226749f516e5bdf94d996f421edc622584d0b
Instruction ID: e6d41f076b76c607139973d87e53452728b64891acbc4c132e73fce8f89cdf08
Opcode Fuzzy Hash: 80d40a2c97d87d69227c7c406f2226749f516e5bdf94d996f421edc622584d0b
Instruction Fuzzy Hash: 9501B132B002199BDF10DEA9AC44ABFBBBAEBC8211B14403AE504D3240DB30990687A0

Function 06C3C769 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672e6627ea063704bb3f6ab48a43f19f11434addd6c9b831764cf74ee4a33852
Instruction ID: 8f5ecae85ce462142db733cdc3f83a058a177482313fb7b608dfdc9ebb96f32d
Opcode Fuzzy Hash: 672e6627ea063704bb3f6ab48a43f19f11434addd6c9b831764cf74ee4a33852
Instruction Fuzzy Hash: 2601E5B42043448FD3159F65E55451E3BB2FFD9311B10892ED4469B790DF78AC4ACBD2

Function 06C3BF40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67548428463c110c8138698cfd61b8b84bcd9b70eeb6f6915fd8baddd974d6fe
Instruction ID: be1205b7c769618e18faef8bdef52b4ecffe9f7545d895e79c4b7abee54c40f8
Opcode Fuzzy Hash: 67548428463c110c8138698cfd61b8b84bcd9b70eeb6f6915fd8baddd974d6fe
Instruction Fuzzy Hash: B701F1B12002024B8348AB39E91082E32BBFED55407844C2DD606ABA24CF3CBC4687DA

Function 0142D885 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085371187.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2acd91087e6b554f0cca0b0f132a30fe1f6541ecd2c56764e5733092a5dd1151
Instruction ID: d12cb747052c022d809bf014fba3e602a66a82d1678502e2826b66a83334f211
Opcode Fuzzy Hash: 2acd91087e6b554f0cca0b0f132a30fe1f6541ecd2c56764e5733092a5dd1151
Instruction Fuzzy Hash: 6001F771904790DFF7108B99CD84B67BBD8DF81624F58C45BED2C5A252C7B89880CA71

Function 06C38C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ab81e9d525f0ec340e49d1695324cffdafa4a5f58bbcb86a37301ef6246605a
Instruction ID: 74703bf632d7650b20ee2a0248997bb5c52f15e121acbfaccd628edbaf5c1b74
Opcode Fuzzy Hash: 9ab81e9d525f0ec340e49d1695324cffdafa4a5f58bbcb86a37301ef6246605a
Instruction Fuzzy Hash: 1BF04F726002156FD714DA69DC45BA77BADEBC8310F10452AE105D7281DA71E8058BA0

Function 06C3C778 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e113c8e79cb9067ea6516e7358f6377585b1f116688cde2f59857396f6f550
Instruction ID: 49764df30001eb630cbb7419ab385210e792ad48303ceffa0cf5f68670acc628
Opcode Fuzzy Hash: d6e113c8e79cb9067ea6516e7358f6377585b1f116688cde2f59857396f6f550
Instruction Fuzzy Hash: 0A018C782042048BD324AF65D50461A77B6FFD8715B508A2DD04A97694DF78AC4A8B92

Function 06C35508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 894a6c003b00e27ac657d673fa3d66bcb705f01e77eb9274fb4fc4961ba8abff
Instruction ID: 32e0bbb9d91883e7f8afe4a05f1d3fc3a764389193d5e813b1dd7f99afc90e7f
Opcode Fuzzy Hash: 894a6c003b00e27ac657d673fa3d66bcb705f01e77eb9274fb4fc4961ba8abff
Instruction Fuzzy Hash: 78018130A11726CFDBA99A36E804627B7F7BF84205794882CE44686654DF75F581CB90

Function 06C3B628 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec679516577645081ee7df8c8d500a4d82e86a5e9534625bb2bf59e92e8c8bda
Instruction ID: 743c933423f4051a96970f595afe8eb90306b645b0b977ee2f499950d196d92a
Opcode Fuzzy Hash: ec679516577645081ee7df8c8d500a4d82e86a5e9534625bb2bf59e92e8c8bda
Instruction Fuzzy Hash: 3D0124B8906349EFCB49EFB8E98459C7FB0FF95200F00049AD405E7221DB384E84CB92

Function 06C3EB70 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0aab8e781b6cbcbffb7a0f485bbb0122153281004e931037e99ef77676a342a
Instruction ID: 3e3345d4c32756a241df6e6a879983d061aac00212bda7861353f96c93b7a256
Opcode Fuzzy Hash: c0aab8e781b6cbcbffb7a0f485bbb0122153281004e931037e99ef77676a342a
Instruction Fuzzy Hash: 2A0181387083489FCB06DF78D9549693F7AEF8A20471488EAE405CF662DA36DC15CB91

Function 06C39158 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79027a0dd6fb8e8b6edcb347657102032cc8d083f1e52601f856542463d18ef1
Instruction ID: 89e316347cb65c0d7adc21f8a069be0742cd423f85b75ae032b178322f211703
Opcode Fuzzy Hash: 79027a0dd6fb8e8b6edcb347657102032cc8d083f1e52601f856542463d18ef1
Instruction Fuzzy Hash: 9E011370C0421ADFCB14DFA4C9486AEBBB4BF09300F1085AAC805B3381E7704A40CF90

Function 06C39168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21e52cd01b45d397d3cb912a43fe6fd0972320dc93bd1798f7db9242dad10622
Instruction ID: 5720afa119d8154c7c394997fdc4798c688ef68882336059e9c62ae23f423ca3
Opcode Fuzzy Hash: 21e52cd01b45d397d3cb912a43fe6fd0972320dc93bd1798f7db9242dad10622
Instruction Fuzzy Hash: 3101D2B4D04219EFCB54EFA9D9486AEBBF5BB49300F1084AAD815B3390E7B44A40DF90

Function 0142D884 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2085371187.000000000142D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0142D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_142d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d40107ee3d1a5a31b3574807c9c52e859f9fab8a2291d14055010b932e785e
Instruction ID: 6cc5e109319caff4af5464a0f987e14d9c0e9ba3e7006ce0ba44b1d04ce22371
Opcode Fuzzy Hash: 71d40107ee3d1a5a31b3574807c9c52e859f9fab8a2291d14055010b932e785e
Instruction Fuzzy Hash: 01F0C2718043949EE7208F09CC84B63FFD8DB41624F18C45BED1C5B293C2B89880CA71

Function 06C33EC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fed6bce1bc78f42c1dc5a58e88a7c704790399fc23a59164d06c7634374728d
Instruction ID: 4f21d8ae7b5575605d5bc902878ecf1e9f2519d135689a43451502cd376bb625
Opcode Fuzzy Hash: 9fed6bce1bc78f42c1dc5a58e88a7c704790399fc23a59164d06c7634374728d
Instruction Fuzzy Hash: 35F06D303006218BDA18EB69E85096E77FBEBC9910350492DD44A9B354EF78ED4683E1

Function 06C38C20 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 776af75dc444ba80fbd3327cd4d836de900ce68fb0bc9f34afd2b69cb304bd79
Instruction ID: 68cf7b0b7e937b311c310c28f14f6113ea922225dfbed64776de1ef46140327f
Opcode Fuzzy Hash: 776af75dc444ba80fbd3327cd4d836de900ce68fb0bc9f34afd2b69cb304bd79
Instruction Fuzzy Hash: 74F03A727002159FE714DE59EC44AABB7AEEBC8714F10452AE11AD7291DAB1A8058BA0

Function 06C367C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e62ce11a57e3ece0918573e8d21e8f62aaa4fd691eba6c2bd116d6cd0db272d
Instruction ID: 1ca429045ad2c77d7beb5976f2726b21e51f4ad7f7b8a12e702b2df01bb7bacf
Opcode Fuzzy Hash: 4e62ce11a57e3ece0918573e8d21e8f62aaa4fd691eba6c2bd116d6cd0db272d
Instruction Fuzzy Hash: 80F0B431B003106BD7208A29DC41F567FF5EB8A725F14826AF214CF1E2D7B1E805D741

Function 06C3C440 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4241380acfb63be72b9789f44dfb2b6936633f5a5d94276f70947193e48f513f
Instruction ID: 6cf26cec71d4611695ea4b49802a79f9e9921f734db391f0d7ae9267c534c961
Opcode Fuzzy Hash: 4241380acfb63be72b9789f44dfb2b6936633f5a5d94276f70947193e48f513f
Instruction Fuzzy Hash: 7501F4B5501B418FD756CF25E5081A6BBF2FF88300700C61EE48AC2A14DB38A94ACFC1

Function 06C36EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58aec13881ef57397ee19abca0a3afb420dc89e83c6c994b9fa5dd8de63fbcc8
Instruction ID: 5352bb7e3f017032af52edaeed89e0683b5c76bf3cfe819bd750f989d4f507e0
Opcode Fuzzy Hash: 58aec13881ef57397ee19abca0a3afb420dc89e83c6c994b9fa5dd8de63fbcc8
Instruction Fuzzy Hash: 5BF082662041E83F8F114E9A5C10DFB7FEDDE8E1617084056FE98C2141C42DC921ABB0

Function 06C3B4B9 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 084945d4af1b4d212487eabf0441318e69e0734462a7059f4fddc1f261730b1e
Instruction ID: 55d16cd9e8d9cdc532fd9acf6abc72425f53c02ebe127d7a9666c352e0993889
Opcode Fuzzy Hash: 084945d4af1b4d212487eabf0441318e69e0734462a7059f4fddc1f261730b1e
Instruction Fuzzy Hash: D0F09E703061506FC3001B39A44868E7FB9FFDBA00B04455EE00DD3582CA784C458B75

Function 06C391E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7077b95b2dcef827f7f61752b6c16ccd3e3f747410c01825f4ab567bc065a1d9
Instruction ID: 69b12c99594b7fe2f5c6585af7c49ee6c895d25c9da1fed351c93cae66c76fcf
Opcode Fuzzy Hash: 7077b95b2dcef827f7f61752b6c16ccd3e3f747410c01825f4ab567bc065a1d9
Instruction Fuzzy Hash: 2BF08C317006144B9794DBA9E680A66F7EADF88224318C8AED90EC7740EA32FC028780

Function 06C3C3E0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6b04174cfee37e6c1a580f3801a7da074ba50dc80b4a47d635114b07f64704a
Instruction ID: 388a428a7adc5a2a36806623200a31b99f97403d462c1344fcecfdb753f37576
Opcode Fuzzy Hash: c6b04174cfee37e6c1a580f3801a7da074ba50dc80b4a47d635114b07f64704a
Instruction Fuzzy Hash: 15F0F63120A3E04FC7129739E8147DA3FF9DF92204B04095ED142C7652CB69AC45C7D6

Function 06C38341 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c52b33b884b95e674ea45702ad990196c4d927e08eb296ef5f84d3c58fd9b8c6
Instruction ID: b8905d86fcfd49c9ed8d5d1e2792b71e314da2f1c2bc08b0034fc429a733523b
Opcode Fuzzy Hash: c52b33b884b95e674ea45702ad990196c4d927e08eb296ef5f84d3c58fd9b8c6
Instruction Fuzzy Hash: 49F0A732B141295B8F50D9699C459BF7FB9EB89261748012AF914D3200EB30D90987A1

Function 06C3AF88 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b4c2ea21b6d7333a802c0dfdae8e604e7158ca1fe98aa549bc23ba30c7f2a3f
Instruction ID: 2a022649743e9b7e341f2a92e4d6cb3fd0787c31904bb1d39aac15b2027d2d15
Opcode Fuzzy Hash: 4b4c2ea21b6d7333a802c0dfdae8e604e7158ca1fe98aa549bc23ba30c7f2a3f
Instruction Fuzzy Hash: F0F0E2A230A1A15FC3161B74AC244AD3F75EDD694134844DBD086DB691CB6C8D46CBA5

Function 06C3B638 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81a6bc49ec3bf9f9d428f0c4ef5c8f0bbe035874b4ede072d01ead14455b068c
Instruction ID: 7203f998e020a695e4bb6faca3ec27cda7a2743a61af8228f56b996e0ec09be9
Opcode Fuzzy Hash: 81a6bc49ec3bf9f9d428f0c4ef5c8f0bbe035874b4ede072d01ead14455b068c
Instruction Fuzzy Hash: 33F0A4B4902249EFCB44EFF8E54499C7BB5FF94600F1045A9C406E7310DB385E84CB95

Function 06C354F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e27acb8fe3deea79a7f756f37ec297bc0c53a5f9a8085aec85b4254824ff36c
Instruction ID: f1ee68edfd96e41e5e808dc42da5aaaafcda476c992590944e48c7cc8466186b
Opcode Fuzzy Hash: 1e27acb8fe3deea79a7f756f37ec297bc0c53a5f9a8085aec85b4254824ff36c
Instruction Fuzzy Hash: 8AF02431A007918FDBA4CEA2D50076BBBB2BF80314F88886CD04246918CB74F585CB40

Function 06C39294 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5deb537444ef04a2c694046358ea568897adc5958de9b2a3b19c4d627ec63b68
Instruction ID: 07f894411374c2e05fea81ecfda615a506016a4b98f244c573d8a901ac7c92f1
Opcode Fuzzy Hash: 5deb537444ef04a2c694046358ea568897adc5958de9b2a3b19c4d627ec63b68
Instruction Fuzzy Hash: 52F052B5E04250DFE750CFA0E8117AE7B70EB82300F0041CAD8408B3A0EBB89E40CB80

Function 06C3CF10 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289d027235de1063a520005f06923c2ac39b54c39ee15dc5d52d45d7215088f3
Instruction ID: f4b9c1dd07138d359858e0573d11db1c1a0a5062a69120bbec30f8b272565cff
Opcode Fuzzy Hash: 289d027235de1063a520005f06923c2ac39b54c39ee15dc5d52d45d7215088f3
Instruction Fuzzy Hash: 47E022A62046604FE746EF28F8820CC7B61EAD9510701865AC048EB682DA384E4E83C6

Function 06C39238 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e88ec4286f0f9cca2b8f0c425700f2151bf10358f6e87d75d8dc27088b8a44
Instruction ID: e3e29bcad2b85ddd8d524090d3fb94f340b9bc2ea574efce83aff8f2d02a900f
Opcode Fuzzy Hash: 60e88ec4286f0f9cca2b8f0c425700f2151bf10358f6e87d75d8dc27088b8a44
Instruction Fuzzy Hash: F5F08274F40204AFDB54DFB4E84179D7BB0EB85700F1081A8D90497350DB799D05CF80

Function 06C3B4C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0124575949a4ab82d59ce0080f36e1692a5b21b8b2665f35c3b20847e6a388d7
Instruction ID: 620af4496954b65f2cb20ad91e4a3ffec368e481bb2feef5478ea3908678f0fa
Opcode Fuzzy Hash: 0124575949a4ab82d59ce0080f36e1692a5b21b8b2665f35c3b20847e6a388d7
Instruction Fuzzy Hash: C6E092B53021216BC3146E6AE848A9E7AEEFFCE651B80442DF10ED3681CF795C454BB9

Function 06C3C450 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad35561873204f284944708e56e0bff381c90e379d8574224f8c7b82dd2bf65
Instruction ID: cbe782ef7017846028333d6bf6118d8cd18c364cdfd66d0b5d39a730331e1a84
Opcode Fuzzy Hash: 7ad35561873204f284944708e56e0bff381c90e379d8574224f8c7b82dd2bf65
Instruction Fuzzy Hash: 01F090B9501B018FD715DF26E508552BBF6FF88300700862EE44A83A10DB74A949CFC5

Function 06C3B7D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5febac3cec912c15dedd2ef38d1ee7a5a210b209fc189451c6f20bf6a3b33490
Instruction ID: c26de67501176deda3408e06034b3d7bb3ad21d752c266d95f9aa9ec219ebca4
Opcode Fuzzy Hash: 5febac3cec912c15dedd2ef38d1ee7a5a210b209fc189451c6f20bf6a3b33490
Instruction Fuzzy Hash: E2F01C79D0820CBFCB41DFB4D9449CDBBB5EB54200F1042A6E809E3240E6346B458B81

Function 06C3C3F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f9662ceadc4a33bd9b4695b6ccddaa37f5300a4a4cce177b702d1554afc349
Instruction ID: 97a61d8c4b9f824a51b95b723551659e93462f76fc8460e0ba2eb80bb98a60e8
Opcode Fuzzy Hash: c7f9662ceadc4a33bd9b4695b6ccddaa37f5300a4a4cce177b702d1554afc349
Instruction Fuzzy Hash: C1E0E5302047904FC710EB2DE80879E7BF9EFD5604F04092ED14687A41CBB9AC418BD2

Function 06C3AF40 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef69e327b4df0b4c78102169aabd141bc2a2f8a962a554368d4c1f41b16cfe7
Instruction ID: d6d82432644195dc6ede80f97b04278648dfe7b4f0ad644b8d6202e3c78b1256
Opcode Fuzzy Hash: 0ef69e327b4df0b4c78102169aabd141bc2a2f8a962a554368d4c1f41b16cfe7
Instruction Fuzzy Hash: E3E068B13161A15FC7071734A8180AD3F75EDC6912308409FD08ACB2C2CF2C4D46CBA5

Function 06C35698 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 507ea4fa869148a9d4c042beb5da474c3e4f38d41816fcf2ff0991b16a6f3f68
Instruction ID: 1e92311c999469edc242b86a27f524c897d424fbe86faa51773b922ca29e40d0
Opcode Fuzzy Hash: 507ea4fa869148a9d4c042beb5da474c3e4f38d41816fcf2ff0991b16a6f3f68
Instruction Fuzzy Hash: A1E0DFB220D3514FE3059664E80958B2BA8EB23320B458CBEE040CA092EB39C543CA56

Function 06C39248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec47ada4893a04a84ac78df6e859594895cc0738e4e59a5515aea1d6863c927
Instruction ID: d69fa812eb3b6693d168e50893d055957656bd581aaf404efd387df5da5aed8a
Opcode Fuzzy Hash: bec47ada4893a04a84ac78df6e859594895cc0738e4e59a5515aea1d6863c927
Instruction Fuzzy Hash: F0F03978F00308AFDB54EFA4E841B9EB7B0EB85700F1081A8D90497390EBB45D54CB80

Function 06C3E4BF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2c212a3aa59e266f3f02c93c36e83c3713d5c0ba6fd156079a8843e3631a79a
Instruction ID: 8cd671d5f76b1d8ed1f730ebd94d444ce2705df571846f8753bd573aeecb330e
Opcode Fuzzy Hash: c2c212a3aa59e266f3f02c93c36e83c3713d5c0ba6fd156079a8843e3631a79a
Instruction Fuzzy Hash: 03E0DFB1E09248EFDB02CF64E9409AD3BB1EB82200B2045EBD808D72A0E6381F048792

Function 06C3E540 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c649c4a55d7140912de3f444e3e9ac34456b3d9c27a379a240250c1ca5266d1
Instruction ID: b344d44a6fc36865f3592174a508d182e61560f45f4d8c7e03dd4cde64c12b50
Opcode Fuzzy Hash: 7c649c4a55d7140912de3f444e3e9ac34456b3d9c27a379a240250c1ca5266d1
Instruction Fuzzy Hash: B2E092B6104B504FE7059B24F9515C97BA0FBD9204342495AC845A71E2C7689D498BC6

Function 06C3AF50 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c6055448d4a69d1ceb723dbd07f8ce7aa9807a725a7dd0a014d975c0a54dff
Instruction ID: 5a000ee613c7bf319878015bbbed63a00f7de10ce7a5de242cdb571517410f5a
Opcode Fuzzy Hash: 67c6055448d4a69d1ceb723dbd07f8ce7aa9807a725a7dd0a014d975c0a54dff
Instruction Fuzzy Hash: BBD05B7130212967C7057769F4194AE77BAEEC5961344442EE50AC72C0CF7D6D418BD5

Function 06C3B7E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9c22d426c5717de69af261809e30234c29592b91b94027e29f165f13664733b
Instruction ID: 46920bfa7b0b693fafb1ac9fe8d704d21969b1c3cdd33cf43f710ec15aaecde5
Opcode Fuzzy Hash: b9c22d426c5717de69af261809e30234c29592b91b94027e29f165f13664733b
Instruction Fuzzy Hash: 34E09A75D0420CEFCB40DFE4E5448DDBBB9EB48200F1082A6D809E3200EB346B55DF81

Function 06C3EBB8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0825700d6a437886a00bc29e29272e83caa23e647492e62bbaee4905bf2391c5
Instruction ID: f7e8b89fb004296094ba808c66730cd32bbeb2eab653058ee84e910040198ce2
Opcode Fuzzy Hash: 0825700d6a437886a00bc29e29272e83caa23e647492e62bbaee4905bf2391c5
Instruction Fuzzy Hash: E2E0123A1552509FC7429B55D980C943F75AF5A61530444C7E1458F572C232D825DB50

Function 06C391E3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 951f59608d725212d0f29af5f1be37bb97ce65df0c421fb0f4a68a47f5cd416b
Instruction ID: 207688b8f301f3ea825fd0ad56f7441f8dd5bc0a217998c3713da4f413fa10b4
Opcode Fuzzy Hash: 951f59608d725212d0f29af5f1be37bb97ce65df0c421fb0f4a68a47f5cd416b
Instruction Fuzzy Hash: E3D05E312042285B9294E699D940AA2BBD9DB89214308846EE90DEB341EF62EC028794

Function 06C3E4D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cc02cc7220fde07ea07981b1bc58d757bfd1a30cfdda768384b59d1061b433
Instruction ID: 6a3b1b2a7df6a0a074ccbc3675973b992a4c8ddfc91efac4d649ab5c72c7a8bc
Opcode Fuzzy Hash: e8cc02cc7220fde07ea07981b1bc58d757bfd1a30cfdda768384b59d1061b433
Instruction Fuzzy Hash: 62D017B1A01208FB8B00EFA9EA0095DB7B9EB84204B1049A9D408E3240EA356E009B91

Function 06C3FBAB Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04cfebd22b1422a5018e4c790c0761d85662917f9640c49fba37fd6837a39d59
Instruction ID: 3e552ad04356590255f4020057b5cbc19327e5f503300b77bd56e63700569b6f
Opcode Fuzzy Hash: 04cfebd22b1422a5018e4c790c0761d85662917f9640c49fba37fd6837a39d59
Instruction Fuzzy Hash: 0BC012B27080200B0244AA6CB4401AC66E7DAEC6A7386443FE60EC7388CD788C424BC5

Function 06C33721 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4d3a073e3a7ff7dd9ac7fb35dea3e42e099842cb71e32c004d8d7ebd9acd3a
Instruction ID: 8098214df71b31d1238acacd5a944690f45c7ca3e040ed93e3a44d8c26eeea6b
Opcode Fuzzy Hash: fd4d3a073e3a7ff7dd9ac7fb35dea3e42e099842cb71e32c004d8d7ebd9acd3a
Instruction Fuzzy Hash: 88B012FBD0911057DF0962119C83FF6026797FD588F5F6118DBD0D5381DB18E4160079

Function 06C3FB64 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 767c3c2ea372ed8377f366270febb551ff038573933dae221ad0542b12147849
Instruction ID: 084c23c279061eb497cf8415d45703cd6ccfcfbc8d3d99cdcea2f384682b8677
Opcode Fuzzy Hash: 767c3c2ea372ed8377f366270febb551ff038573933dae221ad0542b12147849
Instruction Fuzzy Hash: 66A002427150345795D420CE78A99D7A30BC1944A6A60197BF73AC9908E101464303D5

Non-executed Functions

Function 06FF2E88 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f22f9c8d55a14c4eafcf97d7f4cbb2905bdd66bbd29e838fdf86a96579f2a46
Instruction ID: 6fc927c1525fe840710aa4a1eae4d683108b3f2dacfc97e60c25b7e4f5ad8b2d
Opcode Fuzzy Hash: 7f22f9c8d55a14c4eafcf97d7f4cbb2905bdd66bbd29e838fdf86a96579f2a46
Instruction Fuzzy Hash: EC61CE75E01218DFDB54DFA9C880ADDBBB2FF89700F64802AD505BB260DB34A946CF94

Function 06FF3158 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2120688336.0000000006FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6ff0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccc7288e791d03e33b6b33985008811b8ad1a392f72ec223a2fde656588e79d1
Instruction ID: 85ef712b569d37e5800cb844db3b2b93ed1d94e2ed15688263f0d06a5048d663
Opcode Fuzzy Hash: ccc7288e791d03e33b6b33985008811b8ad1a392f72ec223a2fde656588e79d1
Instruction Fuzzy Hash: CD014435E41308DFCB11CFA4D881AEDBBB1EF4A311F11929AE509AB262C6359D11CF90

Function 06C3E587 Relevance: 46.6, Strings: 37, Instructions: 390COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3E8F0
Di, xrefs: 06C3E9E0
Di, xrefs: 06C3EA30
Di, xrefs: 06C3E990
Di, xrefs: 06C3EB04
Di, xrefs: 06C3E853
Di, xrefs: 06C3E87B
Di, xrefs: 06C3E940
Di, xrefs: 06C3E9B8
Di, xrefs: 06C3E8C8
Di, xrefs: 06C3E6F1
Di, xrefs: 06C3E638
Di, xrefs: 06C3E82B
Di, xrefs: 06C3E918
Di, xrefs: 06C3E73B
Di, xrefs: 06C3EA83
Di, xrefs: 06C3E8A3
Di, xrefs: 06C3EA58
Di, xrefs: 06C3E682
Di, xrefs: 06C3E7B3
Di, xrefs: 06C3E803
Di, xrefs: 06C3E6A7
Di, xrefs: 06C3EAAE
Di, xrefs: 06C3E763
Di, xrefs: 06C3E78B
Di, xrefs: 06C3EAD9
Di, xrefs: 06C3EA08
Di, xrefs: 06C3E716
Di, xrefs: 06C3E6CC
Di, xrefs: 06C3E5A4
Di, xrefs: 06C3E65D
Di, xrefs: 06C3E5C9
Di, xrefs: 06C3E613
Di, xrefs: 06C3EB2F
Di, xrefs: 06C3E5EE
Di, xrefs: 06C3E7DB
Di, xrefs: 06C3E968

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-221844820
Opcode ID: b80f7f30e8e61b32fec793d498c4eac586b5208e50984bba3a6f708ed5a03767
Instruction ID: ee82c69522811fa4dd5be668bdf19269974e35f56f9b2c50bea6d692a2c1d7ad
Opcode Fuzzy Hash: b80f7f30e8e61b32fec793d498c4eac586b5208e50984bba3a6f708ed5a03767
Instruction Fuzzy Hash: 32D1B330700B01ABE605AEA19C51A7D666BFBE9B00B948C2CD1064F7E9DF79AC1643D7

Function 06C3E598 Relevance: 46.6, Strings: 37, Instructions: 383COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3E8F0
Di, xrefs: 06C3E9E0
Di, xrefs: 06C3EA30
Di, xrefs: 06C3E990
Di, xrefs: 06C3EB04
Di, xrefs: 06C3E853
Di, xrefs: 06C3E87B
Di, xrefs: 06C3E940
Di, xrefs: 06C3E9B8
Di, xrefs: 06C3E8C8
Di, xrefs: 06C3E6F1
Di, xrefs: 06C3E638
Di, xrefs: 06C3E82B
Di, xrefs: 06C3E918
Di, xrefs: 06C3E73B
Di, xrefs: 06C3EA83
Di, xrefs: 06C3E8A3
Di, xrefs: 06C3EA58
Di, xrefs: 06C3E682
Di, xrefs: 06C3E7B3
Di, xrefs: 06C3E803
Di, xrefs: 06C3E6A7
Di, xrefs: 06C3EAAE
Di, xrefs: 06C3E763
Di, xrefs: 06C3E78B
Di, xrefs: 06C3EAD9
Di, xrefs: 06C3EA08
Di, xrefs: 06C3E716
Di, xrefs: 06C3E6CC
Di, xrefs: 06C3E5A4
Di, xrefs: 06C3E65D
Di, xrefs: 06C3E5C9
Di, xrefs: 06C3E613
Di, xrefs: 06C3EB2F
Di, xrefs: 06C3E5EE
Di, xrefs: 06C3E7DB
Di, xrefs: 06C3E968

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-221844820
Opcode ID: f3b43d9a9e4d0782863e473450ecdccc6512b2e4960f88cd60c80ce4981dc093
Instruction ID: 36d7b1bbbe0e0f36051b8d785fd7374598444b4a9aec56e168cf91e6e12d725d
Opcode Fuzzy Hash: f3b43d9a9e4d0782863e473450ecdccc6512b2e4960f88cd60c80ce4981dc093
Instruction Fuzzy Hash: 1CD1A230740B01ABE605AEA19C51A7D626BBBE9B00B948C3CD1064F7E9DF79AC1643D7

Function 06C3CF57 Relevance: 16.4, Strings: 13, Instructions: 152COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3CFE3
Di, xrefs: 06C3D077
Di, xrefs: 06C3CFBE
Di, xrefs: 06C3D052
Di, xrefs: 06C3CF99
Di, xrefs: 06C3D09C
Di, xrefs: 06C3D10B
Di, xrefs: 06C3CF74
Di, xrefs: 06C3D02D
Di, xrefs: 06C3D008
Di, xrefs: 06C3D0E6
Di, xrefs: 06C3D0C1
Di, xrefs: 06C3D130

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-2743657870
Opcode ID: b01b2de3d8844919e38795e6b24a625c032c6b4832bd8229833d073f99f462fb
Instruction ID: d450eb7b260fa6268202012f33e3efeea83734580b0948abe9e349ee62c8e497
Opcode Fuzzy Hash: b01b2de3d8844919e38795e6b24a625c032c6b4832bd8229833d073f99f462fb
Instruction Fuzzy Hash: 5341DC31300B01ABE6066EA19C41A3D676AFBE9A00B904D3CD2064F6A9DF7DAD5543DB

Function 06C3CF68 Relevance: 16.4, Strings: 13, Instructions: 143COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3CFE3
Di, xrefs: 06C3D077
Di, xrefs: 06C3CFBE
Di, xrefs: 06C3D052
Di, xrefs: 06C3CF99
Di, xrefs: 06C3D09C
Di, xrefs: 06C3D10B
Di, xrefs: 06C3CF74
Di, xrefs: 06C3D02D
Di, xrefs: 06C3D008
Di, xrefs: 06C3D0E6
Di, xrefs: 06C3D0C1
Di, xrefs: 06C3D130

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-2743657870
Opcode ID: bd3acfcaeacb5a59604a2123149e515c602c32b6d6a2c9c41556f87d41d35d14
Instruction ID: 26fbea413709d69d03b18791f96c13c0378ea46a2f29b0c89ff8c4fcb5bb3c91
Opcode Fuzzy Hash: bd3acfcaeacb5a59604a2123149e515c602c32b6d6a2c9c41556f87d41d35d14
Instruction Fuzzy Hash: CE41AD30300B11ABE6056EA59C41B3D666AFFE9A00B904D3CD2064F6D9DF7DAD1543DB

Function 06C3D1A9 Relevance: 10.1, Strings: 8, Instructions: 104COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3D27D
Di, xrefs: 06C3D20E
Di, xrefs: 06C3D1E9
Di, xrefs: 06C3D1C4
Di, xrefs: 06C3D2C7
Di, xrefs: 06C3D258
Di, xrefs: 06C3D233
Di, xrefs: 06C3D2A2

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-427482554
Opcode ID: ed1c1d8da2697f1fc9550b8227fac79810106d563f0adb3bd576cb2e6a6f9647
Instruction ID: 9b0840bb5f4eea544447fd717cdadd612f66d3854f53ab3fd9ea250e5eb8f2bf
Opcode Fuzzy Hash: ed1c1d8da2697f1fc9550b8227fac79810106d563f0adb3bd576cb2e6a6f9647
Instruction Fuzzy Hash: 53312930700711ABE6065EA19C41B3D776AFFE9A00B90493DD20A4F6E5CF79AC5543D7

Function 06C3D1B8 Relevance: 10.1, Strings: 8, Instructions: 93COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3D27D
Di, xrefs: 06C3D20E
Di, xrefs: 06C3D1E9
Di, xrefs: 06C3D1C4
Di, xrefs: 06C3D2C7
Di, xrefs: 06C3D258
Di, xrefs: 06C3D233
Di, xrefs: 06C3D2A2

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-427482554
Opcode ID: 964d6acc6878832e4a54dc74f34dd033ff47877fa210005c9ac4260dacf35028
Instruction ID: cd760dee1c4d6888a6f01fed244f4ad401e4e213f8310df343c67feab6744115
Opcode Fuzzy Hash: 964d6acc6878832e4a54dc74f34dd033ff47877fa210005c9ac4260dacf35028
Instruction Fuzzy Hash: 1321CC30700711ABE605AEA59C41B3D666AFBE9A00B904D3CD10A4F7D9CF7DAC5543D7

Function 06C3CC40 Relevance: 8.8, Strings: 7, Instructions: 88COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3CD52
Di, xrefs: 06C3CCAE
Di, xrefs: 06C3CC5C
Di, xrefs: 06C3CD00
Di, xrefs: 06C3CC85
Di, xrefs: 06C3CCD7
Di, xrefs: 06C3CD29

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di
API String ID: 0-1084884928
Opcode ID: 040ff9af55c4a8406cd75411f6949b9cfe24edacc238a4d9f8088b6500af5c2d
Instruction ID: a0179a7c98fd70666a1485a94f1efd1748f6115a6c885889fca50a0bcbab575b
Opcode Fuzzy Hash: 040ff9af55c4a8406cd75411f6949b9cfe24edacc238a4d9f8088b6500af5c2d
Instruction Fuzzy Hash: 8931E4307017826BEB061FB19C4197D7B3AFBEA600740492CD1068F6B6CF789D9B8786

Function 06C3CC50 Relevance: 8.8, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3CD52
Di, xrefs: 06C3CCAE
Di, xrefs: 06C3CC5C
Di, xrefs: 06C3CD00
Di, xrefs: 06C3CC85
Di, xrefs: 06C3CCD7
Di, xrefs: 06C3CD29

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di
API String ID: 0-1084884928
Opcode ID: 646f842844e9f8c214ab0b8f5ee2f4ad42e9d59a687d5b9fa989ccc5d087405c
Instruction ID: 7d5a1d02903c9a6a155abcd264b83add727da999e6427e3d8e8c7fe119d1a8c6
Opcode Fuzzy Hash: 646f842844e9f8c214ab0b8f5ee2f4ad42e9d59a687d5b9fa989ccc5d087405c
Instruction Fuzzy Hash: 7221C3307007426BEB062FA1DC4197D7B2AFBE9A00750492CD1068F7A5CF789D9B8796

Function 06C3D7F8 Relevance: 7.6, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3D85E
Di, xrefs: 06C3D8CD
Di, xrefs: 06C3D839
Di, xrefs: 06C3D883
Di, xrefs: 06C3D8A8
Di, xrefs: 06C3D814

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di
API String ID: 0-100505788
Opcode ID: 26120d64bba4eb946063d58f04648e7c847aad8867dd3773c5a3f9569b925a6b
Instruction ID: 31da33031c1ecaf9888fea268d110655cf8583ebe1ce49dadc94fabcea0ad988
Opcode Fuzzy Hash: 26120d64bba4eb946063d58f04648e7c847aad8867dd3773c5a3f9569b925a6b
Instruction Fuzzy Hash: 15212B307007016BE7065EA59C41A3C676AFBE5A00F90493DD1064F695CF796C1643E7

Function 06C3D808 Relevance: 7.6, Strings: 6, Instructions: 73COMMON

Download Yara Rule

Strings

Di, xrefs: 06C3D85E
Di, xrefs: 06C3D8CD
Di, xrefs: 06C3D839
Di, xrefs: 06C3D883
Di, xrefs: 06C3D8A8
Di, xrefs: 06C3D814

Memory Dump Source

Source File: 0000000D.00000002.2120067529.0000000006C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_6c30000_RegAsm.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di
API String ID: 0-100505788
Opcode ID: 0981394fd90528015b4ef9168d20194ad1ed5b154b1b31f347627acf2a747a4f
Instruction ID: d24963bf4225786f243b506de5851644612f216bb6f99d7fc774acf20e40cf28
Opcode Fuzzy Hash: 0981394fd90528015b4ef9168d20194ad1ed5b154b1b31f347627acf2a747a4f
Instruction Fuzzy Hash: AF11C930700B116BE6066EA59C41E3DA66BFBE9A00F908D3CD1064F698CF7AAD5543E7

Analysis Process: crypteda.exePID: 4920, Parent PID: 3528COMMON

Execution Graph

Execution Coverage:	25.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	22
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 0324255D Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,032424CF,032424BF), ref: 032426CC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 032426DF
Wow64GetThreadContext.KERNEL32(00000308,00000000), ref: 032426FD
ReadProcessMemory.KERNELBASE(00000304,?,03242513,00000004,00000000), ref: 03242721
VirtualAllocEx.KERNELBASE(00000304,?,?,00003000,00000040), ref: 0324274C
TerminateProcess.KERNELBASE(00000304,00000000), ref: 0324276B
WriteProcessMemory.KERNELBASE(00000304,00000000,?,?,00000000,?), ref: 032427A4
WriteProcessMemory.KERNELBASE(00000304,00400000,?,?,00000000,?,00000028), ref: 032427EF
WriteProcessMemory.KERNELBASE(00000304,?,?,00000004,00000000), ref: 0324282D
Wow64SetThreadContext.KERNEL32(00000308,03110000), ref: 03242869
ResumeThread.KERNELBASE(00000308), ref: 03242878

Strings

ResumeThread, xrefs: 03242699
CreateProcessA, xrefs: 03242611
Load, xrefs: 0324259B
TerminateProcess, xrefs: 0324275B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 032426CB
GetThreadContext, xrefs: 03242637
WriteProcessMemory, xrefs: 03242670
ress, xrefs: 032425E7
aryA, xrefs: 032425A3
GetP, xrefs: 032425DF
ReadProcessMemory, xrefs: 0324264A
VirtualAllocEx, xrefs: 0324265D
SetThreadContext, xrefs: 03242683
VirtualAlloc, xrefs: 03242624

Memory Dump Source

Source File: 0000000F.00000002.1977738573.0000000003242000.00000040.00000800.00020000.00000000.sdmp, Offset: 03242000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3242000_crypteda.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: 97cff624b4c6095357fc4fbfb55e906a13ff9ad03652bd0d1a482556d977061d
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: C2B1F67660024AAFDB60CF69CC80BDA77A5FF88714F158564FA0CAB341D770FA518B94

Function 03091001 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03091082

Memory Dump Source

Source File: 0000000F.00000002.1977574951.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3090000_crypteda.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 846f544d01f038a7c5bec572af54a3d56c1d40ea0bd3c30ab880efbb23c7f4f6
Instruction ID: c6dca474b0422707e3d4cdf71b3809e783216bcbe32b24a3d33a731d9af00ecf
Opcode Fuzzy Hash: 846f544d01f038a7c5bec572af54a3d56c1d40ea0bd3c30ab880efbb23c7f4f6
Instruction Fuzzy Hash: D82114719012599FDB10DFAAC884ADEFBB4FF48710F10851AE918A7200C7756910CBA4

Function 03091008 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 03091082

Memory Dump Source

Source File: 0000000F.00000002.1977574951.0000000003090000.00000040.00000800.00020000.00000000.sdmp, Offset: 03090000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3090000_crypteda.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e21d39adcb94a4e3182c3c022e20538a4b96be17cc1f014c257c86f752be29fe
Instruction ID: f7429be4feb2b9faf9b085d91661a6e016d0a2fe3559ecbbd30793034cfca8ff
Opcode Fuzzy Hash: e21d39adcb94a4e3182c3c022e20538a4b96be17cc1f014c257c86f752be29fe
Instruction Fuzzy Hash: B42115B1D012599BDB14DFAAC884BDEFBB4FF48710F10851AE918A7200C7795940CBE4

Analysis Process: RegAsm.exePID: 5500, Parent PID: 4920COMMON

Executed Functions

Function 0041FE9D Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041FB56: CreateFileW.KERNELBASE(?,00000000,?,0041FF46,?,?,00000000,?,0041FF46,?,0000000C), ref: 0041FB73

GetLastError.KERNEL32 ref: 0041FFB1
__dosmaperr.LIBCMT ref: 0041FFB8
GetFileType.KERNELBASE(00000000), ref: 0041FFC4
GetLastError.KERNEL32 ref: 0041FFCE
__dosmaperr.LIBCMT ref: 0041FFD7
CloseHandle.KERNEL32(00000000), ref: 0041FFF7
CloseHandle.KERNEL32(?), ref: 00420144
GetLastError.KERNEL32 ref: 00420176
__dosmaperr.LIBCMT ref: 0042017D

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 8a6ad238e456dfb5c6acf6d43a8fdbc71dc0bcedd465f29062b7f109bfad7472
Instruction ID: bfa7e2cc036e27e26c30110013f893a37d44138e153881355e96e1974d99462b
Opcode Fuzzy Hash: 8a6ad238e456dfb5c6acf6d43a8fdbc71dc0bcedd465f29062b7f109bfad7472
Instruction Fuzzy Hash: 6AA14832A041148FCF19EF68EC91BAE3BA0AB06314F14016EF801EB3D2C7799857DB59

Function 004038B0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 401
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(shell32.dll), ref: 004038FA

Strings

shell32.dll, xrefs: 004038F5
.exe, xrefs: 004039D4, 004039E5, 00403C18, 00403C29
open, xrefs: 00403DF4, 00403E15
` H, xrefs: 0040392E

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .exe$` H$open$shell32.dll
API String ID: 1029625771-2834257608
Opcode ID: d4c97a5889b133242607335a8d42e56c099b9df17a057e4e584b721371644320
Instruction ID: 857efcede616dcd8c83fca5595c578517c5b7e2349eff73c2340159bc27b1389
Opcode Fuzzy Hash: d4c97a5889b133242607335a8d42e56c099b9df17a057e4e584b721371644320
Instruction Fuzzy Hash: F7E118312083408BE328DF28CD45B6FBBE5BF85305F144A2DF485AB2D2D779E5458B9A

Function 00411422 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041141C,00000016,0040BD88,?,?,10A27F86,0040BD88,?), ref: 00411433
TerminateProcess.KERNEL32(00000000,?,0041141C,00000016,0040BD88,?,?,10A27F86,0040BD88,?), ref: 0041143A
ExitProcess.KERNEL32 ref: 0041144C

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction ID: 9f5cffd960a9e5e784bd49b974cdbcfa3e36e1e28e8dab912b0267a8a3414f4f
Opcode Fuzzy Hash: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction Fuzzy Hash: 76D09E31100508AFCF117F61DC0DA993F2AAF44745B858025BA0556131CB3A9993EA5D

Function 00416D9F Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004164B2: GetConsoleOutputCP.KERNEL32(10A27F86,00000000,00000000,0040BDA8), ref: 00416515

WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC65,00000000,00000000,00000000,00000000,?,?,0040BC65,?,?,004328B8,00000010,0040BDA8), ref: 00416F08
GetLastError.KERNEL32(?,0040BC65,?,?,004328B8,00000010,0040BDA8,?,?,00000000,?), ref: 00416F12

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction ID: 2fa65d471856ac80343e11fa98bfc53c13d7c1330e77fa5001ed2fcda6fa269c
Opcode Fuzzy Hash: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction Fuzzy Hash: 9F61D675D00249AFDF10DFA9C844AEF7FB9AF09308F16415AF800A7252D339D986CB69

Function 00414D4D Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00414C34,00000000,CF830579,00432C48,0000000C,00414CF0,0040BCFB,?), ref: 00414DA3
GetLastError.KERNEL32(?,00414C34,00000000,CF830579,00432C48,0000000C,00414CF0,0040BCFB,?), ref: 00414DAD

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction ID: 85074f4f6ff141bd7efcce855698502eef5de44000b51f9bf88cca9df30e92f5
Opcode Fuzzy Hash: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction Fuzzy Hash: 77114C326041105ACB206675BC857FE27459BD2738F25025FF908C72C2EB388CC1529D

Function 00403ED0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004038B0,00000000,00000000,10A27F86), ref: 00403EF6
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403EFF

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 9419f3325bceeff1f49f4aa1ba74e54397c78aa36a806008d2e466c127b4d74a
Instruction ID: 586eb301f3ad505b2fb8a5e2c0845f04df15ed7da879dad1818cca3ffdf321d7
Opcode Fuzzy Hash: 9419f3325bceeff1f49f4aa1ba74e54397c78aa36a806008d2e466c127b4d74a
Instruction Fuzzy Hash: 7EE08675748300ABD720FF24DC07F1A3BE4BB48B01F914A39F595A62D0D6747404965E

Function 004143BC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction ID: 2b8528776d8d16502f0b8a76a82d10506d50424a6c704f85483994a1d03f90d6
Opcode Fuzzy Hash: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction Fuzzy Hash: 9D012D377001255FDF25CE6EEC40BDB3396EBC47243548536F914DB544DA34D8829759

Function 00413EE2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00413F1C

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: caa3c88317b3bbee83e5854bbea9c678844db8772e50a39c133be3f8c5400fb7
Instruction ID: ec9553a80a63d261aca480410fc230252e3ea256619d772961208cbce9478613
Opcode Fuzzy Hash: caa3c88317b3bbee83e5854bbea9c678844db8772e50a39c133be3f8c5400fb7
Instruction Fuzzy Hash: F6111871A0420AAFCF05DF58E9419DF7BF4EF48304F0440AAF805AB351D631DA15CBA8

Function 0041FB56 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,0041FF46,?,?,00000000,?,0041FF46,?,0000000C), ref: 0041FB73

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction ID: 28cfbda6749b70c9de2fbd9d245fef773b8951bf2dd70127050a9a6bf190398c
Opcode Fuzzy Hash: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction Fuzzy Hash: 05D06C3210010DFBDF128F84DC06EDA3FAAFB4C714F018010FA5856021C732E832AB94

Non-executed Functions

Function 0041EB91 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEAF,00000002,00000000,?,?,?,0041EEAF,?,00000000), ref: 0041EC2A
GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEAF,00000002,00000000,?,?,?,0041EEAF,?,00000000), ref: 0041EC53
GetACP.KERNEL32(?,?,0041EEAF,?,00000000), ref: 0041EC68

Strings

ACP, xrefs: 0041EBAF
OCP, xrefs: 0041EBE5

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction ID: c85fc144d60ddc6525dae33cd09e0d060d1fedf04b2ffe12a12074c054b5e7b8
Opcode Fuzzy Hash: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction Fuzzy Hash: 0D218E3A704104EADB38CF16CD05AD772A6AB54B54B5A8426ED0AD7304F73ADEC1C798

Function 0041ED66 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE72
IsValidCodePage.KERNEL32(00000000), ref: 0041EEBB
IsValidLocale.KERNEL32(?,00000001), ref: 0041EECA
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF12
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF31

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: cb1f43e0842fc1b57530168fcb5aadb50c479eb7f68bca799765aa874482350f
Instruction ID: 6dcde63b9ee3f13586b647639649f64518bbb4cfa058cf0b9fa01e7f3d3dbd24
Opcode Fuzzy Hash: cb1f43e0842fc1b57530168fcb5aadb50c479eb7f68bca799765aa874482350f
Instruction Fuzzy Hash: 2951A075A00206ABDF20EFA6DC45AEB77B8BF04700F49452AED11E7290D7789981CB69

Function 0041E402 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetACP.KERNEL32(?,?,?,?,?,?,00411ED1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4C3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411ED1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4EE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E651

Strings

utf8, xrefs: 0041E5C0

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 1eb3fb8f5e23b37753c7c554b08859c7808b39e1099525de27aec97b4695ee5a
Instruction ID: e1a377e19c5f71cd44c11824ea9e35987c280acd53c56ff76f51ea565ef0af36
Opcode Fuzzy Hash: 1eb3fb8f5e23b37753c7c554b08859c7808b39e1099525de27aec97b4695ee5a
Instruction Fuzzy Hash: AB71F779A00201BADB24AB77CC46BEB73A9EF44718F14442BFD05D7281FA7CE9818659

Function 00415625 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004156B2

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction ID: a35172905f2c9e80df687ae2f548e4ff91b5a56ee58bfd6494556f9989062819
Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction Fuzzy Hash: 44B16A72E00655DFDB11DF68C8817EEBBA5EF85310F14416BE815AB381D238DD81CBA9

Function 00407AF1 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407AFD
IsDebuggerPresent.KERNEL32 ref: 00407BC9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BE9
UnhandledExceptionFilter.KERNEL32(?), ref: 00407BF3

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction ID: e6d40a2ad45d1a0383389914ec1c7b177219f7559a83785ff08c1c1c590c79bb
Opcode Fuzzy Hash: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction Fuzzy Hash: 76314975D0521CDBDB21DFA0D989BCDBBB8BF08304F1040AAE40DAB290EB755A85CF49

Function 0041E815 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E869
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E8B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E979

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 70364720e12663236a414e2dcb1dce5353f717cfc86153b9853f2e5e3999c068
Instruction ID: 519a0177cb526aaaa458b2f6b8e716251f3c0a2969a148864a23d158d411bc59
Opcode Fuzzy Hash: 70364720e12663236a414e2dcb1dce5353f717cfc86153b9853f2e5e3999c068
Instruction Fuzzy Hash: 9B617B75A102079FEB289F26CD82BEA77A8FF44354F14417AED05C6681E738E981CB58

Function 0040DD68 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 0040DE60
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 0040DE6A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 0040DE77

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c9299be453f233d1f34e7b439eda9d176e6efb048eb56d82e46d8d1a49e6a2a2
Instruction ID: d2f4f48b52c025ad6b33b38734eeeb510d7991f02fac7d06ce453438f3003fcc
Opcode Fuzzy Hash: c9299be453f233d1f34e7b439eda9d176e6efb048eb56d82e46d8d1a49e6a2a2
Instruction Fuzzy Hash: A731C574D012289BCB21DF65D98978DBBB4BF58310F5041EAE41CA7290E7749F858F49

Function 0041B6DA Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 240dabf42296fc0716cf1df3a365cfd0642dfbeb5de634df910a17514a9db46b
Instruction ID: a6190f5805de9a564eec38dffe1fad162b0df58d225cb52605cfe5cd4e5bec91
Opcode Fuzzy Hash: 240dabf42296fc0716cf1df3a365cfd0642dfbeb5de634df910a17514a9db46b
Instruction Fuzzy Hash: 8A41A2B5904219AFDB20DF69CC89AEEBBB8EF45304F1441DEE418D3201DB359E858F54

Function 0041EA68 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041EABC

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9d790b3c45bb2bf0643d5e8ab68d8f402ebc04587a63254904ddd76dacdf4023
Instruction ID: 789565f62a9f3b81efb00754059a0722f9dd97d30215528fd29c40c366a42c5d
Opcode Fuzzy Hash: 9d790b3c45bb2bf0643d5e8ab68d8f402ebc04587a63254904ddd76dacdf4023
Instruction Fuzzy Hash: F1217136605206ABDB28DE26DC42AFB77A8EF44714B10407FFD06D6241EB79BD81CA58

Function 0041E6EF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

EnumSystemLocalesW.KERNEL32(0041E815,00000001,00000000,?,-00000050,?,0041EE46,00000000,?,?,?,00000055,?), ref: 0041E761

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c41bd8c13944af45959f55b7b285689f368a5b2ee216d29e3bbf5953bd320f82
Instruction ID: 3355e78b0c1919935c13ae0f7f932fd25516bb8159513c05bc37ad2f76743b3e
Opcode Fuzzy Hash: c41bd8c13944af45959f55b7b285689f368a5b2ee216d29e3bbf5953bd320f82
Instruction Fuzzy Hash: 6911E93B6007019FEB189F3AD8916FAB791FF80358B19442EE99687740E7757983C744

Function 0041EC97 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041EB12,00000000,00000000,?), ref: 0041ECC3

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction ID: a74d281951bb25d9d225ee6b49b477873636137a5a6801bc69a0b20bd4e45b62
Opcode Fuzzy Hash: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction Fuzzy Hash: BCF0A93AA00126BFDB245A269C45BFB7764EB40754F15442AED07A3280EA78FE82C6D4

Function 0041E5FD Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E651

Strings

utf8, xrefs: 0041E5C0

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: d3c02c1389eacca91a5e291a11e928c47885a93e678f07e32e4ca4d141b25baf
Instruction ID: c8b41ea417b063d59171f4d5afc3dd36f9caaff362045ecd69b67607d46fe07f
Opcode Fuzzy Hash: d3c02c1389eacca91a5e291a11e928c47885a93e678f07e32e4ca4d141b25baf
Instruction Fuzzy Hash: AFF0C836A10115ABC724AF35EC46FFA37E8EB88314F51057EFA02D7281DA7CAD458758

Function 0041E78A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

EnumSystemLocalesW.KERNEL32(0041EA68,00000001,45F1B473,?,-00000050,?,0041EE0A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0041E7D4

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 02464ed723b4c354a84e3378b332530d88ad943763cb876e16d480aee733ffc6
Instruction ID: 6c1b8be79df370ff527d3fdf83c27c448d8a6d1d4b53373dd59006919712f969
Opcode Fuzzy Hash: 02464ed723b4c354a84e3378b332530d88ad943763cb876e16d480aee733ffc6
Instruction Fuzzy Hash: 4AF0FC3A3003045FEB145F36DC816BABB95FF81758F15442EFD0647680D6755C82D714

Function 00414128 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040E0B6: EnterCriticalSection.KERNEL32(?,?,00412ECC,00000000,00432B68,0000000C,00412E93,0000000C,?,004140B7,0000000C,?,004152C9,00000001,00000364,?), ref: 0040E0C5

EnumSystemLocalesW.KERNEL32(0041411B,00000001,00432BE8,0000000C,0041454A,00000000), ref: 00414160

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: fc11d79f479730948cfa985309707b8b0dda7b619e314f4f66de2ebc116367d5
Instruction ID: bc8c9cdb39ea7b6907bdcd078d42f788ce3f3be240e1371db2048b296ab99c2e
Opcode Fuzzy Hash: fc11d79f479730948cfa985309707b8b0dda7b619e314f4f66de2ebc116367d5
Instruction Fuzzy Hash: FBF04F72A04204DFD710EF99E842B9C77B0FB84724F10412BF411EB2E1CBB959409B58

Function 0041E6A4 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

EnumSystemLocalesW.KERNEL32(0041E5FD,00000001,45F1B473,?,?,0041EE68,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E6DB

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a2ffc06d5736e119ec660f653c38e39955ecf1050f89d0cc871d51e530c5514b
Instruction ID: f4de27644733dcfc8870d4860b87f459398b730b02dc09fbb697d88a70ba3928
Opcode Fuzzy Hash: a2ffc06d5736e119ec660f653c38e39955ecf1050f89d0cc871d51e530c5514b
Instruction Fuzzy Hash: 2FF0EC3930024597CB149F36D8457AABF55EFC1714B97405AEE068B290C6759883C754

Function 0041464E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00412A37,?,20001004,00000000,00000002,?,?,00412039), ref: 00414682

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction ID: c8c0b9562f9231183dee5b7a6e52053c98a93abb6350c4165c74df5b9bb5bc08
Opcode Fuzzy Hash: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction Fuzzy Hash: D9E04831540118B7CF122F61DC04EEE7F15FF95751F064116FC0566161C7399961A69D

Function 00407C53 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007C5F,0040727A), ref: 00407C58

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 79dec9a97241ece6b8b7572846782a00b5d64aae3784071d2de835e605e51f4e
Instruction ID: 3c64f4b928e2e8a9299ff9da9a038668c79c2f648c86c238da55c8401a5bab25
Opcode Fuzzy Hash: 79dec9a97241ece6b8b7572846782a00b5d64aae3784071d2de835e605e51f4e
Instruction Fuzzy Hash:

Function 0041EFC8 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0041EFC8

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction ID: d5d072ba9748c195f736b78e16f2f5f2af1f06de213b616d404cea10f9c51eb0
Opcode Fuzzy Hash: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction Fuzzy Hash: 01A02230300280CF83808F32AE0CB0C3FF8AE082E0B0AC03AA000C80B0EF3080A0AF08

Function 00404B10 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404B3C
std::_Lockit::_Lockit.LIBCPMT ref: 00404B59
std::_Lockit::~_Lockit.LIBCPMT ref: 00404B7D
std::_Lockit::~_Lockit.LIBCPMT ref: 00404BA8
std::_Lockit::_Lockit.LIBCPMT ref: 00404C1A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C6F
__Getctype.LIBCPMT ref: 00404C86
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00404D68
std::_Facet_Register.LIBCPMT ref: 00404D6E

Strings

bad locale name, xrefs: 00404D88

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 103145292-1405518554
Opcode ID: 16ee915ab7cf0eeebb519dba0dd6371d05be51749d4f9f448169caa51adc919d
Instruction ID: 6e9f63e8d2ea1b6a4942e0921d9002d8c0fd89e6bfff9ad2541224c8a884b4bc
Opcode Fuzzy Hash: 16ee915ab7cf0eeebb519dba0dd6371d05be51749d4f9f448169caa51adc919d
Instruction Fuzzy Hash: D56191B19047408BE710DF65D981B5BB7E4AFD4304F05483EF989A7392E738E948CB5A

Function 0040A988 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0040AAA7
___TypeMatch.LIBVCRUNTIME ref: 0040ABB5
_UnwindNestedFrames.LIBCMT ref: 0040AD07
CallUnexpected.LIBVCRUNTIME ref: 0040AD22

Strings

csm, xrefs: 0040AADE
csm, xrefs: 0040A9C5
hqB, xrefs: 0040AA9E
csm, xrefs: 0040AA32

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$hqB
API String ID: 2751267872-961717235
Opcode ID: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction ID: 60820d6e0ecca0eb9fd5676567882ca170ad0f0461b4efe27468591c46910b05
Opcode Fuzzy Hash: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction Fuzzy Hash: D1B177719003099FDF24DFA5C9809AFB7B5FF14304B15456AE8017B282D339EA61CF9A

Function 00422D30 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042484F), ref: 00422D49

Strings

acos, xrefs: 00422E7F
exp, xrefs: 00422DC8, 00422E2D
sqrt, xrefs: 00422E88
log, xrefs: 00422DA6, 00422DB5
pow, xrefs: 00422DE7, 00422E91, 00422EDE
asin, xrefs: 00422E76
log10, xrefs: 00422D8B, 00422D9A

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 7b307bdfa77ac4e727fad644a701e6850a4604595a9cd81a6cd06f0e8c4ceaf9
Instruction ID: c72ee430fc5992e789082aa674a62eb4bc159944c4a08777ca012a565c4a57b4
Opcode Fuzzy Hash: 7b307bdfa77ac4e727fad644a701e6850a4604595a9cd81a6cd06f0e8c4ceaf9
Instruction Fuzzy Hash: C2515F71B0062AEBCF108F59FA481AE7BB0FB05304FD24157D891A7264CBBD8925DB5E

Function 0040717D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407183
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00407191
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071A2
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071B3

Strings

GetTempPath2W, xrefs: 004071A8
GetCurrentPackageId, xrefs: 0040718B
GetSystemTimePreciseAsFileTime, xrefs: 00407197
kernel32.dll, xrefs: 0040717E

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction ID: 3afd18a413fbafaec0d1884410ec314f69904bb85606d66d63126fe90f125993
Opcode Fuzzy Hash: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction Fuzzy Hash: 3CE0EC71749671AB83209F70BC0EDAA3AA4EE0971139205B2BD15D2361D6BC44559B9C

Function 00424315 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(010FCBE8,010FCBE8,?,7FFFFFFF,?,004245E5,010FCBE8,010FCBE8,?,010FCBE8,?,?,?,?,010FCBE8,?), ref: 004243BB
__alloca_probe_16.LIBCMT ref: 00424476
__alloca_probe_16.LIBCMT ref: 00424505
__freea.LIBCMT ref: 00424550
__freea.LIBCMT ref: 00424556
__freea.LIBCMT ref: 0042458C
__freea.LIBCMT ref: 00424592
__freea.LIBCMT ref: 004245A2

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: faf4b7bb4f82d6e060df7418f04cdf54d9d5ced2acf79a653a27d1271983cb36
Instruction ID: 2268128186bf180321159b17a5804e3cf269d1f4a161c5de96289f76b50a9a64
Opcode Fuzzy Hash: faf4b7bb4f82d6e060df7418f04cdf54d9d5ced2acf79a653a27d1271983cb36
Instruction Fuzzy Hash: 55711872B00225ABDF20AF94AC41BAF77A5DFC9714FA4001BEA54A7381D73CDC818769

Function 004142F1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,10A27F86,?,004143FE,004038D3,?,?,00000000), ref: 004143B2

Strings

api-ms-, xrefs: 00414348
ext-ms-, xrefs: 0041435C

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction ID: 29acd09180d048b520d34109221675969bd24e1d04ac4f63b004638bf800aa58
Opcode Fuzzy Hash: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction Fuzzy Hash: 9A210572B01218EBCB219B61EC45FDB3758AF81765F250222ED26A7380D738ED41C6D8

Function 00422220 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210f578ede6e8c57bcd3a2866613218aeec721f6e00fb4164bfe4fb791038aae
Instruction ID: 0fa8f66f13a9205f03f3c964acb7b0f3d35d0cf0561fe90a84cb6ac065f7fb8a
Opcode Fuzzy Hash: 210f578ede6e8c57bcd3a2866613218aeec721f6e00fb4164bfe4fb791038aae
Instruction Fuzzy Hash: 2FB1FA70B00265BFDB11DF59D980BAE7BB1BF85304F54815AE400AB392C7F99D42CB69

Function 0040A61A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040A611,00408D4A,00407CA3), ref: 0040A628
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A636
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A64F
SetLastError.KERNEL32(00000000,0040A611,00408D4A,00407CA3), ref: 0040A6A1

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction ID: 17c3b720e5989fb0f4645250ee9d2db9be2b1969e3f2a356d50bd165ba2ebccc
Opcode Fuzzy Hash: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction Fuzzy Hash: 4C01D2322083111EE62836B5BC456672678DB21378734023FF114B22E1EF7F1C11558D

Function 004114B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,10A27F86,?,?,00000000,0042533E,000000FF,?,00411448,?,?,0041141C,00000016), ref: 004114ED
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004114FF
FreeLibrary.KERNEL32(00000000,?,00000000,0042533E,000000FF,?,00411448,?,?,0041141C,00000016), ref: 00411521

Strings

mscoree.dll, xrefs: 004114E6
CorExitProcess, xrefs: 004114F7

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: da08a1f12de9d9fa0ab2bf8521bb4e597b9d9615b2022019d023aedce6e96a45
Instruction ID: 1c3cb0f38f93fbefe2a6f9ddff53ce04e6b84d498977bd807167e5d34d417036
Opcode Fuzzy Hash: da08a1f12de9d9fa0ab2bf8521bb4e597b9d9615b2022019d023aedce6e96a45
Instruction Fuzzy Hash: 3801A231B40625FFDB218F50DC09BBEBBB9FB44B15F400526E912A22A0DB789D00CA98

Function 00418EA1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00418F28
__alloca_probe_16.LIBCMT ref: 00418FE9
__freea.LIBCMT ref: 00419050

Part of subcall function 00415416: HeapAlloc.KERNEL32(00000000,?,?,?,0040743B,?,?,004038D3,0000000C), ref: 00415448

__freea.LIBCMT ref: 00419065
__freea.LIBCMT ref: 00419075

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: e87fd6e571ad0e28fa7a801ff3008c7610ce0f637704132bd005f8cf4c9e9da1
Instruction ID: 70ac7dc22d859429bcfaf21a5452dbaba508fd75fda8d3d1cad1bcbaee3c79d9
Opcode Fuzzy Hash: e87fd6e571ad0e28fa7a801ff3008c7610ce0f637704132bd005f8cf4c9e9da1
Instruction Fuzzy Hash: CE51C872600216AFEB249F65CC41EFB3AAAEF48754B15012EFD08D7250EB39DC918769

Function 00405A19 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405A20
std::_Lockit::_Lockit.LIBCPMT ref: 00405A2A

Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9

codecvt.LIBCPMT ref: 00405A64
std::_Facet_Register.LIBCPMT ref: 00405A7B
std::_Lockit::~_Lockit.LIBCPMT ref: 00405A9B

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 7fb8576a75b95fb445e58ecf22290f584e2f77657a518a4edd59b5f9bfd13557
Instruction ID: aa6d00897e01abd1bad4c0c36b67e0d55590054934450fdc9fe3478e464ff2ad
Opcode Fuzzy Hash: 7fb8576a75b95fb445e58ecf22290f584e2f77657a518a4edd59b5f9bfd13557
Instruction Fuzzy Hash: A001AD71A00A16CBCB05EB658881AAF7761EF84324F24052EF411BB3D2CF3C9E058F89

Function 00401F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407F9B,?,?,?,?,00407F9B,0000000C,00432FA4,0000000C), ref: 004080E0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::failbit set, xrefs: 00401E62, 00401F41
ios_base::eofbit set, xrefs: 00401F46

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 6416560fe7b3465a17b1f8f352e1428cd4f36e73f34119d908d19ba395871ba5
Instruction ID: d02687490f24597757631495c4e1f09aa39ba096523de16938e047820cfe1a48
Opcode Fuzzy Hash: 6416560fe7b3465a17b1f8f352e1428cd4f36e73f34119d908d19ba395871ba5
Instruction Fuzzy Hash: 7B1124B2910715ABC710DF58D801B96B3E8AF08310F14853FF954E7291F778A844CBA9

Function 0040B762 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B713,00000000,00000001,0043568C,?,?,?,0040B8B6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B76F
GetLastError.KERNEL32(?,0040B713,00000000,00000001,0043568C,?,?,?,0040B8B6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B66D), ref: 0040B779
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A583), ref: 0040B7A1

Strings

api-ms-, xrefs: 0040B786

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction ID: 6663bac76f2ed2691183a1b60790d81093b85d379b5950931f3594d96b826320
Opcode Fuzzy Hash: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction Fuzzy Hash: 95E01A34384208BFEF605B61EC06F5A3E64AB80B85FA04031FA0DE91E1E779A96195CC

Function 004164B2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(10A27F86,00000000,00000000,0040BDA8), ref: 00416515

Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416770
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167B8
GetLastError.KERNEL32 ref: 0041685B

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 9c03409dc5e3a637d6edbebb8196099dd852bb166edf4384a40f4e99c6182c37
Instruction ID: 23b960d84f86169114bff6dd91ebd8bfb000f40d43b919249b886c4f1d777fdd
Opcode Fuzzy Hash: 9c03409dc5e3a637d6edbebb8196099dd852bb166edf4384a40f4e99c6182c37
Instruction Fuzzy Hash: 57D17975E002589FCB11DFA8D880AEDBBB5FF48304F19452AE866E7341D734E882CB54

Function 0040A731 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040A7F8
___AdjustPointer.LIBCMT ref: 0040A81B
___AdjustPointer.LIBCMT ref: 0040A8B7

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction ID: 563ab20b51bfab9fbe5384d5980a8cd95d5d08f0ac2ebead566dcb8f0746e7f3
Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction Fuzzy Hash: 8E51CF72A003069FEB29AF11C941B7A77B4EF04314F14853FE8056B2D1E739E862C79A

Function 0041B497 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127

GetLastError.KERNEL32 ref: 0041B4FB
__dosmaperr.LIBCMT ref: 0041B502
GetLastError.KERNEL32(?,?,?,?), ref: 0041B53C
__dosmaperr.LIBCMT ref: 0041B543

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction ID: e5a019830a3c5c962b54c78c2afe39edf9115806d1ecbdc6188aeecc851efa14
Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction Fuzzy Hash: 3E21B371600615BFDB20AF6688809ABB7A9FF04368710C52FF91997251D778EC9087E8

Function 00410892 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction ID: 3ec36e4c3c4c4b3940ca693e254ce5ca1d14e98f6d28ba957a4fd44e2fb4f4c4
Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction Fuzzy Hash: E621D7B1210205AFEB20AF62CC609AB7768BF40368710452BF959D7252D7B8ECD087A8

Function 0041C42D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041C435

Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C46D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C48D

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction ID: 0fd12c7dda382d3999d10f706f970f90d8e04c4becb4264e138dc4c2bd032ff0
Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction Fuzzy Hash: 4F11C4B6605515BFA72127B25CDACFF6D5CDE89398710402BF901D2102EA3CDD8295BD

Function 004241D9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000), ref: 004241F0
GetLastError.KERNEL32(?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8,0040BDA8,?,00416E6D,?), ref: 004241FC

Part of subcall function 004241C2: CloseHandle.KERNEL32(FFFFFFFE,0042420C,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8,0040BDA8), ref: 004241D2

___initconout.LIBCMT ref: 0042420C

Part of subcall function 00424184: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241B3,00421C1F,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8), ref: 00424197

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8), ref: 00424221

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction ID: daf606a8d683033c96f790e5cebbb7c3d718dd05ed61dfd599687816ed725ea8
Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction Fuzzy Hash: E4F03736700124BBCF226F95FC0899A3F26FF453B1F454565FE1995130CA319870AB98

Function 0041029D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041032D

Strings

pow, xrefs: 00410305, 00410322

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction ID: fc6d2ca4dc19ba0b715d37a90518746425c4eaa4db822c587b4b2213400e0bc5
Opcode Fuzzy Hash: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction Fuzzy Hash: 6F519F71A0A60587CB157714DA413EB3B90AB00711F644D6BE8A1463E9EB7D8CF2DA8F

Function 00401E50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407F9B,?,?,?,?,00407F9B,0000000C,00432FA4,0000000C), ref: 004080E0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::failbit set, xrefs: 00401E62

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 50fcd3a1a371244ec7a0f3f24a710ecb3351835c0196af839c5ad707446f783d
Instruction ID: 4f5bf0a45fc4208832a8654eef8c337e9c06d50c54c87a988f481c954303cb93
Opcode Fuzzy Hash: 50fcd3a1a371244ec7a0f3f24a710ecb3351835c0196af839c5ad707446f783d
Instruction Fuzzy Hash: 7F4147B1504305AFC304DF29C841A9BF7E8EF89310F14862FF994A76A1E778E945CB99

Function 0040A420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0040A45F
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A513

Strings

csm, xrefs: 0040A4FD

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction ID: 18bede24dd224cfa91d1e00103c3baabbd685d05025061fa587fd2bb58ff80c9
Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction Fuzzy Hash: 8041D934A002189BCF10DF69C885A9E7BB0FF44318F14817BE8146B3D2D779A921CB9A

Function 0040AD2D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0040AD52

Strings

RCC, xrefs: 0040AD6C
MOC, xrefs: 0040AD64

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction ID: 578a82eb6ed92837561ac62ae5e682fef8a2830442736a5cd94d75dd4d38702e
Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction Fuzzy Hash: 2F417D71900209AFCF16DF94CD81AEEBBB5FF48304F19406AF9047B291D3399960DB95

Function 00407413 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407D98
___raise_securityfailure.LIBCMT ref: 00407E80

Strings

@SC, xrefs: 00407E7B

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: 42319827a0e0b74c587616dcc60c70791287d7417a5014e862dc5be5bea1f8a0
Instruction ID: c5c0fd815b2f08e14ceb602fe243d88e4d65426d2e31bcd62793ea7bd9420f3f
Opcode Fuzzy Hash: 42319827a0e0b74c587616dcc60c70791287d7417a5014e862dc5be5bea1f8a0
Instruction Fuzzy Hash: 972104B4640A009BD328CF15FD857983BF4BB68359FA0643AE9088B3B0D3B46484CF1E

Function 00407E93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407E9E
___raise_securityfailure.LIBCMT ref: 00407F5B

Strings

@SC, xrefs: 00407F56

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction ID: 2125179719012bf3b699bacd38cc00c528494cfbc9043f550ba33f2ea8b81d37
Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction Fuzzy Hash: DC11E3B4651A04DBC318CF15F8817883BB4BB28346B50B03AE8088B371E3B4A5958F5E

Function 00401870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401875
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA

Part of subcall function 0040589A: _Yarn.LIBCPMT ref: 004058B9
Part of subcall function 0040589A: _Yarn.LIBCPMT ref: 004058DD

Strings

bad locale name, xrefs: 004018C8

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction ID: fbb5483a5c0b3d6c860fa312477ba2c73c4b5eacc305877fe335d4945849315c
Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction Fuzzy Hash: D8F01261505B508ED370DF368404743BEE0AF25714F048E2ED4C9D7A91D379E508CBA9

Function 00405AAE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405AB5

Strings

pdB, xrefs: 00405AF1
1]@, xrefs: 00405ADB

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: 1]@$pdB
API String ID: 431132790-2574904542
Opcode ID: 73ce1e61eeabf46a09a1e5cf8c5bfbef05ff3b583e132448a225ea9f7212eaca
Instruction ID: 123d69972286fd69fb551aecc998dcfff066a917831aeb16d417dea724d1ca27
Opcode Fuzzy Hash: 73ce1e61eeabf46a09a1e5cf8c5bfbef05ff3b583e132448a225ea9f7212eaca
Instruction Fuzzy Hash: 1B01D6B4A00715CFC761DF28C540A5ABBF0FF08318B51896EE48ADB751D776AA40CF48

Function 004012D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004012D5

Part of subcall function 004055CE: std::invalid_argument::invalid_argument.LIBCONCRT ref: 004055DA

___std_exception_copy.LIBVCRUNTIME ref: 004012FC

Strings

string too long, xrefs: 004012D0

Memory Dump Source

Source File: 00000011.00000002.1984060520.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: 26fc9a0f88cba3b3d08977187bf2055019bce32afe2b0aefe6f2504baa2ffc18
Instruction ID: 272e35dc6304a19a67255a0f261e943e5561bca0c73071cc2d95ade12bed5fb2
Opcode Fuzzy Hash: 26fc9a0f88cba3b3d08977187bf2055019bce32afe2b0aefe6f2504baa2ffc18
Instruction Fuzzy Hash: DEE0C2B2A343119BD200AF94AC01986B6D99F55314712CA2FF444F3200F3B8A8808768

Analysis Process: muDv2ygaMe.exePID: 6200, Parent PID: 5500COMMON

Executed Functions

Function 00A9EB3A Relevance: 6.1, APIs: 4, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A9EBBE
GetCurrentThread.KERNEL32 ref: 00A9EBFB
GetCurrentProcess.KERNEL32 ref: 00A9EC38
GetCurrentThreadId.KERNEL32 ref: 00A9EC91

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 5d7bde29c69ba42b081eadd74f5dbd58eda80c479684166864d0d9561cbce936
Instruction ID: 9343a218b0e8d477f9f6ff9fe2d7c38f90c0142b3ba1d0bcc501fb97ee982c85
Opcode Fuzzy Hash: 5d7bde29c69ba42b081eadd74f5dbd58eda80c479684166864d0d9561cbce936
Instruction Fuzzy Hash: F25155B09007098FEB14DFAAD548BDEBBF1EB88314F20C459E419A7251D778A944CF65

Function 00A9EB40 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00A9EBBE
GetCurrentThread.KERNEL32 ref: 00A9EBFB
GetCurrentProcess.KERNEL32 ref: 00A9EC38
GetCurrentThreadId.KERNEL32 ref: 00A9EC91

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7f95ea908992161dcbb0ea5ac9017c1eed1e7111a560662a1cde73e4fa05e149
Instruction ID: 60433142e7010d4dfab8d340f26696c0902866bcbc9cd2045fa8c0fa0dc4ca1f
Opcode Fuzzy Hash: 7f95ea908992161dcbb0ea5ac9017c1eed1e7111a560662a1cde73e4fa05e149
Instruction Fuzzy Hash: 925154B0A007098FEB14DFAAD548BEEBBF1EB88314F208459E409A7351D778A944CF65

Function 00A9C8A0 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A9CB06

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 33b309e03287a2c7e415015fd72a2da302dd4121580b1f5ede2cd876ce570558
Instruction ID: f02f560a06e9756ca7db1ff9c9925a302a75979cb7a9b7e214be57bd6d455023
Opcode Fuzzy Hash: 33b309e03287a2c7e415015fd72a2da302dd4121580b1f5ede2cd876ce570558
Instruction Fuzzy Hash: 97816870A00B059FDB24DF6AD44579ABBF5FF88310F00892ED48ADBA40EB75E945CB90

Function 00A9456C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A95A49

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: dc842d2233814004863d10a261e1530693f5b339eabc054fd5304dc21341af03
Instruction ID: d55a2de1d55dc820426541127967f3d933d6eea857a684d155ec06bf49430b3a
Opcode Fuzzy Hash: dc842d2233814004863d10a261e1530693f5b339eabc054fd5304dc21341af03
Instruction Fuzzy Hash: 7B41D270D0071CCBDB24CFAAC888B9EBBF5BF49704F60816AD408AB251DBB56945CF90

Function 00A9598C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00A95A49

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2de3ef7d9332f0e47d3efe032d627dd3b44687faf67f45f361234f48776eeba0
Instruction ID: 9d91280c9979e9862957de167ce26708fcbcf9aa60cf1803a69296bcc9aafb06
Opcode Fuzzy Hash: 2de3ef7d9332f0e47d3efe032d627dd3b44687faf67f45f361234f48776eeba0
Instruction Fuzzy Hash: 8F41E070D00718CBDB24DFAAC8887DEBBF5BF49304F64856AD408AB251DB756946CF90

Function 08471048 Relevance: 1.6, APIs: 1, Instructions: 81
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageW.USER32(?,?,?,?), ref: 084710FD

Memory Dump Source

Source File: 00000012.00000002.2012129062.0000000008470000.00000040.00000800.00020000.00000000.sdmp, Offset: 08470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8470000_muDv2ygaMe.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f53862f7c32e16f9a37d82635d6a4364b60dbc87d9c30d442dabc9a58e0d5391
Instruction ID: f36a330c8693ab6b9ed8223e9a1c79f65788539e57f5d68fe104e8d05bd50ddc
Opcode Fuzzy Hash: f53862f7c32e16f9a37d82635d6a4364b60dbc87d9c30d442dabc9a58e0d5391
Instruction Fuzzy Hash: 0B217AB19003489FDB14DFAAD489BDEBBF8FB48720F10845AE419A7351C775A945CFA0

Function 08471B09 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32(?,00000000), ref: 08471B8C

Memory Dump Source

Source File: 00000012.00000002.2012129062.0000000008470000.00000040.00000800.00020000.00000000.sdmp, Offset: 08470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8470000_muDv2ygaMe.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: adb8c3177b4f74d83780af4188b7ebdb51a7797c9303a64799e7c47cfd4b43e9
Instruction ID: b820dfbc61259bb3a45c0802c0457a8eff0bc437345c8601d87a7172a4e1b961
Opcode Fuzzy Hash: adb8c3177b4f74d83780af4188b7ebdb51a7797c9303a64799e7c47cfd4b43e9
Instruction Fuzzy Hash: 762107B2D017099FDB14CF9AD884ADEFBF9EB58310F14842ED919A3340E3789905CB64

Function 00A9ED80 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9EE0F

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 7bb5309280d01acbe0d1ea5b89632cbfd7391f821c2deb7d1275e11bae514ed9
Instruction ID: 1f7dfa1a65a9ae911e7c2c2a739d9fc1cec03920fd8448e74988ba663a7d4c6f
Opcode Fuzzy Hash: 7bb5309280d01acbe0d1ea5b89632cbfd7391f821c2deb7d1275e11bae514ed9
Instruction Fuzzy Hash: 7621E3B5900649AFDB10CFAAD984ADEFFF5EB48320F14801AE918A7350D378A954CF61

Function 00A9ED88 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00A9EE0F

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 27568c746a32bedd6a349f3e067ee6bfe25c10d5080208e02a114fdaa674ea60
Instruction ID: 860c536923771862c731555784095a110aba2325f1eb6b31aa304d9890e73fda
Opcode Fuzzy Hash: 27568c746a32bedd6a349f3e067ee6bfe25c10d5080208e02a114fdaa674ea60
Instruction Fuzzy Hash: 5F21D5B5900348AFDB10CFAAD984ADEFBF9FB48310F14841AE918A7350D378A954CF65

Function 08471B10 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassInfoW.USER32(?,00000000), ref: 08471B8C

Memory Dump Source

Source File: 00000012.00000002.2012129062.0000000008470000.00000040.00000800.00020000.00000000.sdmp, Offset: 08470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8470000_muDv2ygaMe.jbxd

Similarity

API ID: ClassInfo
String ID:
API String ID: 3534257612-0
Opcode ID: 9e580c5be18a407e3f2bdf4379fd024a56d41ca83235eca906221d8020146b02
Instruction ID: 5a8ec17a464cec864b945772c17383c36f5b050371a672208cd21be6dabe4cdb
Opcode Fuzzy Hash: 9e580c5be18a407e3f2bdf4379fd024a56d41ca83235eca906221d8020146b02
Instruction Fuzzy Hash: CC21E4B5D017099FDB14CF9AD884ADEFBF9EB48320F14802ED919A3340D378A944CB65

Function 00A9C578 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9CB81,00000800,00000000,00000000), ref: 00A9CD92

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 72a1da059c2b7fa554ceb7a16b83c75f789d872e70e3ad5ab55f73595edf2ad2
Instruction ID: 7b8edb456b99e22b0c96251f8c185c1edd9279fa604fc6fc9ab6d45aabba4d0d
Opcode Fuzzy Hash: 72a1da059c2b7fa554ceb7a16b83c75f789d872e70e3ad5ab55f73595edf2ad2
Instruction Fuzzy Hash: 241126B69007489FDB10CF9AD848BDEFBF5EF48720F10842AD919A7210C379A945CFA4

Function 00A9CD20 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00A9CB81,00000800,00000000,00000000), ref: 00A9CD92

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 19fc00a7b5ab5fdf70a232285fc85eb8717f77028c7f58cb75329bf257918550
Instruction ID: 9f8cc5de7928b6be25b84cd415624997619ea83d40bf5c48771d56cce2f2184f
Opcode Fuzzy Hash: 19fc00a7b5ab5fdf70a232285fc85eb8717f77028c7f58cb75329bf257918550
Instruction Fuzzy Hash: EC1114B69006498FDB10CF9AD444BDEFBF5EB48720F10842AD419A7210D379A945CFA4

Function 0847DD22 Relevance: 1.6, APIs: 1, Instructions: 51
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0847DD87

Memory Dump Source

Source File: 00000012.00000002.2012129062.0000000008470000.00000040.00000800.00020000.00000000.sdmp, Offset: 08470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8470000_muDv2ygaMe.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: f04d040cf1c3c94c9d503f83c3105b4f02518020c60e507b10ba2bc036589b3c
Instruction ID: 4701731f494eacd6f8fb355542d15b7dfd1ad9fc74f7ceaaa004eac08d67de6d
Opcode Fuzzy Hash: f04d040cf1c3c94c9d503f83c3105b4f02518020c60e507b10ba2bc036589b3c
Instruction Fuzzy Hash: 2A112571D007488FDB20DFAAD8497DEBBF5EF48624F14882AC459A7240CB79A545CFA0

Function 0847DD28 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 0847DD87

Memory Dump Source

Source File: 00000012.00000002.2012129062.0000000008470000.00000040.00000800.00020000.00000000.sdmp, Offset: 08470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_8470000_muDv2ygaMe.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 71cea76f1eecdfc650ae9afcdd7a838732752652658032d40fa45de97f484869
Instruction ID: a9afc3684ede9c2ea78f5be66765723d2924d12ed247425c51a0b5218cc1f1dc
Opcode Fuzzy Hash: 71cea76f1eecdfc650ae9afcdd7a838732752652658032d40fa45de97f484869
Instruction Fuzzy Hash: 39112571D007488BDB20DFAAC4487DEBBF5EF48624F14842AC419A7240CB79A544CFA4

Function 00A9CAA0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00A9CB06

Memory Dump Source

Source File: 00000012.00000002.2002403210.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_a90000_muDv2ygaMe.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 5b2687c904963bdc84dd5e8c93c12e31c3e31218d579cc08a5b4d6e0d5f6a1eb
Instruction ID: d413d40c97d78c7d2be3b38414eb702477cb244c46550263e9f28e50bcf68dad
Opcode Fuzzy Hash: 5b2687c904963bdc84dd5e8c93c12e31c3e31218d579cc08a5b4d6e0d5f6a1eb
Instruction Fuzzy Hash: CD11E0B5D007498FDB10CF9AD444BDEFBF5EB88324F10841AD829A7610C379A545CFA5

Function 0097D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2001679144.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_97d000_muDv2ygaMe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3460e90ae909ba1c2cac93c3674c6b41c69e3bc736ff90efb029bd45d2067c19
Instruction ID: cd4cc509cdd4e6dff4a868db8bc040420adf0718d410e09712df16da466cc817
Opcode Fuzzy Hash: 3460e90ae909ba1c2cac93c3674c6b41c69e3bc736ff90efb029bd45d2067c19
Instruction Fuzzy Hash: AE21F1B2500304DFDB04DF10D9C0B16BB75FF98328F24C569E8090B25AC33AD856CAA2

Function 0098D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2001851107.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_98d000_muDv2ygaMe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb36db79a1979589de3746873c5aa1a3116fea86755e2cb982d7c4776baf918
Instruction ID: d380fc975208cfb19909f2497c5934788b96a79282a6cbb2b10a3c06eca02f7d
Opcode Fuzzy Hash: 1eb36db79a1979589de3746873c5aa1a3116fea86755e2cb982d7c4776baf918
Instruction Fuzzy Hash: DA21D071604344EFDB14EF10D984B26BB65FB84314F20C969D84A4B396C33AD847CB62

Function 0098D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2001851107.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_98d000_muDv2ygaMe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97e4b246eba257ca375e3a0846fcae0d57a92e8ee9e4f237a0adf7520c4d5c14
Instruction ID: 1e420c7a1ab8346ea502eacbd2feee67535a0a48a7dc3da117e12d4d92b0ee1f
Opcode Fuzzy Hash: 97e4b246eba257ca375e3a0846fcae0d57a92e8ee9e4f237a0adf7520c4d5c14
Instruction Fuzzy Hash: 4521D0B1504304AFDB05EF50D9C0F26BBA5FB84314F20CA69E8594B392C33AD846CB61

Function 0098D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2001851107.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_98d000_muDv2ygaMe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8dd96a952f55d8a7a369790c8fa541d892b064776d5a34c20a87489c3a565f8
Instruction ID: 2c79a19d6f8c395a9d30c83368d45ef122facb0a574ee020a9c39b9052c509e9
Opcode Fuzzy Hash: a8dd96a952f55d8a7a369790c8fa541d892b064776d5a34c20a87489c3a565f8
Instruction Fuzzy Hash: B1218E755093808FCB02DF20D994715BF71EB46314F28C5EAD8898B6A7C33A980ACB62

Function 0097D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2001679144.000000000097D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0097D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_97d000_muDv2ygaMe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction ID: 5d8242ea8d630564c71c97ed45557d320e4dfe4c4c4a6f243d4ac85bbc1708d3
Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction Fuzzy Hash: 8811E676504240CFCB15CF10D5C4B16BF72FF94328F24C6A9E8090B65AC33AD856CBA1

Function 0098D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2001851107.000000000098D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0098D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_98d000_muDv2ygaMe.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction ID: dffd0776752fdc7a2e506c55c969764ebf25a9aa0942205cbb7110a399264dac
Opcode Fuzzy Hash: dd2c54e641c636489e18f71c5e932094e1140b5f592d34fffac0146327057262
Instruction Fuzzy Hash: A611BB75504280DFDB01DF10C5C4B15BBA2FB84314F24C6A9D8494B796C33AD84ACB61

Analysis Process: ER1CZAgbcY.exePID: 2548, Parent PID: 5500COMMON

Executed Functions

Function 062B3838 Relevance: 1.0, Instructions: 1015
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d40cc16a42fff67a39148729d75757f039ee9a8e59c77e949b8b972366a7af4
Instruction ID: 94118f9171cf9c2e7672839e92527bddf1b4a12498468c113d077db72010f5d8
Opcode Fuzzy Hash: 8d40cc16a42fff67a39148729d75757f039ee9a8e59c77e949b8b972366a7af4
Instruction Fuzzy Hash: 30824C34B102159FCB44DF68C994EAEBBF6EF89700F148099E606DB3A6CA71DD41CB61

Function 062C3F50 Relevance: .5, Instructions: 524COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5bcb4d9c6af92b012bcf87d1f3ba00bea7fa3182a2090e2b9e1c8588ac4d67
Instruction ID: b201cb46494cd9127bfeb1c94ba4292fc234b16b6b2379ae23d682bb519c0dea
Opcode Fuzzy Hash: 3a5bcb4d9c6af92b012bcf87d1f3ba00bea7fa3182a2090e2b9e1c8588ac4d67
Instruction Fuzzy Hash: D5127F34B106158FDB54DF68C894AAEBBF6BF88710B2481ADE805EB361DB71DC41CB90

Function 062C67D0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a392abdfbb810944384906f811fbd57c772763de064dba4093945606f5a70144
Instruction ID: a1f570b79aa025195a641ffc592a49645bc66de3704d181f1c6b4489a2035457
Opcode Fuzzy Hash: a392abdfbb810944384906f811fbd57c772763de064dba4093945606f5a70144
Instruction Fuzzy Hash: 41F19131A102099FDB15DF68D884B9EBBF2FF88310F148669E405EB2A1DB35ED45CB91

Function 062CA3B7 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17133e12102a234246cb9f986c32687189db9048debf3109053b2509f94ef1c
Instruction ID: 523236974cf20c38e02f6706fac1ca15ed481d5a5eabbe1f31717a7bf4c3b718
Opcode Fuzzy Hash: a17133e12102a234246cb9f986c32687189db9048debf3109053b2509f94ef1c
Instruction Fuzzy Hash: 19D1F434D00218CFCB54EFB4D854AADBBB2FF8A301F1095ADD54AAB294DB359986CF11

Function 062CA3E8 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ab050a4907d6849a15d6132f46a143e2f44faaa451680e47624dc37e42fdc23
Instruction ID: 1b1325758e0674ccc6619cffb3aa32832add8040ef1fc8ae0d0e2b30bf61d189
Opcode Fuzzy Hash: 4ab050a4907d6849a15d6132f46a143e2f44faaa451680e47624dc37e42fdc23
Instruction Fuzzy Hash: D1D1D334E00218CFCB58EFB4D854A9DBBB2FF8A301F109669D51AAB294DB355985CF11

Function 062B0597 Relevance: 1.7, Strings: 1, Instructions: 462
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lPj, xrefs: 062B059C

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: lPj
API String ID: 0-2102322720
Opcode ID: 5649d0f068fc6b90856d41c48a806a7fc62182365af0e975e97883fbeb689dce
Instruction ID: 7e65a13e89d51a4bbf4566d4cb60bdbae419dacff6acb414f9c8d76b175b8943
Opcode Fuzzy Hash: 5649d0f068fc6b90856d41c48a806a7fc62182365af0e975e97883fbeb689dce
Instruction Fuzzy Hash: 5B02AC30B10711CFDB55AB64D854B6E76B2FFC5B04F009918E902AF391CBB9ED458B92

Function 0102AE30 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0102B086

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ecedfe9f933784cd4aaf98b81c4dbc51c6a8e46c067abe92570e53f415f0d351
Instruction ID: 000a7ade31dc8b7a37a668e9dae681619bd5c66341b640db67ea9e1e2151cbc5
Opcode Fuzzy Hash: ecedfe9f933784cd4aaf98b81c4dbc51c6a8e46c067abe92570e53f415f0d351
Instruction Fuzzy Hash: CD7138B0A00B15CFDB64DF69D441B5ABBF5BF88700F00896DD48A87A40DB79E846CB91

Function 01024248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010259F1

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: fbe7269e6063d685915c383bb278a3f7065fb0bc936d3eaa18195254382ae362
Instruction ID: cd1adb0996536424adafedac2ca8a2b56c374aa5933e91233ac9e8db2f97c2b2
Opcode Fuzzy Hash: fbe7269e6063d685915c383bb278a3f7065fb0bc936d3eaa18195254382ae362
Instruction Fuzzy Hash: 4641B0B0D00728CBDB24DFA9D884BDEBBB5BF49704F24806AD408AB251DB756946CF94

Function 01025935 Relevance: 1.6, APIs: 1, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 010259F1

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6346ad86c5dc4d23175c7b8614dee880c9ea9b1664660e96326dd165e7af9d5e
Instruction ID: 7156cbab93dab46f965236b7447d305cc1532b9055b89e11f4ad0a833883f641
Opcode Fuzzy Hash: 6346ad86c5dc4d23175c7b8614dee880c9ea9b1664660e96326dd165e7af9d5e
Instruction Fuzzy Hash: D841BFB0D00728CFDB24CFA9D884BDEBBB5BF49704F24806AD448AB251DB756946CF90

Function 0102A858 Relevance: 1.6, APIs: 1, Instructions: 85
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0102B101,00000800,00000000,00000000), ref: 0102B312

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 701c9eadf5c05c42a9ad171b4714f0948a73be3c46996c72309d3ec30982416e
Instruction ID: 73f50c009b8929f1b5eab3498a2e58283c5d92c8d94a372d8860b3cad14742a4
Opcode Fuzzy Hash: 701c9eadf5c05c42a9ad171b4714f0948a73be3c46996c72309d3ec30982416e
Instruction Fuzzy Hash: 1D31BCB6805398CFEB15CFAAD844BEEBFF4EB89310F04805AD594A7611C3789505CFA5

Function 0102C9A0 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0102D2C6,?,?,?,?,?), ref: 0102D387

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 382b441cfe26595e3e03261dcf64529b8f73a6c2cae2226b3dcf69a12ac8c1f0
Instruction ID: c35cc08349a329b2df639d42d69c29f9a11f90955987ee82b2e5ddc0c8a12e72
Opcode Fuzzy Hash: 382b441cfe26595e3e03261dcf64529b8f73a6c2cae2226b3dcf69a12ac8c1f0
Instruction Fuzzy Hash: D721E6B5900358DFDB10CF9AD884ADEFBF9EB48710F14841AE958A7310D378A950CFA4

Function 0102D2F9 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0102D2C6,?,?,?,?,?), ref: 0102D387

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 2560eac3ab455d72f1e48f1ad1d16e6f30a3359d9d89df60bfebdaae8a8541da
Instruction ID: 1bae06d42695101b41842942cd42499c9d41a90ae85f3083c8596b8fca878d8b
Opcode Fuzzy Hash: 2560eac3ab455d72f1e48f1ad1d16e6f30a3359d9d89df60bfebdaae8a8541da
Instruction Fuzzy Hash: BE21E6B5D00258DFDB10CF9AD985ADEBBF5EB48310F14841AE918A3310C378A950CF60

Function 062C59D8 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 062C5C29

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: fa3e5419944126b4ca33539b1a791b1405fd254b26aa2824fb92172caded84cc
Instruction ID: 8a6aa6a1d69147aa679ba15a23bd73af89e628016b6db26f397474d2a5877357
Opcode Fuzzy Hash: fa3e5419944126b4ca33539b1a791b1405fd254b26aa2824fb92172caded84cc
Instruction Fuzzy Hash: 44C15B35610606CFC724CF19C88096ABBF2FF88320B55CA5DD85A9B6A1DB30FD56CB90

Function 0102A870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0102B101,00000800,00000000,00000000), ref: 0102B312

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c6123630d89e73ddc2a474f81623e50c07cdcb16f16f0f5a5c08b95dcb2ba569
Instruction ID: a1cae20ef4fd0cc3b88106d534040fa5cc057db02015b158a7f5a627d73708aa
Opcode Fuzzy Hash: c6123630d89e73ddc2a474f81623e50c07cdcb16f16f0f5a5c08b95dcb2ba569
Instruction Fuzzy Hash: 471114B6C003499FDB14CF9AD844BDEFBF9EB88710F14842AD959A7200C379A545CFA4

Function 0102B2A0 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0102B101,00000800,00000000,00000000), ref: 0102B312

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 030ea0a7c1b20357a28ee0a32aaaed515d0f71097cd6f4961e451a57291d80f0
Instruction ID: 04863a2849b446aabe410fc055c57f410956a396993464498db207b833a5a99e
Opcode Fuzzy Hash: 030ea0a7c1b20357a28ee0a32aaaed515d0f71097cd6f4961e451a57291d80f0
Instruction Fuzzy Hash: 471129B6C003499FDB14CF9AD444BDEFBF5EB48710F14841AD959A7200C379A545CFA4

Function 0102B020 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0102B086

Memory Dump Source

Source File: 00000014.00000002.2133262354.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_1020000_ER1CZAgbcY.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 79f7171a3719acc555948b1dd041c9809989c6d31cdf39111b0cf7aaf3004ffe
Instruction ID: 4daeede61569af04de4d29d604e82ac46904f6560f1ff3edcf5fd301b098e5c5
Opcode Fuzzy Hash: 79f7171a3719acc555948b1dd041c9809989c6d31cdf39111b0cf7aaf3004ffe
Instruction Fuzzy Hash: 1B110FB5C007498FDB24CF9AC844ADEFBF9AB88620F14841AD568A7210C379A545CFA5

Function 062B1BA0 Relevance: 1.4, Instructions: 1444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69133abcf71e8e7b4ea362400c79f4097eee6154a717094c9c814a19f316e2c4
Instruction ID: a4cd12b6fc737b3be9848b22782a592bab50eb4ab7baec097318d4bbeca2c346
Opcode Fuzzy Hash: 69133abcf71e8e7b4ea362400c79f4097eee6154a717094c9c814a19f316e2c4
Instruction Fuzzy Hash: F9C23D30B10218DFDB55DF64CD54BAEB7B6EF88700F108099EA06AB3A1DB719E85CB51

Function 062B00D8 Relevance: .7, Instructions: 676
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b82fdd1f411fe1b8986abadc308b3592be58a6c0725bb2d86160ae4971ccedb
Instruction ID: b5e20797f3a2644cd243d075d6e6b6e5745426b76dfcd0803c925086251e389c
Opcode Fuzzy Hash: 9b82fdd1f411fe1b8986abadc308b3592be58a6c0725bb2d86160ae4971ccedb
Instruction Fuzzy Hash: 5142AC307107158FDB69AF68D850A6E76B2FFC5B04B405A1CD503AF390CBB9EE458B92

Function 062B0D80 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1740af33dfb0d9966239bf5b2f271e8e6b3327b8452b8983c7729b7c4c31957
Instruction ID: a98486760761e493c62a047d4b8cc1c054dfbb188960850796e7202095acf16c
Opcode Fuzzy Hash: b1740af33dfb0d9966239bf5b2f271e8e6b3327b8452b8983c7729b7c4c31957
Instruction Fuzzy Hash: 3222F430B202458FDB55DB68C858AAE7BF6FF89700B14945AED06DB3A2CB70DC51CB91

Function 062C48B8 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21fdf019b1060e8b154512c89abcc18fdf83475c8d8de5a2c265178f631d552d
Instruction ID: 70117ccdb0dd87aebd9f96927a69528a396e0d5fb217663e2b0152631fcb6adb
Opcode Fuzzy Hash: 21fdf019b1060e8b154512c89abcc18fdf83475c8d8de5a2c265178f631d552d
Instruction Fuzzy Hash: 7F325B35B106018FDB54EF29C894A6ABBF6FF89710B1585ADE806CB362DB30EC45CB51

Function 062B060F Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6032e9709b6a1e3cf5fef2be327c15d97e3634ac03cca8deb90273265ef9dfa1
Instruction ID: 3a28bd9c17842f10c849d61e7f342bfaf674622698f5270c285168ecc4c2f65c
Opcode Fuzzy Hash: 6032e9709b6a1e3cf5fef2be327c15d97e3634ac03cca8deb90273265ef9dfa1
Instruction Fuzzy Hash: 37028C30B20711CFDB55AB64D954B6E76B2FF89B04F009418E902AF391CBB9ED45CB92

Function 062B1584 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91df27751968210140bba74dbd0faf325635c4029267ef7c3f6e04fc59ce4eee
Instruction ID: 2f998eb0ccb96928835446f047a82a3d172da16fecc4807945ce0eb6523426a0
Opcode Fuzzy Hash: 91df27751968210140bba74dbd0faf325635c4029267ef7c3f6e04fc59ce4eee
Instruction Fuzzy Hash: 61C11434B102029FEB559B68C868B6A77F6FF89700F109459D9028B391DFB5DC51CBA1

Function 062B00B8 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a008665249ebc27794ef364e9dc3ddc6ab5bae14a24b7c180653cc6b6b750a7
Instruction ID: d582f5977b633ecf2c436b5558401707387099084e3de657c1bdac231975cfb1
Opcode Fuzzy Hash: 8a008665249ebc27794ef364e9dc3ddc6ab5bae14a24b7c180653cc6b6b750a7
Instruction Fuzzy Hash: 46C1A134B20201DFEB46EB64C958B6E7BB6FF89700F149059E902AB3A1CBB5DD41CB51

Function 062B067A Relevance: .3, Instructions: 329COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6388b71e156cfb0e6e8809e7b2632ab62f35a5db53d529d2e5d14631d3f57fd
Instruction ID: 7058448b51c677288354ea32be5ee83dc7c9701b8192064c0c9f85c357dd86c2
Opcode Fuzzy Hash: b6388b71e156cfb0e6e8809e7b2632ab62f35a5db53d529d2e5d14631d3f57fd
Instruction Fuzzy Hash: EDC19E34B20201DFEB45EB64C958B6E76B6FF89B04F109055EA02AF3A1CBB5DD81CB51

Function 062B06FF Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c9d059427a313b104fb2b3f6d53dc3ceeb47e771620777a0cf3c21eae3149a
Instruction ID: ecb6898e46fced8cf56694325a0b3a788e165a299e9be6366ff17c32f095f08b
Opcode Fuzzy Hash: 18c9d059427a313b104fb2b3f6d53dc3ceeb47e771620777a0cf3c21eae3149a
Instruction Fuzzy Hash: D8B1B134B20201DFEB45EB64C948B6E76B6FF89B04F109055EA029F3A1CBB5DD41CB51

Function 062C48A8 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02c70ad5c2253602572007be6cec7864700e4effeae340bb3a5ef1289860af92
Instruction ID: f9bba1453251b15f63f1beb3177805ba312ee1a37eaa492765d66757760751d8
Opcode Fuzzy Hash: 02c70ad5c2253602572007be6cec7864700e4effeae340bb3a5ef1289860af92
Instruction Fuzzy Hash: F3B16A34B106058FCB54EF29D894A6EBBF6BF88714B1545ADE806DB362DB30ED05CB50

Function 062C3F3F Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491fe508cccc87b0a375b739c35e7eb7ee4c4de38ba62880a0724c5fa0f8cb16
Instruction ID: 2f6c661c62dd472d179ae7debfd23ab94b2584dc2a914e74aeb23499ab3d1e25
Opcode Fuzzy Hash: 491fe508cccc87b0a375b739c35e7eb7ee4c4de38ba62880a0724c5fa0f8cb16
Instruction Fuzzy Hash: CB614C30F106168FCB54DF69C890AAEBBF6BF88610B14826DD905EB365DB71DC01CBA1

Function 062C7D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72a84fe94df9389270b34996cfe8592fa19c10d01b5b5b80d088e577ba643af
Instruction ID: 6af30733a3db94583dbfaeaab82422ebc0af2dd572ff178be6a62a0117055902
Opcode Fuzzy Hash: f72a84fe94df9389270b34996cfe8592fa19c10d01b5b5b80d088e577ba643af
Instruction Fuzzy Hash: 26512771E10259DFDB54CFA9D880BDEBBF6AF88710F14862AD815AB244DB749841CF90

Function 062B2FC8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa8fb4cb686045152b0757196e647f6e4e55fe646385c787686a4435e331ee2e
Instruction ID: 824512a38beb01df2c30f42d025fd1ee1e6fd342a2b9be30ceda31ca2d1a1891
Opcode Fuzzy Hash: aa8fb4cb686045152b0757196e647f6e4e55fe646385c787686a4435e331ee2e
Instruction Fuzzy Hash: CF511735B202199FCB54CF69C894A9EBBF6FF88710B158069ED09AB361DB71EC05CB50

Function 062B34D8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f75f5ef061e7b23ea9bdbcc5601e78e4a10f950ddba4c0d9859cc16ba1fb8e
Instruction ID: 54c241ce9b3fda6449ab3963ae66b8e1b64a0e2fc168ea0538ff1618513a5526
Opcode Fuzzy Hash: a5f75f5ef061e7b23ea9bdbcc5601e78e4a10f950ddba4c0d9859cc16ba1fb8e
Instruction Fuzzy Hash: 5D514835B206199FCB44DF69C88499EBBF2FF89710B118069E905AB361DB71EC45CB60

Function 062C7D4C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69a31a59e596e03a31ddadd36256939e1115db70f876c3292070b2c1151b135
Instruction ID: 6572398051d8227db0a49446193d51e7868445b133e85fc0a14618b872b93c49
Opcode Fuzzy Hash: a69a31a59e596e03a31ddadd36256939e1115db70f876c3292070b2c1151b135
Instruction Fuzzy Hash: DD5156B2D10259CFDB54CFA9D881BDEBBF5AF48710F14862AD805AB280DB749841CF90

Function 062C6E90 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ad96368dd26249bd5c19eeb5a029fbb9a31459ec1a001c87592d71025f957f
Instruction ID: 4582e7e0f5f28547981f775c7bb316cac90665f7f6621db4964eb29898db018a
Opcode Fuzzy Hash: 07ad96368dd26249bd5c19eeb5a029fbb9a31459ec1a001c87592d71025f957f
Instruction Fuzzy Hash: E5513B75505F848FC726CF6EC880997BFF4BF99200B04896EE5DA87B62D274E904CB61

Function 062C59C8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab697af1abba3f1196a1485e3a435708bba8db8de706ea9ca12f2f48336ca3b8
Instruction ID: f0e9cfd1c98bd95d7431ea3dcdb8201c82af5efe3fbf36dac153ac53dbb3288a
Opcode Fuzzy Hash: ab697af1abba3f1196a1485e3a435708bba8db8de706ea9ca12f2f48336ca3b8
Instruction Fuzzy Hash: 85415E35A10606CFCB14CF59C880A6ABBF2FF88320B15CA59E959AB361D730F911CB94

Function 062C3DE0 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61af6012aeb14eda5ae2ebcbefc43841205d26982b64062388c83b65927e01d
Instruction ID: 22adb45e4eaa03b22d82c9f93a8f4dbf8f463db04c1a8225c42b21f837e6ad05
Opcode Fuzzy Hash: c61af6012aeb14eda5ae2ebcbefc43841205d26982b64062388c83b65927e01d
Instruction Fuzzy Hash: 5931C4327006108FC729A768E854AAE7BE6EFC666071489BED809CB751CE35DC47C7A1

Function 062C5579 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67fcdcdd4a9fd49406160d857468a86c91386dbcbc7f612aa87415824f69a538
Instruction ID: 0c0840ea53c20f2b3489816d0c274cd7df7df81f657b2f559fc0fc1faed691c8
Opcode Fuzzy Hash: 67fcdcdd4a9fd49406160d857468a86c91386dbcbc7f612aa87415824f69a538
Instruction Fuzzy Hash: FC315535B116019FCB05DF34D888AAEBBB2FF89310B1085A9E906DB365DB31ED05CB90

Function 062CC0AF Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 961bbdda3869df7c919c641224d81b9a70775eb77039d1f31b00a88246b84948
Instruction ID: 07f4ade5ea15047845b0d0f69656a52314f902f0859752283d4b82d540a0d890
Opcode Fuzzy Hash: 961bbdda3869df7c919c641224d81b9a70775eb77039d1f31b00a88246b84948
Instruction Fuzzy Hash: 7531E22251A3C04FD353AF3C9C61AE63FB5EE87624B080A8BD4C2C6163D76C980DC796

Function 062C84D8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346bb1b8216762419eb7a542ede7de57595aaa9de7ecf81f9025ade0806d6ea0
Instruction ID: a65d8f11514359487c45af9b878204b09901c984309b2395b12ee734b7f23d0f
Opcode Fuzzy Hash: 346bb1b8216762419eb7a542ede7de57595aaa9de7ecf81f9025ade0806d6ea0
Instruction Fuzzy Hash: 89319F31B002158BDF08ABB9A85466E36E7EBC8211750843ED50ADB380DF35DD0587E9

Function 062C5588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c8c30dac2ea1a49f6e5d810830fc51eff5a94c204de20b125298216bbf8e59
Instruction ID: 9b7f95a4ba9f474116cbde35386527333b8131872b0b11c198122cde794835b0
Opcode Fuzzy Hash: 26c8c30dac2ea1a49f6e5d810830fc51eff5a94c204de20b125298216bbf8e59
Instruction Fuzzy Hash: 8F316735B116119FCB19DF34D888AAEBFB6BF89310B1085A9E906CB355DB31ED05CB90

Function 062C87A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8620e59c52c2ee3cb20d24adf050c04947d9c99de69c20afeebc372379c86a4
Instruction ID: 21d341c6248721589d9232a9d07f1e456f7f607b5a5d471828cb9662e57bc93b
Opcode Fuzzy Hash: e8620e59c52c2ee3cb20d24adf050c04947d9c99de69c20afeebc372379c86a4
Instruction Fuzzy Hash: 8F410271D1124C9FDB54CFAAD840ADEFFF6AF88310F14812AE815A7250DB79A945CF90

Function 062C84C8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 086d754dce45d53faaa6d762f6660df53a419ad5a2adf8538850ab4d7dca0cac
Instruction ID: 038bd6559be5840fd3a02313a088a33642d2049deaeec4bb374a011716275ff3
Opcode Fuzzy Hash: 086d754dce45d53faaa6d762f6660df53a419ad5a2adf8538850ab4d7dca0cac
Instruction Fuzzy Hash: 722191317002158BDB09AB78A86467E3AE7AFC8201750443ED507DB3C4DF34DD4587A5

Function 062B105C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148818830.00000000062B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62b0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c868cd63f0b6d0a86e3a066c8ce8e8a32a0947aaebf3ca82af332e83f8b2b8b
Instruction ID: 8971771e1d9f863089b019dde16fb223fbbc7cfb41f8380148489085e43b45ee
Opcode Fuzzy Hash: 1c868cd63f0b6d0a86e3a066c8ce8e8a32a0947aaebf3ca82af332e83f8b2b8b
Instruction Fuzzy Hash: 072127307242459FCB45DB689C549AEBBF6FFC5310718956AE815CB2A2CB30CD24C7A1

Function 062C8795 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7bd349b688f8e1e9dbea6eaee2d615bae0fda71a841ed7aa98bc8a579efa74a
Instruction ID: 2704234bb4929937fed037ee48c1beee9520b8355ec452a6ce9ab301b94f9edd
Opcode Fuzzy Hash: d7bd349b688f8e1e9dbea6eaee2d615bae0fda71a841ed7aa98bc8a579efa74a
Instruction Fuzzy Hash: 123102B1D112489BDB14CFAAD944ADEBFF6AF48310F14822AD815AB290DB789945CF90

Function 062C8A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02329d5456ad42fc48c0497c1632fe1e5db8073989582d0e958a917673bfd874
Instruction ID: 745b80c6bc6f5c5b642406ae75ce0db6479e9492d2986c7fee3a13854bc734e4
Opcode Fuzzy Hash: 02329d5456ad42fc48c0497c1632fe1e5db8073989582d0e958a917673bfd874
Instruction Fuzzy Hash: 0431F4B1D11258DFDB54CFA9D894BDEBBF5AF48320F14812AE809A7240C778A945CB90

Function 00FCD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132602930.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fcd000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b64719ad126c087f72b2a4bed4c7a1fbafddc23f87106dcc4a82f01f3b8a316
Instruction ID: 2d7fa1681fa68e275ecd54cde6de5fe55e82c554d88f4e4cc3cc54fc173f238e
Opcode Fuzzy Hash: 6b64719ad126c087f72b2a4bed4c7a1fbafddc23f87106dcc4a82f01f3b8a316
Instruction Fuzzy Hash: DA2106B2500345DFDB08DF10DAC1F1ABB65FB94324F20C17DDA090B256C33AE856EAA2

Function 00FDD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132735935.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fdd000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 246dd4e432493a08e9d098c1084d20cc7fb4480abea6af0b9f1ef0b933be838c
Instruction ID: 60069c4280e9158799b674126b98954bad89927438dca7ee8a4f3014888d28b8
Opcode Fuzzy Hash: 246dd4e432493a08e9d098c1084d20cc7fb4480abea6af0b9f1ef0b933be838c
Instruction Fuzzy Hash: 9521F571504344DFDB14DF14D9C8B16BB66FBC4324F28C56AD84A4B35AC33AD847DA62

Function 062C8A8C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345c36f0774cb6e8026504b14c97cd7d7bd685d59d3a1578328c9ae445a90d8b
Instruction ID: 6a1d8ea9ca5c58230ef19b2f31d102563e934001c5159604d8673e0e3d2cb4c0
Opcode Fuzzy Hash: 345c36f0774cb6e8026504b14c97cd7d7bd685d59d3a1578328c9ae445a90d8b
Instruction Fuzzy Hash: F42113B1D102489FDB14CFA9C894BDEBBF9AF08310F14812AE409EB240D778A945CBA4

Function 00FDD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132735935.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fdd000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a6469556b13a8682f95259ee825f3d6d84767ab23690fa5df10dbd56e21686
Instruction ID: 123246980200cabd5b91443e5df30b6e9eec0a0139c99c6f0e630ed5ffd71fb3
Opcode Fuzzy Hash: 58a6469556b13a8682f95259ee825f3d6d84767ab23690fa5df10dbd56e21686
Instruction Fuzzy Hash: B72183755093808FC712CF24D594715BF72EB46314F28C5EBD8498B6A7C33A980ADB62

Function 062CBC5F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e269cef70f693dcfd7650220e0b80087e179bb14e28c89008516186a48c925b3
Instruction ID: a4e12ee759cb9118a1190c2ac02f268edad9f1a13645e98401d4655510b74c3a
Opcode Fuzzy Hash: e269cef70f693dcfd7650220e0b80087e179bb14e28c89008516186a48c925b3
Instruction Fuzzy Hash: FC1102312002058FC289A778EC51D7E37B7FECA244754892DE502CB650DEB8AD4A8793

Function 062C8C58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c95325a555a4c078dfa3908d957a1f38fbdc9457df9ac4144e2a32812581add
Instruction ID: 84ed59f37d016f20cd0166637510fd894ebd753b7a93b48a2039f3f37ae81b16
Opcode Fuzzy Hash: 0c95325a555a4c078dfa3908d957a1f38fbdc9457df9ac4144e2a32812581add
Instruction Fuzzy Hash: 4721D374E15218DFCB48DFA9E8846DDBBF1BF89310F10912AE805B3350DB785905CB54

Function 00FCD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2132602930.0000000000FCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_fcd000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction ID: bcc19aa21302df2bd4f42465265b7205a549bdc9fe05a236e4be3412823bb2aa
Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction Fuzzy Hash: D9110672804240DFCB05CF00D6C4B1ABF71FB94324F24C2ADD9090B656C33AD456DBA1

Function 062C8350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 735a4550e60dd835db4ea2e35d0547b2c19136ade82122746b1e4b9ff421bfa6
Instruction ID: 00edc1e8b4a9c29b30e169a9bd53bc65cae6551aa9044816895a9b5bb5f4ca08
Opcode Fuzzy Hash: 735a4550e60dd835db4ea2e35d0547b2c19136ade82122746b1e4b9ff421bfa6
Instruction Fuzzy Hash: E401B171B102199FDF14DAA9AC45AAFBBBAEBC4261B14803BE504D3240DB34990597A1

Function 062CC499 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b6af14bbf2d43117c6d497b88514261b5131dd085e2f420120e64f27a15b836
Instruction ID: d0514df46e774035a77320f93242011c5030ff09afd7d7c5b2eb41280267e3c0
Opcode Fuzzy Hash: 4b6af14bbf2d43117c6d497b88514261b5131dd085e2f420120e64f27a15b836
Instruction Fuzzy Hash: F211C2302047444FD3259F24E81566E3BB2EFC9321B10CA2DD14B8B641DBB4980A8B91

Function 062CBC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f525968b8a02d2c5943e53fd914cf3e43063348c302710a95f3120f4d5f702ce
Instruction ID: 449e01dcc7a3fffcc083ac118a25e49dbde33010cdf0ccd5e16ac1f4e1a7cd9a
Opcode Fuzzy Hash: f525968b8a02d2c5943e53fd914cf3e43063348c302710a95f3120f4d5f702ce
Instruction Fuzzy Hash: AB01B5312002054BC688A778ED55E2E37A7FEC8294354882CE107CB600DFF8BD5E9793

Function 062CE8B0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c56de3cb3abc329daff383d84b3e9be9cb1f876e8a54b41fe72e5c2f6c83e49
Instruction ID: f55c957cf15ff5f2cdff291b8a972a3914748026eb56385d9f5e4890ec4085a5
Opcode Fuzzy Hash: 3c56de3cb3abc329daff383d84b3e9be9cb1f876e8a54b41fe72e5c2f6c83e49
Instruction Fuzzy Hash: 7601F2346083089FCB059F74D8148693FBAEF8A210B1485EEE944CB262EA32CC01DB81

Function 062CC4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e38abc9d0dcd71495c33da9c3d4588039196f123737ddc171d6f6c7a3b07df8
Instruction ID: 8afe54a503f17fd8d1bfa440690351e09675d32475b1d823477fbc70403ebe2a
Opcode Fuzzy Hash: 9e38abc9d0dcd71495c33da9c3d4588039196f123737ddc171d6f6c7a3b07df8
Instruction Fuzzy Hash: 980180302007048BD328AF64E815A6E7BE7FFC8755B50CA2DD1478B744CFB4A90A8B91

Function 062C5508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f481fcaa4bd057abde405e775b3c16a59fb74ce61511fa205396311fe1afeb9
Instruction ID: 62f09ba92841f68ba8be807aa118561d5b87525e52cd5155ac445d25504534f7
Opcode Fuzzy Hash: 5f481fcaa4bd057abde405e775b3c16a59fb74ce61511fa205396311fe1afeb9
Instruction Fuzzy Hash: 2501F430A31703CFDBA89A35E804A27B7F7BF84265714893DE80696614DFB5F494CB80

Function 062CB358 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8cc83495e3f19c68ad324ba8ec10969f2efade8a00c324ed640a79a49248725
Instruction ID: 559d488c0ee4bd9508317731b7c60b29ca155c92ee5aedeac7fc23a26022ba58
Opcode Fuzzy Hash: e8cc83495e3f19c68ad324ba8ec10969f2efade8a00c324ed640a79a49248725
Instruction Fuzzy Hash: E601B130A05249EFCB45EFB8E84659C7FB2BF49200B5485A9E906EB221EB705E48CB11

Function 062C8F42 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93ca94cfe5158b6736abf4d7a11597f5d246dbc8dd8d4811429dc22eb4cda04
Instruction ID: 04ea3769ff214d2ebf83ea1be75fc7fce301694b0fbbc01cbdd8db3adc1d6572
Opcode Fuzzy Hash: f93ca94cfe5158b6736abf4d7a11597f5d246dbc8dd8d4811429dc22eb4cda04
Instruction Fuzzy Hash: E90122B4D6420ADFCB40DFA8D9457AEBBB0AB09300F5081AAE810B3340D7781A80DB94

Function 062CC170 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8ebe3fa4ea0fd7f11d50622c3271d9d66fde7e9f58cd757458692fcc40ae51
Instruction ID: de855036098edaa7d5ba257d70f5ac1b87bf95c6ac8551f2b6ac0d3ee997411a
Opcode Fuzzy Hash: 9c8ebe3fa4ea0fd7f11d50622c3271d9d66fde7e9f58cd757458692fcc40ae51
Instruction Fuzzy Hash: C101D631505B018FD3159F25E808165BBF7FF89310700C62FE48AC6621DB70A94ECF84

Function 062C8F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025a8ecd18d0d07452463bf2539adeaaefba8ff2e5982fa5b4360309ccc9e3a9
Instruction ID: d0eecf4693e900c85be0a0f06b7885468da346faf24f328a8cc6151f5c9612e1
Opcode Fuzzy Hash: 025a8ecd18d0d07452463bf2539adeaaefba8ff2e5982fa5b4360309ccc9e3a9
Instruction Fuzzy Hash: DE0112B4D1420AEFCB44DFA9D9446AEBFF1BB49301F5081AAE814B3350E7780A40CF90

Function 062C3EC8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a66f5698114216725afb2cce65229c8e06324acc1d150487b58bc480b10591
Instruction ID: b3c01009a27f0a9ece0fd2f5906773cd1cc6ec5ce746774bac36ab6c98ba7a6f
Opcode Fuzzy Hash: b3a66f5698114216725afb2cce65229c8e06324acc1d150487b58bc480b10591
Instruction Fuzzy Hash: D4F06D313006118BC618E769EC9196E73EBFBC9650314892DE40A9B391EF64EE4693A2

Function 062CADE9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 421212ad6708f50bbe38fefac5c4e34aa50dfe030ff2fded46562aca31e1d4de
Instruction ID: cd55d2a0b1847f4880cfb674bcfb134de30d135cd792028a0ab8681529f40a47
Opcode Fuzzy Hash: 421212ad6708f50bbe38fefac5c4e34aa50dfe030ff2fded46562aca31e1d4de
Instruction Fuzzy Hash: 2EF0E9312052515FC3602B69BC58AAABFEAFFCA755B04456EE14AC3243CA75180587A5

Function 062C67C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03146b94e023a20677572e50a6973938ec307492938ba3535f017ab9ab8b7ccf
Instruction ID: 393811a87fe75a7acb3026ebe08bf44a42bfab21c0d132a33a662aecb5f46ea9
Opcode Fuzzy Hash: 03146b94e023a20677572e50a6973938ec307492938ba3535f017ab9ab8b7ccf
Instruction Fuzzy Hash: D8F0F032B647005FCB208A28AC05F923FE4AB82B64F04836AF610CF1E2C7A1E808C340

Function 062C6EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a02a3a21496e6c01aaf7c3564d565247e55ee356517f59c228a02b4297766487
Instruction ID: a1fd04f820f7fcf5ff23bfc7844ae710ff4bd56917398e7a6f47a6b571abfa21
Opcode Fuzzy Hash: a02a3a21496e6c01aaf7c3564d565247e55ee356517f59c228a02b4297766487
Instruction Fuzzy Hash: 26F037772041E83F8B514EDA5C50DFB7FEDDA8E261B08416AFED8D2141C42DC921ABB0

Function 062CACB8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6403d9d88ea0b4745430c17adba79c9bd9c8c8ce7e794a979217a7f6c489523
Instruction ID: ddb48af98ee3b3ec62cdf365693050b32e7735031fef2548c6f2491c18b0fe39
Opcode Fuzzy Hash: f6403d9d88ea0b4745430c17adba79c9bd9c8c8ce7e794a979217a7f6c489523
Instruction Fuzzy Hash: 54F059722092A45FC3121B746C144BD3FB6E9C679134409DFD582C7252DB584A02D7D2

Function 062C8FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54937a2c3070394e29b7272ce054024211210aba9a86fa63e41fc9ab5b2bc34a
Instruction ID: 8842cc1809109e06eca2bdad357a9cc6b65f26d293dd67b745784ba3f4c293f8
Opcode Fuzzy Hash: 54937a2c3070394e29b7272ce054024211210aba9a86fa63e41fc9ab5b2bc34a
Instruction Fuzzy Hash: 8CF0A9B0C28159DFDB40CFA0C8155ADBFB0EB1A311F4082CAEC02E7361E6788A41CB40

Function 062CB368 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f682ac1a7c4d563c1573ec28bf19eb6cec4abafa1e5112e310b5d3d045cfd1d1
Instruction ID: 0c25dc0f611bba77f8f6c34aeea13badb9e364c44b042598e713294a64061dd0
Opcode Fuzzy Hash: f682ac1a7c4d563c1573ec28bf19eb6cec4abafa1e5112e310b5d3d045cfd1d1
Instruction Fuzzy Hash: 3EF03C30A01209EFCB04EFB8E94699C7BB6BF88300F5485A9D806EB311EF705E48DB51

Function 062C8340 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79e91040edb2e4c2944d313d835a505278136c4b44dbc8f43808bed120573604
Instruction ID: f3cbcff91ae2cd937e3cc00c8bf704628fb53ed6b2f9060c83f55b9c7a746b36
Opcode Fuzzy Hash: 79e91040edb2e4c2944d313d835a505278136c4b44dbc8f43808bed120573604
Instruction Fuzzy Hash: 52F0E932B2411A5BCF049A69AC449EF7FA9EF84221F08403BE904D3100EB3094049361

Function 062C54F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff35b62f086017c01bac536080014cd1a639fffab8d1cfef7bb25010f7853009
Instruction ID: 81e315af328dd053975b623fab8a8fef3507d7a03ed2f96be09c2b5c092f3904
Opcode Fuzzy Hash: ff35b62f086017c01bac536080014cd1a639fffab8d1cfef7bb25010f7853009
Instruction Fuzzy Hash: 33F05931520B42CFDBA4CE61D90076BBBF2BF80364F08CA6DD84242A65CBB4F484CB40

Function 062CADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a642a12abcf98b7eff0fd7cd0bc00633bf3128eff2f1398f07df3ecc291469
Instruction ID: 393acfa6fd39d333adcbe788909a1ca29ac433716033117f5f33a2cfa32b4dbb
Opcode Fuzzy Hash: 38a642a12abcf98b7eff0fd7cd0bc00633bf3128eff2f1398f07df3ecc291469
Instruction Fuzzy Hash: D2E092312001116BC3546E9AB849E9E7AEBEFC9795F00842CF20EC3242CBB6680547A6

Function 062CC180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a12149dd5877126d6351070a82a1f0e03d96aec11e17f82abd76b1a5f8e6334
Instruction ID: 6f7e4648357bc2180ca15d44980b46b9f20fdfe6bab7f346a34de8883a67c734
Opcode Fuzzy Hash: 7a12149dd5877126d6351070a82a1f0e03d96aec11e17f82abd76b1a5f8e6334
Instruction Fuzzy Hash: D4F06D34500B058FD715DF26E408516BBFAFB8C310700C62AE44B86A10DBB0A909CF84

Function 062CCE88 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e18ac91dc7ce0c0ff90946d918baf48ce3869109e9a3262973b85ff847ae035
Instruction ID: 4c550ab6558ae15cf6bd1ec756762ceb77f3a4058d1d6ac03e86a6759cdf5b6a
Opcode Fuzzy Hash: 9e18ac91dc7ce0c0ff90946d918baf48ce3869109e9a3262973b85ff847ae035
Instruction Fuzzy Hash: 6AF0E571A183919FE786A724FC46AC93BA09F97B30B01558DDC0ACF615E7348804CB42

Function 062CCC38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6797dccc4c52c923cbbd7b8088c6cc8ea5ce0b691d57941e70c367b8c7288b
Instruction ID: 94cb0b48049d13d30473136e1d78fa18b51b7c5130712ca9214cf86ab2ccae4d
Opcode Fuzzy Hash: fc6797dccc4c52c923cbbd7b8088c6cc8ea5ce0b691d57941e70c367b8c7288b
Instruction Fuzzy Hash: 90E09B3221D2404FDB42EB38BC405D97B51DBD5B30B109659D40ACB645F63449458B93

Function 062CAC70 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4296535e010bd605894ecb787adbfefb03c389ae99fa44e93c8f118aca25a5
Instruction ID: 55a09f2f608ba234eba4ab5e35ba425f54b9ceaa2d599df121920e600061cabc
Opcode Fuzzy Hash: 2b4296535e010bd605894ecb787adbfefb03c389ae99fa44e93c8f118aca25a5
Instruction Fuzzy Hash: 28E022312083B05BC7126778A81886EBBABEAC2691304096FEA86C3241EB64590193D2

Function 062CB500 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe150a362327da7e0d0d04c33bf538d2e85f65cbcd17462283c094cd8cb1c8f
Instruction ID: 4f5211917c3aee040559a5a8d2116e58059d7777ba3e19c778adce9aad4a5dad
Opcode Fuzzy Hash: 6fe150a362327da7e0d0d04c33bf538d2e85f65cbcd17462283c094cd8cb1c8f
Instruction Fuzzy Hash: 65F03975D0020CBFCB41DFB4D9498CDBFB9EB48340F1082AAE805E3240EA305B59CB80

Function 062CC120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17289d4a82f86c143ec06063e6786b38e6582422fd444e0b83eb5f681b13d9da
Instruction ID: 1b3d406917016cf36261824f526cfc471ebdd4f0e3d6515960eba902e8486ae8
Opcode Fuzzy Hash: 17289d4a82f86c143ec06063e6786b38e6582422fd444e0b83eb5f681b13d9da
Instruction Fuzzy Hash: 63E065312047914FC715A72DE809B9F7BEAEFC5654F04492DE246CB741CBB5A8058B92

Function 062C5698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98d5e4bdd4ffa5a7f4293399f4f1f5ec0446418dcaa606a2fc43729a1f2ec3f
Instruction ID: 75fbedc39643cdb4bc253062dbbf4e56811a2e8bdfc74c1c0ef1543f9bef994f
Opcode Fuzzy Hash: c98d5e4bdd4ffa5a7f4293399f4f1f5ec0446418dcaa606a2fc43729a1f2ec3f
Instruction Fuzzy Hash: 98E092B310C3019FD3559B20E8558977BA4EB95321B15886EE480C7141E732E842C7A9

Function 062CE1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413ce0ca5093237e4d4aedec52efb63e113c1207f190dbc330a585cb7f0ad7b0
Instruction ID: fc7a174b4e4e85aa23b749a134db388b2d921b1e5ec43ff427918c0fba1b7837
Opcode Fuzzy Hash: 413ce0ca5093237e4d4aedec52efb63e113c1207f190dbc330a585cb7f0ad7b0
Instruction Fuzzy Hash: B0E0DF71E49204EFCB01DFA4AC419AE7BB1ABCA210B2085DAE809DB251E6744F188792

Function 062CE280 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b61d7af4e33e09c4e842519eb646c57e7a4e01d2c2e28670ac14e59b1629a12
Instruction ID: 00fa0526cd968458427e6726c1470b45e3eb8f93a6cdca3255d49605c510e6db
Opcode Fuzzy Hash: 1b61d7af4e33e09c4e842519eb646c57e7a4e01d2c2e28670ac14e59b1629a12
Instruction Fuzzy Hash: A3E02232924A018FE322EB00FD06A9473E1BBC9B24B025558C8438F6A9D7B469098FC2

Function 062CAC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceab153523e612ea1c0a26b8fe74b3703f99293f81aa1ec9434ef2e0c6d1b3b8
Instruction ID: 20c12b8b37e93073c9b2bf8d997884fede97b832dd53ec5fc18b70220eb3a5bc
Opcode Fuzzy Hash: ceab153523e612ea1c0a26b8fe74b3703f99293f81aa1ec9434ef2e0c6d1b3b8
Instruction Fuzzy Hash: E5D05B313001355787052769F8188AE77AFEBC57A1300452DE607C3340DF655D0157D6

Function 062CE8F8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e526de8765d7d16ae069b0d302222b5635dc8a6a8dc1daaf9e4472ff756e269b
Instruction ID: 49f39b9c5aa224fdfd66c0c874adf3d7919c6cfad9576fcf8a7dd2c564def977
Opcode Fuzzy Hash: e526de8765d7d16ae069b0d302222b5635dc8a6a8dc1daaf9e4472ff756e269b
Instruction Fuzzy Hash: 54E0EC391242489FC7829F54D8448587FB5BF5A610795808AF9948B173D6219C21EBA1

Function 062CB510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49562eba0c37be35f81dba97b739c342055d525a314936c25779d2b507ac3d7
Instruction ID: a5431cd37025c0916ff5d7f62559c12a814ae868f9d60389960eb4ada5c2ba94
Opcode Fuzzy Hash: d49562eba0c37be35f81dba97b739c342055d525a314936c25779d2b507ac3d7
Instruction Fuzzy Hash: 6DE07E75D0020CEFCB40EFA4E9458DDBBB9EB48200F1082AAD909E3200EA706B599B80

Function 062CE210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e34b8929c9c62b8ba0b69584e484b782c833c819422a4aeb3d54a76e704a3f57
Instruction ID: 14f6b9a5e8a66d2bdb37bb6c4c03e075176255ea049eacbe504966ede2662cb4
Opcode Fuzzy Hash: e34b8929c9c62b8ba0b69584e484b782c833c819422a4aeb3d54a76e704a3f57
Instruction Fuzzy Hash: B2D01271A00208FB8B40DFA8E90195D77B9EB84214B1085E99409D7200EA715F149791

Function 062CF8EB Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154d54374ca7a560e1035354559f2daec9dfcd05abc175c7b2740a110a21b91c
Instruction ID: 1fcc73684d05b83046d370fa34a91bd58882d3072fb34d0671ee75c8bd7ffbc6
Opcode Fuzzy Hash: 154d54374ca7a560e1035354559f2daec9dfcd05abc175c7b2740a110a21b91c
Instruction Fuzzy Hash: 48C08C337400200B1284BA6C742096D76D7D7CD2EB389803FE70EC3348CEB28C5A9392

Function 062C3721 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79664251442a8dc88b0b8caf1690015223a8f017df2532db2c9b818a0c02181c
Instruction ID: 764e3d6bfea9a190949d5001a5ddc9047287b096856262843a88e60827681768
Opcode Fuzzy Hash: 79664251442a8dc88b0b8caf1690015223a8f017df2532db2c9b818a0c02181c
Instruction Fuzzy Hash: C8B092332605001BEAA05140FC0FFF27A11D791751F154022FA02A9985DA92A11890BA

Function 062CDFD1 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec256da9121856f498efafa5059184491250cd21f1fe9fa6f6502fbfc121d695
Instruction ID: 30296cc188c1ddf8b0794e30d48ca169b9538313b2e4512b4eedf44067db0ed5
Opcode Fuzzy Hash: ec256da9121856f498efafa5059184491250cd21f1fe9fa6f6502fbfc121d695
Instruction Fuzzy Hash: E4C09B7196E7D05EEB421774890D9043E126F4B63471545CED655CF0B3C5614409C751

Non-executed Functions

Function 062CE2C7 Relevance: 46.6, Strings: 37, Instructions: 389COMMON

Download Yara Rule

Strings

Di, xrefs: 062CE3C2
Di, xrefs: 062CE32E
Di, xrefs: 062CE593
Di, xrefs: 062CE6D0
Di, xrefs: 062CE47B
Di, xrefs: 062CE844
Di, xrefs: 062CE608
Di, xrefs: 062CE353
Di, xrefs: 062CE720
Di, xrefs: 062CE5BB
Di, xrefs: 062CE798
Di, xrefs: 062CE40C
Di, xrefs: 062CE309
Di, xrefs: 062CE2E4
Di, xrefs: 062CE543
Di, xrefs: 062CE7EE
Di, xrefs: 062CE3E7
Di, xrefs: 062CE658
Di, xrefs: 062CE680
Di, xrefs: 062CE378
Di, xrefs: 062CE86F
Di, xrefs: 062CE4F3
Di, xrefs: 062CE431
Di, xrefs: 062CE819
Di, xrefs: 062CE6A8
Di, xrefs: 062CE4A3
Di, xrefs: 062CE6F8
Di, xrefs: 062CE456
Di, xrefs: 062CE5E3
Di, xrefs: 062CE770
Di, xrefs: 062CE51B
Di, xrefs: 062CE748
Di, xrefs: 062CE56B
Di, xrefs: 062CE39D
Di, xrefs: 062CE4CB
Di, xrefs: 062CE7C3
Di, xrefs: 062CE630

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-221844820
Opcode ID: c3bc44a562a14ec1f197767c3a5ae957610d968f629882640eeb179943ed5c2c
Instruction ID: 3ebf6f73b82b7080eeebc9825280a7782b0fe337fd62870efb87add0b38db003
Opcode Fuzzy Hash: c3bc44a562a14ec1f197767c3a5ae957610d968f629882640eeb179943ed5c2c
Instruction Fuzzy Hash: EFD1D131340B02ABD20AABA4AD53E7CB25BBFC9700B50882C91060F7E8DF756D1653C7

Function 062CE2D8 Relevance: 46.6, Strings: 37, Instructions: 383COMMON

Download Yara Rule

Strings

Di, xrefs: 062CE3C2
Di, xrefs: 062CE32E
Di, xrefs: 062CE593
Di, xrefs: 062CE6D0
Di, xrefs: 062CE47B
Di, xrefs: 062CE844
Di, xrefs: 062CE608
Di, xrefs: 062CE353
Di, xrefs: 062CE720
Di, xrefs: 062CE5BB
Di, xrefs: 062CE798
Di, xrefs: 062CE40C
Di, xrefs: 062CE309
Di, xrefs: 062CE2E4
Di, xrefs: 062CE543
Di, xrefs: 062CE7EE
Di, xrefs: 062CE3E7
Di, xrefs: 062CE658
Di, xrefs: 062CE680
Di, xrefs: 062CE378
Di, xrefs: 062CE86F
Di, xrefs: 062CE4F3
Di, xrefs: 062CE431
Di, xrefs: 062CE819
Di, xrefs: 062CE6A8
Di, xrefs: 062CE4A3
Di, xrefs: 062CE6F8
Di, xrefs: 062CE456
Di, xrefs: 062CE5E3
Di, xrefs: 062CE770
Di, xrefs: 062CE51B
Di, xrefs: 062CE748
Di, xrefs: 062CE56B
Di, xrefs: 062CE39D
Di, xrefs: 062CE4CB
Di, xrefs: 062CE7C3
Di, xrefs: 062CE630

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-221844820
Opcode ID: 20851809ad440f22d2093e6e9c36ed005b67b30915de9b62388d5b72efb6bdcc
Instruction ID: 550ee3671ffd7053506307a0403e60084df41f35d97cdb5efde806eb675b6d31
Opcode Fuzzy Hash: 20851809ad440f22d2093e6e9c36ed005b67b30915de9b62388d5b72efb6bdcc
Instruction Fuzzy Hash: E4D1BF31340B02ABD20AABA4AD53E7DB267BBC9700B50882C91160F7E8DF756D1653D7

Function 062CCC7F Relevance: 16.4, Strings: 13, Instructions: 153COMMON

Download Yara Rule

Strings

Di, xrefs: 062CCD9F
Di, xrefs: 062CCD0B
Di, xrefs: 062CCCE6
Di, xrefs: 062CCCC1
Di, xrefs: 062CCD30
Di, xrefs: 062CCE58
Di, xrefs: 062CCDC4
Di, xrefs: 062CCDE9
Di, xrefs: 062CCD7A
Di, xrefs: 062CCE33
Di, xrefs: 062CCE0E
Di, xrefs: 062CCC9C
Di, xrefs: 062CCD55

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-2743657870
Opcode ID: 1f361d0d4d2bc27c6f54b9beebe4348b0f4162c284df2750c2711d34dd0b9926
Instruction ID: 6aa52d073c9173d381b94d2e7cec499bfc8a4d0455058be7552f9692d09f83f9
Opcode Fuzzy Hash: 1f361d0d4d2bc27c6f54b9beebe4348b0f4162c284df2750c2711d34dd0b9926
Instruction Fuzzy Hash: 1241D631340B02ABE205AFA4AD42F3D766ABBC5700B50893C920A4F6D9DF796D1647D7

Function 062CCC90 Relevance: 16.4, Strings: 13, Instructions: 143COMMON

Download Yara Rule

Strings

Di, xrefs: 062CCD9F
Di, xrefs: 062CCD0B
Di, xrefs: 062CCCE6
Di, xrefs: 062CCCC1
Di, xrefs: 062CCD30
Di, xrefs: 062CCE58
Di, xrefs: 062CCDC4
Di, xrefs: 062CCDE9
Di, xrefs: 062CCD7A
Di, xrefs: 062CCE33
Di, xrefs: 062CCE0E
Di, xrefs: 062CCC9C
Di, xrefs: 062CCD55

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-2743657870
Opcode ID: e67503f1ce8eb6d24efacfcfca1f3ed637ac25e45ff95c7d96b9f9fd5ad13e53
Instruction ID: 0a73209db7f597b9178d5b0ace2e5d619c7a1d90542d06e13b3f5296ac7a639e
Opcode Fuzzy Hash: e67503f1ce8eb6d24efacfcfca1f3ed637ac25e45ff95c7d96b9f9fd5ad13e53
Instruction Fuzzy Hash: AC41B431340B02ABE205BFA4AD43F3D766ABBC5700B50883C920A4F699CF7A6D1643D7

Function 062CCED1 Relevance: 10.1, Strings: 8, Instructions: 104COMMON

Download Yara Rule

Strings

Di, xrefs: 062CCEEC
Di, xrefs: 062CCF36
Di, xrefs: 062CCFEF
Di, xrefs: 062CCFCA
Di, xrefs: 062CCF5B
Di, xrefs: 062CCF80
Di, xrefs: 062CCFA5
Di, xrefs: 062CCF11

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-427482554
Opcode ID: f8df4929f3ec10df332d6d1f3eb54c73eb85c30127e216bb07d6289fef38ea86
Instruction ID: f41f1a85e9468254bdde190cb6e1b504ce7668609a3b4f68d7b21c17aa410ea4
Opcode Fuzzy Hash: f8df4929f3ec10df332d6d1f3eb54c73eb85c30127e216bb07d6289fef38ea86
Instruction Fuzzy Hash: 4531E631340702ABE705AFA8AD43E3D766ABBC5700B50893CA20A4F6D9CF756D1543D7

Function 062CCEE0 Relevance: 10.1, Strings: 8, Instructions: 93COMMON

Download Yara Rule

Strings

Di, xrefs: 062CCEEC
Di, xrefs: 062CCF36
Di, xrefs: 062CCFEF
Di, xrefs: 062CCFCA
Di, xrefs: 062CCF5B
Di, xrefs: 062CCF80
Di, xrefs: 062CCFA5
Di, xrefs: 062CCF11

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di$Di
API String ID: 0-427482554
Opcode ID: d40bda3bfec2682684254525b1f41ecda27b32b0be5c65b33bbe6c2b5f3a9285
Instruction ID: 3e3e733f98644ec7e292273f9511d816d11fc11c1f75df3607285190151aa277
Opcode Fuzzy Hash: d40bda3bfec2682684254525b1f41ecda27b32b0be5c65b33bbe6c2b5f3a9285
Instruction Fuzzy Hash: 16218631340B02ABE605AFA4AD42F3DB65ABBC5704B90893CA20A4F6D9CF756D1543D7

Function 062CC968 Relevance: 8.8, Strings: 7, Instructions: 90COMMON

Download Yara Rule

Strings

Di, xrefs: 062CC9D6
Di, xrefs: 062CC984
Di, xrefs: 062CCA28
Di, xrefs: 062CC9FF
Di, xrefs: 062CC9AD
Di, xrefs: 062CCA7A
Di, xrefs: 062CCA51

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di
API String ID: 0-1084884928
Opcode ID: e85922b6818ff642536d73ce6619225da70700e0a90c16dda254190574ae2bbd
Instruction ID: 15381edea2deb816557bc278ed869ad6720b521dc0b950a69efa2a795589908e
Opcode Fuzzy Hash: e85922b6818ff642536d73ce6619225da70700e0a90c16dda254190574ae2bbd
Instruction Fuzzy Hash: 5E31D1313457826BEB062BA4AC42D7D7B26BBD6744700852CE1068F6A6CF745E5B8B82

Function 062CC978 Relevance: 8.8, Strings: 7, Instructions: 83COMMON

Download Yara Rule

Strings

Di, xrefs: 062CC9D6
Di, xrefs: 062CC984
Di, xrefs: 062CCA28
Di, xrefs: 062CC9FF
Di, xrefs: 062CC9AD
Di, xrefs: 062CCA7A
Di, xrefs: 062CCA51

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di$Di
API String ID: 0-1084884928
Opcode ID: 50980fd8fee517e84ac9eeb90b6a71d432670c4d944f59c71f3709d958b13eb7
Instruction ID: fe9ba796b74a7723d978a017919be22d89a0b0aaaa2e4d2db7c91958916592dd
Opcode Fuzzy Hash: 50980fd8fee517e84ac9eeb90b6a71d432670c4d944f59c71f3709d958b13eb7
Instruction Fuzzy Hash: 0721A031340642ABEB062BA4EC42D7E7B6ABBD5740710842CE1068F7A5CF745E5B8B87

Function 062CD538 Relevance: 7.6, Strings: 6, Instructions: 83COMMON

Download Yara Rule

Strings

Di, xrefs: 062CD5E8
Di, xrefs: 062CD554
Di, xrefs: 062CD5C3
Di, xrefs: 062CD60D
Di, xrefs: 062CD59E
Di, xrefs: 062CD579

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di
API String ID: 0-100505788
Opcode ID: a8533633ab53e8642ccd4cc93081758f83a5a66283b74e68740c421bcb9761cb
Instruction ID: b2ff41148dd466564b918660888386eae56c5d53dfdbf7d2dfff5c8c3dbcf287
Opcode Fuzzy Hash: a8533633ab53e8642ccd4cc93081758f83a5a66283b74e68740c421bcb9761cb
Instruction Fuzzy Hash: 8521D6313447026BE3066BA8AD42E3D775AFFD5608B50893CD1064F699CF766D1683D3

Function 062CD548 Relevance: 7.6, Strings: 6, Instructions: 73COMMON

Download Yara Rule

Strings

Di, xrefs: 062CD5E8
Di, xrefs: 062CD554
Di, xrefs: 062CD5C3
Di, xrefs: 062CD60D
Di, xrefs: 062CD59E
Di, xrefs: 062CD579

Memory Dump Source

Source File: 00000014.00000002.2148883471.00000000062C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 062C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_20_2_62c0000_ER1CZAgbcY.jbxd

Similarity

API ID:
String ID: Di$Di$Di$Di$Di$Di
API String ID: 0-100505788
Opcode ID: 41572cf642b8c25faf2bc4856e75c63c3aed9db6edc833ccc60225ee31386614
Instruction ID: cab12f35ac6d8cc59811b17cb16e51741d6f693362db1aa4c8931d34c3d84d66
Opcode Fuzzy Hash: 41572cf642b8c25faf2bc4856e75c63c3aed9db6edc833ccc60225ee31386614
Instruction Fuzzy Hash: B111C331340B02ABE205AFA9AD42E3DB65BBBC5B04B50893CA1064F698CF766D1543D3

Analysis Process: Nework.exePID: 5960, Parent PID: 3528COMMON

Executed Functions

Function 00CEAC50 Relevance: 29.2, APIs: 14, Strings: 2, Instructions: 1214
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

VUUU, xrefs: 00CEADF2
@3P, xrefs: 00CEB791

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID:
String ID: @3P$VUUU
API String ID: 0-3039269687
Opcode ID: 74005e81eb9f6d48d96652ab78dd532792cd6c96d9c7dacadbfc82dbbdaceefd
Instruction ID: 7b27b7d8db1b6048c4681c75ea3b396da3fe97e0932940703a5dbb0abbb1dfdb
Opcode Fuzzy Hash: 74005e81eb9f6d48d96652ab78dd532792cd6c96d9c7dacadbfc82dbbdaceefd
Instruction Fuzzy Hash: 92A2C271A002589FDB18CF25CC89BEEBBB5EF45304F508198F509A7291DB35AE85CFA1

Function 00CE7C40 Relevance: 7.9, APIs: 5, Instructions: 388
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(0000011C,B9106E22), ref: 00CE7CBA
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE7D1B
GetProcAddress.KERNEL32(00000000), ref: 00CE7D22
GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE7DE3
GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE7DE7

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: InfoSystem$AddressHandleModuleNativeProcVersion
String ID:
API String ID: 374719553-0
Opcode ID: b17eb079217d10d1130ad72614ddaae3d5e5e9fa798e166994f12a824a0a6287
Instruction ID: 8bc7c906d4ec9fe7dfd1138f2c658d7c4c1c9cde64493ff7e3aed6f0747e2019
Opcode Fuzzy Hash: b17eb079217d10d1130ad72614ddaae3d5e5e9fa798e166994f12a824a0a6287
Instruction Fuzzy Hash: C2D11C71E00248ABDF14BF29DC5B7AD7B71AB42714F904288E419A73C2DB354F459BE2

Function 00D1638B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00D1638A,?,?,?,?,?,00D173DE), ref: 00D163AD
TerminateProcess.KERNEL32(00000000,?,00D1638A,?,?,?,?,?,00D173DE), ref: 00D163B4
ExitProcess.KERNEL32 ref: 00D163C6

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2fc8e8e7e140d76a899bcd52c71275727ed84655f98262b49e58347dc72b0259
Instruction ID: 20b9fb0af162425192fa263d56e653b8313b31c562789c5fdc8ff4c5231371c3
Opcode Fuzzy Hash: 2fc8e8e7e140d76a899bcd52c71275727ed84655f98262b49e58347dc72b0259
Instruction Fuzzy Hash: 06E0B631000748BBCB116F54ED1D9993F69EB44742B084414F815C6631CF75DDD2DBB1

Function 00CE5B20 Relevance: 23.2, APIs: 8, Strings: 5, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000419, xrefs: 00CE5FA8
0000043f, xrefs: 00CE603B
00000422, xrefs: 00CE5FD9
Keyboard Layout\Preload, xrefs: 00CE5F64
00000423, xrefs: 00CE600A

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 8b926ea8bc6342429cb02be4d81398d5a1b41c760051ca2e99636c8382da5ffb
Instruction ID: 0e44176504ef41af4049f81351c28a6e91a0b80564c4078358c28afbec8357ba
Opcode Fuzzy Hash: 8b926ea8bc6342429cb02be4d81398d5a1b41c760051ca2e99636c8382da5ffb
Instruction Fuzzy Hash: C7F1CF7190025C9FEB24DF54CD85BEEBBB9EB44304F5042A8F519A72C1DB749A88CFA1

Function 00D218AC Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D21565: CreateFileW.KERNELBASE(00000000,00000000,?,00D21955,?,?,00000000,?,00D21955,00000000,0000000C), ref: 00D21582

GetLastError.KERNEL32 ref: 00D219C0
__dosmaperr.LIBCMT ref: 00D219C7
GetFileType.KERNELBASE(00000000), ref: 00D219D3
GetLastError.KERNEL32 ref: 00D219DD
__dosmaperr.LIBCMT ref: 00D219E6
CloseHandle.KERNEL32(00000000), ref: 00D21A06
CloseHandle.KERNEL32(00D1AA82), ref: 00D21B53
GetLastError.KERNEL32 ref: 00D21B85
__dosmaperr.LIBCMT ref: 00D21B8C

Strings

H, xrefs: 00D21B11

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 330ce7f7156342509c2eb7f80ca2a987e945c71a8162d3681b76dc7885a6407b
Instruction ID: 0230725ae27f3aba57696286e1e993a1fc5ea7a33daa3e6f9b36682645fb45fe
Opcode Fuzzy Hash: 330ce7f7156342509c2eb7f80ca2a987e945c71a8162d3681b76dc7885a6407b
Instruction Fuzzy Hash: EDA14736A142549FCF199F68EC527AD3BB1EB27324F184149E812EB3A1DB358842CB71

Function 00CED5EC Relevance: 13.9, APIs: 9, Instructions: 446
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CED763
CreateDirectoryA.KERNELBASE(00000000,00000000), ref: 00CED87F
send.WS2_32(?,?,00000004,00000000), ref: 00CEDA7E
send.WS2_32(?,?,00000008,00000000), ref: 00CEDABA

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: send$CreateDirectoryFileModuleName
String ID:
API String ID: 2319890793-0
Opcode ID: f83f85029dfc3588b456a7e3a207217243aaae34f74498693728623d8a576f07
Instruction ID: 08068ba9778fd694d0802cea68419e5605f36652c3dbfa25d5c3a94c7c0bc315
Opcode Fuzzy Hash: f83f85029dfc3588b456a7e3a207217243aaae34f74498693728623d8a576f07
Instruction Fuzzy Hash: 54F10671E042589BDB24DB28CC497EDB775AF45310F1042D8E81EA72C2DB71AF84DBA2

Function 00CE74A0 Relevance: 12.9, APIs: 6, Strings: 1, Instructions: 625
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000064,B9106E22,?,00000000,00D28EE8,000000FF), ref: 00CE74DC
__Init_thread_footer.LIBCMT ref: 00CE7569

Part of subcall function 00CFCF27: RtlEnterCriticalSection.NTDLL(00D45720), ref: 00CFCF31
Part of subcall function 00CFCF27: RtlLeaveCriticalSection.NTDLL(00D45720), ref: 00CFCF64
Part of subcall function 00CFCF27: RtlWakeAllConditionVariable.NTDLL ref: 00CFCFDB

CreateThread.KERNEL32(00000000,00000000,00CE7340,00D48608,00000000,00000000), ref: 00CE75CE
Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CE75D9

Part of subcall function 00CFCF71: RtlEnterCriticalSection.NTDLL(00D45720), ref: 00CFCF7C
Part of subcall function 00CFCF71: RtlLeaveCriticalSection.NTDLL(00D45720), ref: 00CFCFB9

Sleep.KERNEL32(000003E8), ref: 00CE7989

Strings

runas, xrefs: 00CE7213

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: CriticalSection$Sleep$EnterLeave$ConditionCreateInit_thread_footerThreadVariableWake
String ID: runas
API String ID: 3366146113-4000483414
Opcode ID: 5c728a6f3b775efad818b242a7061fa5b889dc59f0cdacede9ed20ba54c1d2f4
Instruction ID: 34fe4fdc36f6cc28b37f80c646e1fe8edfc60c284ddde2253728493888e250f0
Opcode Fuzzy Hash: 5c728a6f3b775efad818b242a7061fa5b889dc59f0cdacede9ed20ba54c1d2f4
Instruction Fuzzy Hash: 26225971A04288AFDB08EF28DD86BAD7B66EF41314F50835CF4159B3C2DB359A45C7A2

Function 00CED91C Relevance: 6.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cfbd85a95f6ff52457c9656cc38459cb3a201420d058915cc8910d719e2523a
Instruction ID: 19ba4681f388d93e745416c67a201c13149396d02661f93d102e1b3e54e6e213
Opcode Fuzzy Hash: 1cfbd85a95f6ff52457c9656cc38459cb3a201420d058915cc8910d719e2523a
Instruction Fuzzy Hash: AC412872E001185FCB18CB79DC857AEB7B5EF45324F100669E92AE33D1EA30AE409B94

Function 00CEC206 Relevance: 3.5, APIs: 2, Instructions: 532
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CF7860: __Cnd_destroy_in_situ.LIBCPMT ref: 00CF7958
Part of subcall function 00CF7860: __Mtx_destroy_in_situ.LIBCPMT ref: 00CF7961

Sleep.KERNEL32(000003E8), ref: 00CEC659

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
String ID:
API String ID: 113500496-0
Opcode ID: e877127212f1644c0e3db9022eaa7c3458bda33aa382dde1410b03aede1e37a2
Instruction ID: b385bf96b495f5e1ea6aa4a082898f3250a398a2865237edfac64ca2e4948389
Opcode Fuzzy Hash: e877127212f1644c0e3db9022eaa7c3458bda33aa382dde1410b03aede1e37a2
Instruction Fuzzy Hash: 6112F271A002489FDF04DF69D9C5BEDBBB6EF48304F544218F815A7282DB35EA85CBA1

Function 00CF6B90 Relevance: 3.0, APIs: 2, Instructions: 23
sleepthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CEA830: Sleep.KERNELBASE(00000064), ref: 00CEA7D3
Part of subcall function 00CEA830: CreateMutexA.KERNELBASE(00000000,00000000,00D43224), ref: 00CEA7F1
Part of subcall function 00CEA830: GetLastError.KERNEL32 ref: 00CEA7F9
Part of subcall function 00CEA830: GetLastError.KERNEL32 ref: 00CEA80A

Part of subcall function 00CE5B20: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,80000001,0000043f,00000008,00000423,00000008,00000422,00000008,00000419,00000008), ref: 00CE608D

CreateThread.KERNEL32(00000000,00000000,00CF6AD0,00000000,00000000,00000000), ref: 00CF6B70
Sleep.KERNEL32(00007530), ref: 00CF6B85

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: CreateErrorLastSleep$MutexOpenThread
String ID:
API String ID: 2377761554-0
Opcode ID: 8a07d7b1c341ced75fec4657761a715ed50068bfe459fbdb60c4bdfa3a7968a1
Instruction ID: 21a40fbb6a1e3f2e402a7e3555f456deb0e26c8239317f002129f53ff36a3185
Opcode Fuzzy Hash: 8a07d7b1c341ced75fec4657761a715ed50068bfe459fbdb60c4bdfa3a7968a1
Instruction Fuzzy Hash: 19E0C234A95308A7E26033F25C17F2979246F09B11F240150F35A6A2D29EE0300071BF

Function 00CECFA9 Relevance: 1.9, APIs: 1, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00CECFB7

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 9ea2e1bfe9ed43e508113e5e2be9c4a354c5558fd65271a3eac0faab33fc11f1
Instruction ID: 08f895fca7aa19119d329df9ad5c4bbe58b0908dcf4a598ffa9cb816a06b41f0
Opcode Fuzzy Hash: 9ea2e1bfe9ed43e508113e5e2be9c4a354c5558fd65271a3eac0faab33fc11f1
Instruction Fuzzy Hash: 21E11971A002989FEB19DB28CD457EDBB71AF45304F5442CCE4096B3C2DB769F858B92

Function 00CED520 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12fbbd2d64c0c5620942786fc763e54ec91960981cf7f2c22995b075a879f23b
Instruction ID: 3be12ef03c37ec27ca3e5a79196cbb938abb642fd6dae412a554787ec0873397
Opcode Fuzzy Hash: 12fbbd2d64c0c5620942786fc763e54ec91960981cf7f2c22995b075a879f23b
Instruction Fuzzy Hash: 4D51BC709042A89FEF25DB24CD89BEEBBB5AB05304F5041D8E44967282DB755FC8CF91

Function 00CEC740 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9833198f7dd574f671a504d199072bbf945b0ae195508cac6c28e49e2163e4db
Instruction ID: 20651456781440c92e109dec4fc681a4b36b6b584382e16a2268dfd3c1fbbb7c
Opcode Fuzzy Hash: 9833198f7dd574f671a504d199072bbf945b0ae195508cac6c28e49e2163e4db
Instruction Fuzzy Hash: D9318C31A1024CAFDB04CF68C985BEEBBB6FF48704F504619F815A7281D775AA84CB91

Function 00D1AA43 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00D1AA7D

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 4176dfe89a86bfee4dbfeb00c51115317c46dea543699ea0d9c9ba181586d75d
Instruction ID: a58c5d84769049b7631090a9a7f5b36649275a7e6dba7ff6ed5907cf14cc5dd1
Opcode Fuzzy Hash: 4176dfe89a86bfee4dbfeb00c51115317c46dea543699ea0d9c9ba181586d75d
Instruction Fuzzy Hash: AB111575A0420AAFCB05DF58E9419DA7BF4EF48304F054069F809EB251DA30EE15CB65

Function 00CEB010 Relevance: 1.6, APIs: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00CEB05D

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: ae6713afbecebff2567fdb0b82a54ce0574195aea7c5291c59b27dd03895b0b0
Instruction ID: 310f153c62f03e1ac1bb656ddd2d23ab38d891d6eda393346bcfec1723211667
Opcode Fuzzy Hash: ae6713afbecebff2567fdb0b82a54ce0574195aea7c5291c59b27dd03895b0b0
Instruction Fuzzy Hash: D6212CB191016C9FDB2ACF14CD65BEAB7B8FB19704F0042D9A506A3281D7745B88CFA1

Function 00D2181E Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00D21881

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ff89ec45d56ad598fc1cdac097a9ffa15eccbe9b6325dd4b30191e09ed1fe268
Instruction ID: 2bc9dc4514798ef401a2c9d22659c8b766e836fce5cea0df57eb22d6274bb945
Opcode Fuzzy Hash: ff89ec45d56ad598fc1cdac097a9ffa15eccbe9b6325dd4b30191e09ed1fe268
Instruction Fuzzy Hash: 61014F72C0016DBFCF02AFA89C019EEBFB5EF18314F144165F914E2191E631CA65DBA1

Function 00D21565 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00D21955,?,?,00000000,?,00D21955,00000000,0000000C), ref: 00D21582

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 97f315829bea903843e589d70dda008afad94a6698fec31be34ce1fb0d492f6b
Instruction ID: 555fbea6ff945974d158e5c5b6190f91d469993a3c77e2cd474471eb84a2fea3
Opcode Fuzzy Hash: 97f315829bea903843e589d70dda008afad94a6698fec31be34ce1fb0d492f6b
Instruction Fuzzy Hash: 52D06C3201020DBBDF028F84DC06EDE3FAAFB48714F014110BE1896120C732E861AB94

Function 00CE8622 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00CE8629

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6054f378f8fb90dc2b8ae70ab9d19c78a6385af516d0024070d3cc90d12acbb7
Instruction ID: 82b1a0124008ea9634a784c183a753b6d38ee37a39c67ca5ccd8ed56d0e76f71
Opcode Fuzzy Hash: 6054f378f8fb90dc2b8ae70ab9d19c78a6385af516d0024070d3cc90d12acbb7
Instruction Fuzzy Hash: 11C08C300016800AEE1C0A396A98098330A99833E97D41BC8F1B99A1F1CB39580FD610

Function 00CE8620 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00CE8629

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 113b9a5af99cd3966dacd0c911ffe541fdd952730bf1ef8da0e1dce686858131
Instruction ID: 60bb4ba4fb5cb9517e8752d47c79834ae876f8f62ad57a31983997b230508ebc
Opcode Fuzzy Hash: 113b9a5af99cd3966dacd0c911ffe541fdd952730bf1ef8da0e1dce686858131
Instruction Fuzzy Hash: 2BC080300012404BD61C4B396A58054371599423593E00B8CF175961F1CB36C50BC710

Non-executed Functions

Function 00CFC5C8 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00CFC5CE
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00CFC5DC
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00CFC5ED
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00CFC5FE
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00CFC60F
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00CFC620
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00CFC631
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00CFC642
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 00CFC653
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00CFC664
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00CFC675
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00CFC686
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00CFC697
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00CFC6A8
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00CFC6B9
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00CFC6CA
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00CFC6DB
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00CFC6EC
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00CFC6FD
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00CFC70E
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00CFC71F
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00CFC730
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00CFC741
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 00CFC752
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 00CFC763
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00CFC774
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00CFC785
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 00CFC796
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00CFC7A7
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00CFC7B8
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00CFC7C9
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00CFC7DA
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00CFC7EB
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00CFC7FC
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00CFC80D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00CFC81E
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00CFC82F
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00CFC840
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00CFC851
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00CFC862
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00CFC873

Strings

InitOnceExecuteOnce, xrefs: 00CFC626
WaitForThreadpoolTimerCallbacks, xrefs: 00CFC68C
SubmitThreadpoolWork, xrefs: 00CFC824
SetFileInformationByHandle, xrefs: 00CFC758
CreateSemaphoreW, xrefs: 00CFC648
FlsFree, xrefs: 00CFC5E2
GetTickCount64, xrefs: 00CFC736
CreateThreadpoolWork, xrefs: 00CFC813
GetLocaleInfoEx, xrefs: 00CFC857
FlsAlloc, xrefs: 00CFC5D6
FlsGetValue, xrefs: 00CFC5F3
GetCurrentPackageId, xrefs: 00CFC725
SleepConditionVariableCS, xrefs: 00CFC7AD
FreeLibraryWhenCallbackReturns, xrefs: 00CFC6F2
WakeAllConditionVariable, xrefs: 00CFC79C
GetSystemTimePreciseAsFileTime, xrefs: 00CFC769
InitializeSRWLock, xrefs: 00CFC7BE
CreateSymbolicLinkW, xrefs: 00CFC719
CompareStringEx, xrefs: 00CFC846
FlsSetValue, xrefs: 00CFC604
TryAcquireSRWLockExclusive, xrefs: 00CFC7E0
AcquireSRWLockExclusive, xrefs: 00CFC7CF
GetFileInformationByHandleEx, xrefs: 00CFC747
GetCurrentProcessorNumber, xrefs: 00CFC703
InitializeConditionVariable, xrefs: 00CFC77A
CreateSemaphoreExW, xrefs: 00CFC659
FlushProcessWriteBuffers, xrefs: 00CFC6E1
WakeConditionVariable, xrefs: 00CFC78B
SetThreadpoolTimer, xrefs: 00CFC67B
CreateThreadpoolWait, xrefs: 00CFC6AE
LCMapStringEx, xrefs: 00CFC868
CloseThreadpoolWait, xrefs: 00CFC6D0
CreateEventExW, xrefs: 00CFC637
CloseThreadpoolWork, xrefs: 00CFC835
InitializeCriticalSectionEx, xrefs: 00CFC615
CloseThreadpoolTimer, xrefs: 00CFC69D
ReleaseSRWLockExclusive, xrefs: 00CFC7F1
SetThreadpoolWait, xrefs: 00CFC6BF
CreateThreadpoolTimer, xrefs: 00CFC66A
kernel32.dll, xrefs: 00CFC5C9
SleepConditionVariableSRW, xrefs: 00CFC802

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: fa28ba9095bd7d8f34877585aa1ff28ba25066c84493ecc5cc13de31c6ad7128
Instruction ID: 9a047bcb96a72031cff61f5ecab1533ce158dac181b74d493b57608af886f75d
Opcode Fuzzy Hash: fa28ba9095bd7d8f34877585aa1ff28ba25066c84493ecc5cc13de31c6ad7128
Instruction Fuzzy Hash: D461457EA92722EFC7156FB4BC1EE8A3EBCEA0A7827418556B101D2766D7B44004CF74

Function 00D22307 Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D22389
_free.LIBCMT ref: 00D223AD
_free.LIBCMT ref: 00D2253A
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00D36758), ref: 00D2254C
_free.LIBCMT ref: 00D22706

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: 232b9d0171fe0adcbba5f8d2b1ba24db560c69a96aa55c44d5bdd5582c058b16
Instruction ID: 5bf7c4544a0846cd1315d8fbd47f01aba0ee62176c9a0446729f56a178a3e966
Opcode Fuzzy Hash: 232b9d0171fe0adcbba5f8d2b1ba24db560c69a96aa55c44d5bdd5582c058b16
Instruction Fuzzy Hash: 0BC13776A04225BFCB14AF28EC41ABA7BB8EF76318F184159F481D7241EB31DE428770

Function 00CE2400 Relevance: .0, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: ExceptionRaise__alloca_probe_16
String ID:
API String ID: 1905912502-0
Opcode ID: 07b66114ef42d1e1ffe3235e6d3540dc1987b3f0e42a4529d679834fcecbb1a6
Instruction ID: de0b01ec15a3ee8db6e56d8841ca21a81ed3089631c6425c5d3708a96323387a
Opcode Fuzzy Hash: 07b66114ef42d1e1ffe3235e6d3540dc1987b3f0e42a4529d679834fcecbb1a6
Instruction Fuzzy Hash: DBD05E7550464CFBC711CF94CD41F9ABBECEB09B20F604A26F521D3780DB38AA049A60

Function 00D1252E Relevance: 22.7, APIs: 15, Instructions: 231COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00D12540

Part of subcall function 00D1233E: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00D12361

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00D12561
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00D1256E
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00D125BC
Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 00D12643
Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00D12656
Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00D126A3

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
String ID:
API String ID: 2530155754-0
Opcode ID: 1386adf3c8164a9b9faf08f9c68565c72216a8e6b0d9a10b3f8b9a9dd158caa5
Instruction ID: 2ee10ebff80d2f37b071ed9c580a0eb50e1c46e81cc6bfe4fbb5982da26f1318
Opcode Fuzzy Hash: 1386adf3c8164a9b9faf08f9c68565c72216a8e6b0d9a10b3f8b9a9dd158caa5
Instruction Fuzzy Hash: 6F816A34904249BBDF169F94E991BFE7B72AF55304F080098EC416B292CB329DB6DB71

Function 00D0433E Relevance: 21.2, APIs: 14, Instructions: 189timeregistryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ListArray.LIBCONCRT ref: 00D04398

Part of subcall function 00D04179: RtlInitializeSListHead.NTDLL(?), ref: 00D04245
Part of subcall function 00D04179: RtlInitializeSListHead.NTDLL(?), ref: 00D0424F

ListArray.LIBCONCRT ref: 00D043CC
Hash.LIBCMT ref: 00D04435
Hash.LIBCMT ref: 00D04445
RtlInitializeSListHead.NTDLL(?), ref: 00D044DA
RtlInitializeSListHead.NTDLL(?), ref: 00D044E7
RtlInitializeSListHead.NTDLL(?), ref: 00D044F4
RtlInitializeSListHead.NTDLL(?), ref: 00D04501

Part of subcall function 00D09AA1: std::bad_exception::bad_exception.LIBCMT ref: 00D09AC3

RegisterWaitForSingleObject.KERNEL32(?,00000000,00D07875,?,000000FF,00000000), ref: 00D04589
Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00D045AB
GetLastError.KERNEL32(00D052EB,?,?,00000000,?,?), ref: 00D045BD
Concurrency::details::platform::__CreateTimerQueueTimer.LIBCMT ref: 00D045DA

Part of subcall function 00CFFA0A: CreateTimerQueueTimer.KERNEL32(?,?,00000000,?,?,00D052EB,00000008,?,00D045DF,?,00000000,00D07866,?,7FFFFFFF,7FFFFFFF,00000000), ref: 00CFFA22

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00D04604

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: List$HeadInitialize$Timer$ArrayCreateHashQueueRegister$AsyncConcurrency::details::Concurrency::details::platform::__Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorLastLibraryLoadObjectSingleWaitstd::bad_exception::bad_exception
String ID:
API String ID: 2750799244-0
Opcode ID: fb89fc42860a63ad099f48feac503f956e13159254b67439bd72f5bcb45a4e0c
Instruction ID: b6e8343d0278e9a09f1e86c83d27a86e939266f497702d2857a135b47e8293f3
Opcode Fuzzy Hash: fb89fc42860a63ad099f48feac503f956e13159254b67439bd72f5bcb45a4e0c
Instruction Fuzzy Hash: C88129B0A11B56BBD748DF74C895BD9FBA8FF08700F10421AF52897281DBB4A564CBE1

Function 00D02692 Relevance: 19.7, APIs: 13, Instructions: 223COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::ResourceManager::RetrieveSystemVersionInformation.LIBCONCRT ref: 00D026A1

Part of subcall function 00D0398C: GetVersionExW.KERNEL32(?), ref: 00D039B0
Part of subcall function 00D0398C: Concurrency::details::WinRT::Initialize.LIBCONCRT ref: 00D03A4F

Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00D026B5
Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00D026D6
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00D0273F
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00D02773

Part of subcall function 00D0064D: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 00D0066D

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00D027F3

Part of subcall function 00D021BC: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00D021D0

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00D0283B

Part of subcall function 00D00622: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00D0063E

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00D0284F
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00D02860
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00D028AD
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00D028D2
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00D028DE

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Manager::Resource$Affinity$Apply$Restrictions$Information$Topology$CaptureProcessRestriction::Version$CleanupConcurrency::details::platform::__FindGroupInitializeLimitsLogicalProcessorRetrieveSystem
String ID:
API String ID: 4140532746-0
Opcode ID: 9f08f22b92be8330fe59cf58c8c192c4e84196eb18fccbe60dfeed49613f58f8
Instruction ID: 064ae7bbf979eb886db56737e3205b2e4237e327f880ed0df73b15fbcc4ff4ec
Opcode Fuzzy Hash: 9f08f22b92be8330fe59cf58c8c192c4e84196eb18fccbe60dfeed49613f58f8
Instruction Fuzzy Hash: 0E81D539A026169FCB08DF69E8957BDB7B1FB99300B68412DD449E3785D730AD40CBB0

Function 00D127CD Relevance: 16.7, APIs: 11, Instructions: 222COMMON

Download Yara Rule

APIs

Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00D127DF

Part of subcall function 00D1233E: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00D12361

Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00D12800
Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00D1280D
Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00D1285B
Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00D12903
Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00D12935

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
String ID:
API String ID: 1256429809-0
Opcode ID: af04e2b9daafbfd22b8df65319204e88c800c6188cda7d4a9021fcd4e78f28ce
Instruction ID: ab45f85d9bfc7ff9dc308db1802e9b24579cbeccc9e0a37ef7d604b63e4afa5a
Opcode Fuzzy Hash: af04e2b9daafbfd22b8df65319204e88c800c6188cda7d4a9021fcd4e78f28ce
Instruction Fuzzy Hash: CE716A70904249BBDF159F58E981AFE7BB2EF45304F084099EC416B292CB32DDA5DB71

Function 00D0683A Relevance: 15.1, APIs: 10, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00D0687F
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00D068B1
List.LIBCONCRT ref: 00D068EC
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00D068FD
Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00D06919
List.LIBCONCRT ref: 00D06954
Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00D06965
Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00D06980
List.LIBCONCRT ref: 00D069BB
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00D069C8

Part of subcall function 00D05D3F: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00D05D57
Part of subcall function 00D05D3F: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00D05D69

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
String ID:
API String ID: 3403738998-0
Opcode ID: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction ID: 8bca2153a8753d4d3ddaa6648bb4641ce0efa79a528180b2c8d91e1f3825ee9f
Opcode Fuzzy Hash: 2f7af67c50368df58dbc42c7a39e667be4f9f9c44dd16b3d404a49fb0bf2eeba
Instruction Fuzzy Hash: 5A513E71A00209ABDB08DF64C595BEDB3A8FF48304F044069E959AB6C2DB30EE55CFA0

Function 00D1A349 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00D1A35F

Part of subcall function 00D1ABE5: HeapFree.KERNEL32(00000000,00000000,?,00D1EEBD,?,00000000,?,?,?,00D1EEE4,?,00000007,?,?,00D1F2E6,?), ref: 00D1ABFB
Part of subcall function 00D1ABE5: GetLastError.KERNEL32(?,?,00D1EEBD,?,00000000,?,?,?,00D1EEE4,?,00000007,?,?,00D1F2E6,?,?), ref: 00D1AC0D

_free.LIBCMT ref: 00D1A36B
_free.LIBCMT ref: 00D1A376
_free.LIBCMT ref: 00D1A381
_free.LIBCMT ref: 00D1A38C
_free.LIBCMT ref: 00D1A397
_free.LIBCMT ref: 00D1A3A2
_free.LIBCMT ref: 00D1A3AD
_free.LIBCMT ref: 00D1A3B8
_free.LIBCMT ref: 00D1A3C6

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 73e34c7fab7fccfc69410630b85a2edeba93efb4eb89fcadb6e0da3c5694e417
Instruction ID: 3c0a4c48f8a37cac21e90b7d6cd24843cc66925ffdfea34fd6007b90b6a6b74f
Opcode Fuzzy Hash: 73e34c7fab7fccfc69410630b85a2edeba93efb4eb89fcadb6e0da3c5694e417
Instruction Fuzzy Hash: A021877A945148BFCB41EFA8D981DDD7BB9EF08350F004165F5159B121EF31DA84CBA2

Function 00D107E5 Relevance: 13.6, APIs: 9, Instructions: 69threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00D107FB
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00D05B0E,?), ref: 00D1080D
GetCurrentThread.KERNEL32 ref: 00D10815
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00D05B0E,?), ref: 00D1081D
DuplicateHandle.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000002,?,?,?,?,?,?,00D05B0E,?), ref: 00D10836
Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00D10857

Part of subcall function 00D00071: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00D0008B

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00D05B0E,?), ref: 00D10869
GetLastError.KERNEL32(?,?,?,?,?,00D05B0E,?), ref: 00D10894
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00D108AA

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Current$Concurrency::details::ErrorLastLibraryLoadProcessThread$AsyncConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateHandleReferenceRegisterWait
String ID:
API String ID: 1293880212-0
Opcode ID: ee34cc18f06b5f89433a2b18839352f0463e5aeaf436c9baca7a1d12b21d9e17
Instruction ID: 9888e19d45493e060e47418ba9b5e3d0592eaf231abe7e557d5ddcb176f7935d
Opcode Fuzzy Hash: ee34cc18f06b5f89433a2b18839352f0463e5aeaf436c9baca7a1d12b21d9e17
Instruction Fuzzy Hash: 1911A275A04305BBD710BB74AD9AFDA3FA89F45700F080075F949D6291EEB0D8849BB1

Function 00D1E87E Relevance: 12.2, APIs: 8, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 00D1E8A8
_free.LIBCMT ref: 00D1E981
_free.LIBCMT ref: 00D1E9AE

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: b5da4a37c32fd3289d49ab9751f4fc10bc2dd93cf24f0378b464a6d06cc729d8
Instruction ID: 76c24f10d265b3b31585a5fa9fc7362d6ffb8435b4fdbeced00b733cf88fd719
Opcode Fuzzy Hash: b5da4a37c32fd3289d49ab9751f4fc10bc2dd93cf24f0378b464a6d06cc729d8
Instruction Fuzzy Hash: E6510876948341BFDB20AF79B881AED7BA4FF41310F184169FD6197282EE7189C18B71

Function 00D146A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D146D7
___except_validate_context_record.LIBVCRUNTIME ref: 00D146DF
_ValidateLocalCookies.LIBCMT ref: 00D14768
__IsNonwritableInCurrentImage.LIBCMT ref: 00D14793
_ValidateLocalCookies.LIBCMT ref: 00D147E8

Strings

csm, xrefs: 00D1477D

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 36bf8c75090eb8b5527ea1575522aaba9bffef070fd9c8d59e634461b5e81966
Instruction ID: c60ee4bee7a3ff6bd1b04ca221508583476877f9498c82f4789d5ec819093153
Opcode Fuzzy Hash: 36bf8c75090eb8b5527ea1575522aaba9bffef070fd9c8d59e634461b5e81966
Instruction Fuzzy Hash: 49419534A00208FBCF10DF68E885AEE7BB5EF46324F548155E8149B392DB759985CBF1

Function 00D0E60F Relevance: 10.6, APIs: 7, Instructions: 102COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 00D0E637

Part of subcall function 00D0E3A4: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00D0E3D7
Part of subcall function 00D0E3A4: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 00D0E3F9

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00D0E6B4
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00D0E6C0
Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 00D0E6CF
Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 00D0E6D9
Concurrency::location::_Assign.LIBCMT ref: 00D0E70D
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00D0E715

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
String ID:
API String ID: 1924466884-0
Opcode ID: 6f3b94e3289616cb56b6c4d011993fa847069946cce176d2be78399a2e159f4b
Instruction ID: 17cd1352d25315cbb17f8db5e5bc8cfa2febe86c452dc446eaded56ca1549580
Opcode Fuzzy Hash: 6f3b94e3289616cb56b6c4d011993fa847069946cce176d2be78399a2e159f4b
Instruction Fuzzy Hash: 51411835A00218DFCB15EF64C494BADBBB5FF48310F5884A9DD499B282DB30A941CBA1

Function 00D0E73D Relevance: 9.1, APIs: 6, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00D0E77E
Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 00D0E786
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00D0E7B0
Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 00D0E7B9
Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00D0E83C
Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00D0E844

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Concurrency::details::Context$Base::$GroupInternalScheduleSegment$AssignAvailableConcurrency::location::_DeferredEventMakeProcessor::ReleaseRunnableSchedulerTraceVirtual
String ID:
API String ID: 3929269971-0
Opcode ID: cd053b7a6090c999ab1e3e782c99b131ed143a5d2f7d12dfdf1af328e64a1cec
Instruction ID: 29072fb1a82d2a2a1aa833f90734610daa7ea3f172474eca2695fefe9e4e292b
Opcode Fuzzy Hash: cd053b7a6090c999ab1e3e782c99b131ed143a5d2f7d12dfdf1af328e64a1cec
Instruction Fuzzy Hash: 04414E35B00619AFCB09DF64C454B6DBBB6FF88310F048559E90AA73E1CB74AE01CBA1

Function 00D163CD Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00D163C2,?,?,00D1638A,?,?,?), ref: 00D163E2
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D163F5
FreeLibrary.KERNEL32(00000000,?,?,00D163C2,?,?,00D1638A,?,?,?), ref: 00D16418

Strings

mscoree.dll, xrefs: 00D163DB
CorExitProcess, xrefs: 00D163ED

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a8b8f0705f3ab70d07c06edf70d909fb9e9eebbb5914cc7978f8a89d799273c5
Instruction ID: 51dad0d3075c4300f34c79d7434e837fb7d988332ea314e994e18590b4d1f17b
Opcode Fuzzy Hash: a8b8f0705f3ab70d07c06edf70d909fb9e9eebbb5914cc7978f8a89d799273c5
Instruction Fuzzy Hash: 67F05831A05318FBDB219B90ED1ABDEBE69AB00756F148060B804E12A0CB748E45DBB0

Function 00D26599 Relevance: 7.7, APIs: 5, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(011D0910,011D0910,?,7FFFFFFF,?,?,00D26855,011D0910,011D0910,?,011D0910,?,?,?,?,011D0910), ref: 00D2663C
__alloca_probe_16.LIBCMT ref: 00D266F2
__alloca_probe_16.LIBCMT ref: 00D26788
__freea.LIBCMT ref: 00D267F3
__freea.LIBCMT ref: 00D267FF

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea$Info
String ID:
API String ID: 2330168043-0
Opcode ID: 3343732e49bd52e469889ec3abd2b3f0f94e6ae2600742d0f51b0caa75233ad0
Instruction ID: 4bbafbf506d2b8896b034737fc1daced94956ac7641ef198d1f5df994fdad5a6
Opcode Fuzzy Hash: 3343732e49bd52e469889ec3abd2b3f0f94e6ae2600742d0f51b0caa75233ad0
Instruction Fuzzy Hash: 5481A172D00369ABDF219F64EC81EEE7BB5DF6971CF180095E854A7281DB25CC408BB1

Function 00D08529 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 00D0854E

Part of subcall function 00CFE930: _SpinWait.LIBCONCRT ref: 00CFE948

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00D08562
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00D08594
List.LIBCMT ref: 00D08617
List.LIBCMT ref: 00D08626

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 3ea58fc9af1b744fb142251a67f537eceb8c4bd4ec3c186cedb282b8d7aaeb41
Instruction ID: 0180823c6b93ab6cb04ec733e2cccd307fa2e62afeb761469f29affa96fc0444
Opcode Fuzzy Hash: 3ea58fc9af1b744fb142251a67f537eceb8c4bd4ec3c186cedb282b8d7aaeb41
Instruction Fuzzy Hash: 5C315971D0561ADFCB14EFA4D9916EDBBB1BF04304F08006AD48977282CB31A904EBB5

Function 00D1C8E0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00D1C967

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 252ff07006b2f6a787f521d242bcd70294969d1d0532ed7bd0a6630bee3fff95
Instruction ID: 4b406fc062d6475cc53fca48e40ab9cd355c054364770079bb3a3cd786254e14
Opcode Fuzzy Hash: 252ff07006b2f6a787f521d242bcd70294969d1d0532ed7bd0a6630bee3fff95
Instruction Fuzzy Hash: 3DB15A32954295AFDB11CF68E842BFEBBF5EF55300F18916AE845EB241DA348D81CB70

Function 00CE81F0 Relevance: 6.2, APIs: 4, Instructions: 155libraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(0000011C,?,B9106E22), ref: 00CE8269
GetModuleHandleA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00CE82D0
GetProcAddress.KERNEL32(00000000), ref: 00CE82D7

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcVersion
String ID:
API String ID: 3310240892-0
Opcode ID: c18ec9ba31f33c9a55c5874e7a8f90a7d1663a0ee5025a07eaeb7bc36a340f82
Instruction ID: 7fdf2977f2615e92fa32b31e8ea850a5067095e684ed1057de3fb15d1f8e8b84
Opcode Fuzzy Hash: c18ec9ba31f33c9a55c5874e7a8f90a7d1663a0ee5025a07eaeb7bc36a340f82
Instruction Fuzzy Hash: 92514871D002489BDB14EF29DD49BEDBB75EB45710F5042A8E81DA73D1DF309E888BA1

Function 00D108F8 Relevance: 6.1, APIs: 4, Instructions: 80threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000,?), ref: 00D10949
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00D10931

Part of subcall function 00D08D8F: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 00D08DB0

Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00D109AC
SwitchToThread.KERNEL32(00000005,00000004,00000000,?,?,?,?,?,?,?,00D3F4A8), ref: 00D109B1

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: Context$Event$Base::Concurrency::details::$Trace$SwitchThreadThrow
String ID:
API String ID: 2734100425-0
Opcode ID: 4a24709d7b7b352399767899af46d792d4f62f34d3b7ceb58a2d320a55a1c9c4
Instruction ID: 4aae87a422d15d4d5222eee425fc6ea258619767843992d18170f95b2f7a5080
Opcode Fuzzy Hash: 4a24709d7b7b352399767899af46d792d4f62f34d3b7ceb58a2d320a55a1c9c4
Instruction Fuzzy Hash: C521D775600214AFDB00FB58DC559AEBBACEF48720B080116FA15E32D2CF70AD418AB5

Function 00D1A461 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D167AA,?,?,?,?,00D173DE,?), ref: 00D1A466
_free.LIBCMT ref: 00D1A4C3
_free.LIBCMT ref: 00D1A4F9
SetLastError.KERNEL32(00000000,00000006,000000FF,?,?,00D167AA,?,?,?,?,00D173DE,?), ref: 00D1A504

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7e3b923d0bff3adb9c2646867ec89ec08ff3372012114679b5faf6115cd509c6
Instruction ID: d34322444e84f932a55a99c585862ca1ec94d0e3b8b89337b48ce2595fc68407
Opcode Fuzzy Hash: 7e3b923d0bff3adb9c2646867ec89ec08ff3372012114679b5faf6115cd509c6
Instruction Fuzzy Hash: 4911C6363057003F9A1126FC7C89EBF265ADBD57707690225F618C62E1EE758C865132

Function 00D1A5B8 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00D17378,00CE2207), ref: 00D1A5BD
_free.LIBCMT ref: 00D1A61A
_free.LIBCMT ref: 00D1A650
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00D17378,00CE2207), ref: 00D1A65B

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 3fd77018e5ff3062c6d2a35ac7b2a2d0e2e75d3e9b1271cf0561b7f0eeb3f629
Instruction ID: c7a87511c87ac0984b1997dabbd5113c0e2ea5856dba2e700fcd28a5f452c2cf
Opcode Fuzzy Hash: 3fd77018e5ff3062c6d2a35ac7b2a2d0e2e75d3e9b1271cf0561b7f0eeb3f629
Instruction Fuzzy Hash: 4911083224A7003FDA116BBC7C81EBF355AEBD57B1B680225F214C62E1EE718C854136

Function 00D268BF Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00CE8610,0000000F,00D3FB08,00000000,00CE8610,?,00D24FAA,00CE8610,00000001,00CE8610,00CE8610,?,00D1FE84,00000000,?,00CE8610), ref: 00D268D6
GetLastError.KERNEL32(?,00D24FAA,00CE8610,00000001,00CE8610,00CE8610,?,00D1FE84,00000000,?,00CE8610,00000000,00CE8610,?,00D203D8,00CE8610), ref: 00D268E2

Part of subcall function 00D268A8: CloseHandle.KERNEL32(FFFFFFFE,00D268F2,?,00D24FAA,00CE8610,00000001,00CE8610,00CE8610,?,00D1FE84,00000000,?,00CE8610,00000000,00CE8610), ref: 00D268B8

___initconout.LIBCMT ref: 00D268F2

Part of subcall function 00D2686A: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00D26899,00D24F97,00CE8610,?,00D1FE84,00000000,?,00CE8610,00000000), ref: 00D2687D

WriteConsoleW.KERNEL32(00CE8610,0000000F,00D3FB08,00000000,?,00D24FAA,00CE8610,00000001,00CE8610,00CE8610,?,00D1FE84,00000000,?,00CE8610,00000000), ref: 00D26907

Memory Dump Source

Source File: 00000016.00000002.2011003083.0000000000CE1000.00000020.00000001.01000000.00000013.sdmp, Offset: 00CE0000, based on PE: true

Associated: 00000016.00000002.2010854117.0000000000CE0000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011092054.0000000000D30000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011142464.0000000000D42000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011187307.0000000000D44000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011232487.0000000000D45000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 00000016.00000002.2011278856.0000000000D49000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_ce0000_Nework.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0df9a7de37fc9164384930098b17b76f6436e3dc27720bc9e7e4322821f47f72
Instruction ID: a9cc913d1b5ff0f4ce418f92cef99888ecaa11f380a8d74b4d78fe780fc181a7
Opcode Fuzzy Hash: 0df9a7de37fc9164384930098b17b76f6436e3dc27720bc9e7e4322821f47f72
Instruction Fuzzy Hash: 64F0373A041328BBCF521FD5EC18A9A7F25FB55765F144011FE18C5230C631C9609FB0

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: Cryptbot

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CAAAAFBK

C:\ProgramData\CAAAAFBKFIECAAKECGCAAKJECB

C:\ProgramData\CGIDAAAKJJDBGCBFCBGI

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.12944.32631.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre