Edit tour

Windows Analysis Report
g082Q9DajU.exe

Overview

General Information

Sample name:	g082Q9DajU.exe renamed because original name is a hash value
Original sample name:	6e66aea8d0d6a8e404ccc60bb32a99f3.exe
Analysis ID:	1505447
MD5:	6e66aea8d0d6a8e404ccc60bb32a99f3
SHA1:	651a6272114a9ef6ed3039a5da41a1f0bfb03e9e
SHA256:	c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982
Tags:	exe
Infos:

Detection

PureCrypter, LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Amadeys stealer DLL

Yara detected Clipboard Hijacker

Yara detected CryptOne packer

Yara detected Cryptbot

Yara detected Powershell download and execute

Yara detected PureLog Stealer

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

Yara detected zgRAT

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Creates multiple autostart registry keys

Detected PureCrypter Trojan

Drops large PE files

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses process hollowing technique

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Suspicious Copy From or To System Directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Yara signature match

Classification

Process Tree

System is w10x64

g082Q9DajU.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\g082Q9DajU.exe" MD5: 6E66AEA8D0D6A8E404CCC60BB32A99F3)

axplong.exe (PID: 7588 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 6E66AEA8D0D6A8E404CCC60BB32A99F3)

axplong.exe (PID: 7596 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 6E66AEA8D0D6A8E404CCC60BB32A99F3)

axplong.exe (PID: 7860 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 6E66AEA8D0D6A8E404CCC60BB32A99F3)

gold.exe (PID: 8120 cmdline: "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe" MD5: 2D647CF43622ED10B6D733BB5F048FC3)

conhost.exe (PID: 8128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 8180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

crypteda.exe (PID: 1260 cmdline: "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe" MD5: 8E74497AFF3B9D2DDB7E7F819DFC69BA)

RegAsm.exe (PID: 1748 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

c4W13ZFj1P.exe (PID: 3992 cmdline: "C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe" MD5: 88367533C12315805C059E688E7CDFE9)

conhost.exe (PID: 3272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vzVy6ZevhK.exe (PID: 4948 cmdline: "C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe" MD5: 30F46F4476CDC27691C7FDAD1C255037)

Nework.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe" MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

Hkbsse.exe (PID: 1836 cmdline: "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe" MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

stealc_default2.exe (PID: 7688 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 7A02AA17200AEAC25A375F290A4B4C95)

S tup.exe (PID: 2288 cmdline: "C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe" MD5: A2EAD3670D2D61E86C0F6D8DF5C4392A)

needmoney.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe" MD5: 7E6A519688246FE1180F35FE0D25D370)

svchost015.exe (PID: 5408 cmdline: C:\Users\user\AppData\Local\Temp\svchost015.exe MD5: B826DD92D78EA2526E465A34324EBEEA)

Amadeus.exe (PID: 736 cmdline: "C:\Users\user\1000238002\Amadeus.exe" MD5: 36A627B26FAE167E6009B4950FF15805)

BitLockerToGo.exe (PID: 7088 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

runtime.exe (PID: 5356 cmdline: "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" MD5: B73CF29C0EA647C353E4771F0697C41F)

AppLaunch.exe (PID: 7516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

AppLaunch.exe (PID: 7568 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

Channel3.exe (PID: 7680 cmdline: "C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe" MD5: 931C65C2ABF6031D6520F1A48A0F5E34)

cmd.exe (PID: 7496 cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6712 cmdline: schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F MD5: 76CD6626DD8834BD4A42E6A565104DC2)

penis.exe (PID: 7488 cmdline: "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe" MD5: 03CF06E01384018AC325DE8BC160B4B2)

conhost.exe (PID: 7632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

bundle.exe (PID: 7444 cmdline: "C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe" MD5: 30DAA686C1F31CC4833BD3D7283D8CDC)

5KNCHALAH.exe (PID: 7064 cmdline: "C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe" MD5: 3F99C2698FC247D19DD7F42223025252)

Hkbsse.exe (PID: 7624 cmdline: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

runtime.exe (PID: 6548 cmdline: "C:\Users\user\Pictures\Lighter Tech\runtime.exe" MD5: B73CF29C0EA647C353E4771F0697C41F)

runtime.exe (PID: 7724 cmdline: "C:\Users\user\Pictures\Lighter Tech\runtime.exe" MD5: B73CF29C0EA647C353E4771F0697C41F)

AppLaunch.exe (PID: 7696 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

AppLaunch.exe (PID: 7700 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" MD5: 89D41E1CF478A3D3C2C701A27A5692B2)

cmd.exe (PID: 8144 cmdline: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\Pictures\Lighter Tech\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Amadeus.exe (PID: 3468 cmdline: "C:\Users\user\1000238002\Amadeus.exe" MD5: 36A627B26FAE167E6009B4950FF15805)

BitLockerToGo.exe (PID: 2112 cmdline: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe" MD5: A64BEAB5D4516BECA4C40B25DC0C1CD8)

Hkbsse.exe (PID: 5664 cmdline: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe MD5: F5D7B79EE6B6DA6B50E536030BCC3B59)

runtime.exe (PID: 3916 cmdline: "C:\Users\user\Pictures\Lighter Tech\runtime.exe" MD5: B73CF29C0EA647C353E4771F0697C41F)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
PureCrypter	According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021The malware has been observed distributing a variety of remote access trojans and information stealersThe loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software productsPureCrypter features provide persistence, injection and defense mechanisms that are configurable in Googles Protocol Buffer message format	No Attribution	https://any.run/cybersecurity-blog/pure-malware-family-analysis/ https://blog.netlab.360.com/purecrypter-is-busy-pumping-out-various-malicious-malware-families/ https://blog.sekoia.io/mallox-ransomware-affiliate-leverages-purecrypter-in-microsoft-sql-exploitation-campaigns/ https://www.prodaft.com/m/reports/RIG___TLP_CLEAR-1.pdf https://www.zscaler.com/blogs/security-research/technical-analysis-purecrypter	https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/ https://asec.ahnlab.com/en/59590/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: StealC

{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php"}

Threatname: Vidar

{"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}

Threatname: Amadey

{"C2 url": "185.215.113.19/CoreOPT/index.php", "Version": "4.41", "Install Folder": "417fd29867", "Install File": "ednfoki.exe"}

Threatname: Cryptbot

{"C2 list": ["thirtv13ht.top", "analforeverlovyu.top", "+thirtv13ht.top"]}

Threatname: RedLine

{"C2 url": "95.179.250.45:26212", "Bot Id": "LiveTraffic", "Message": "Error! Disable antivirus and try again!", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x58133:$s1: file:/// 0x5806b:$s2: {11111-22222-10009-11112} 0x580c3:$s3: {11111-22222-50001-00000} 0x54b95:$s4: get_Module 0x4e894:$s5: Reverse 0x4f696:$s6: BlockCopy 0x4e731:$s7: ReadByte 0x58145:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x58133:$s1: file:/// 0x5806b:$s2: {11111-22222-10009-11112} 0x580c3:$s3: {11111-22222-50001-00000} 0x54b95:$s4: get_Module 0x4e894:$s5: Reverse 0x4f696:$s6: BlockCopy 0x4e731:$s7: ReadByte 0x58145:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 12 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.1916812173.0000000000A91000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000D.00000000.1883338609.00000000006C2000.00000002.00000001.01000000.0000000E.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1851600707.0000000003A05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000013.00000002.1916345322.0000000000A91000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000A.00000002.1884009401.0000000000479000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0000002D.00000002.3044385898.0000000000A91000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000000.1914368612.0000000000A91000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000001A.00000000.2160574126.0000000000312000.00000002.00000001.01000000.0000001E.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000018.00000002.2456285511.0000000001C00000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
0000002C.00000002.2785633624.0000000001F60000.00000004.00001000.00020000.00000000.sdmp	Msfpayloads_msf_9	Metasploit Payloads - file msf.war - contents	Florian Roth	0x0:$x1: 4d5a9000030000000
00000007.00000002.1997902146.0000000000421000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000012.00000000.1913790607.0000000000A91000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000029.00000002.2328370796.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000000.1882466924.00000000002D2000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000003.00000003.1812249339.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000019.00000002.2258945383.0000000012E41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000001.00000002.1748418353.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000024.00000002.3290631876.0000023D71340000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000003.1683484955.0000000004A20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000002.1749444823.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002D.00000000.2403189499.0000000000A91000.00000020.00000001.01000000.00000014.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000002.00000003.1709099923.00000000055F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.2500882491.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000003.1707837826.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000002.2122597398.0000000003139000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Crypt	Yara detected CryptOne packer	Joe Security
00000019.00000002.2319721857.000000001D580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000015.00000002.3079738326.0000000003F33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
00000020.00000000.2187298068.0000000000421000.00000002.00000001.01000000.00000020.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1723667142.0000000000261000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000F.00000000.1905853574.0000000000C21000.00000020.00000001.01000000.00000013.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gold.exe PID: 8120	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 8180	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 8180	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1748	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: c4W13ZFj1P.exe PID: 3992	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: vzVy6ZevhK.exe PID: 4948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: vzVy6ZevhK.exe PID: 4948	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 7688	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 7688	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 7688	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 7688	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: S tup.exe PID: 2288	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: S tup.exe PID: 2288	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: S tup.exe PID: 2288	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: needmoney.exe PID: 8104	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: needmoney.exe PID: 8104	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 5408	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: svchost015.exe PID: 5408	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: svchost015.exe PID: 5408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: svchost015.exe PID: 5408	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: penis.exe PID: 7488	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: bundle.exe PID: 7444	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: bundle.exe PID: 7444	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 5KNCHALAH.exe PID: 7064	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Channel3.exe PID: 7680	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Click to see the 67 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
41.2.AppLaunch.exe.400000.0.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
25.2.runtime.exe.12ebf87c.4.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
15.0.Nework.exe.c20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
18.0.Hkbsse.exe.a90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
32.0.bundle.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.runtime.exe.1d580324.7.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
26.0.penis.exe.310000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
26.0.penis.exe.310000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
26.0.penis.exe.310000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x58133:$s1: file:/// 0x5806b:$s2: {11111-22222-10009-11112} 0x580c3:$s3: {11111-22222-50001-00000} 0x54b95:$s4: get_Module 0x4e894:$s5: Reverse 0x4f696:$s6: BlockCopy 0x4e731:$s7: ReadByte 0x58145:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
45.2.Hkbsse.exe.a90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.gold.exe.3a05570.0.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.runtime.exe.1d580324.7.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
5.2.gold.exe.3a05570.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
41.2.AppLaunch.exe.400000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
25.2.runtime.exe.12ebf87c.4.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.0.Hkbsse.exe.a90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
45.0.Hkbsse.exe.a90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
25.2.runtime.exe.1d580000.8.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.RegAsm.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
18.2.Hkbsse.exe.a90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
36.2.5KNCHALAH.exe.23d71340000.5.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
10.2.RegAsm.exe.400000.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.axplong.exe.e10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
2.2.axplong.exe.e10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
11.0.c4W13ZFj1P.exe.2d0000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
11.0.c4W13ZFj1P.exe.2d0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
11.0.c4W13ZFj1P.exe.2d0000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.RegAsm.exe.436060.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.RegAsm.exe.436060.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.RegAsm.exe.482060.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.RegAsm.exe.482060.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegAsm.exe.482060.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x43893:$s1: file:/// 0x437ef:$s2: {11111-22222-10009-11112} 0x43823:$s3: {11111-22222-50001-00000} 0x4084e:$s4: get_Module 0x3af3c:$s5: Reverse 0x3bc37:$s6: BlockCopy 0x3af0a:$s7: ReadByte 0x438a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
10.2.RegAsm.exe.482060.0.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.RegAsm.exe.482060.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegAsm.exe.482060.0.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45693:$s1: file:/// 0x455ef:$s2: {11111-22222-10009-11112} 0x45623:$s3: {11111-22222-50001-00000} 0x4264e:$s4: get_Module 0x3cd3c:$s5: Reverse 0x3da37:$s6: BlockCopy 0x3cd0a:$s7: ReadByte 0x456a5:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
13.0.vzVy6ZevhK.exe.6c0000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
25.2.runtime.exe.12ebf558.3.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
15.2.Nework.exe.c20000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
1.2.axplong.exe.e10000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.2.Hkbsse.exe.a90000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
25.2.runtime.exe.12ebf558.3.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0.2.g082Q9DajU.exe.260000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
25.2.runtime.exe.12e41b20.5.raw.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.RegAsm.exe.400000.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
10.2.RegAsm.exe.400000.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
10.2.RegAsm.exe.400000.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.RegAsm.exe.400000.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0xc48f3:$s1: file:/// 0xc484f:$s2: {11111-22222-10009-11112} 0xc4883:$s3: {11111-22222-50001-00000} 0xc18ae:$s4: get_Module 0x52fe2:$s5: Reverse 0xbbf9c:$s5: Reverse 0xbcc97:$s6: BlockCopy 0xbbf6a:$s7: ReadByte 0xc4905:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
23.0.svchost015.exe.400000.0.unpack	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
23.0.svchost015.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 44 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\1000238002\Amadeus.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 7860, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Amadeus.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F, CommandLine: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe, ParentProcessId: 5356, ParentProcessName: runtime.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F, ProcessId: 7496, ProcessName: cmd.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: g082Q9DajU.exe

Avira: detected

Found malware configuration

Source: 00000005.00000002.1851600707.0000000003A05000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: RedLine {"C2 url": "95.179.250.45:26212", "Bot Id": "LiveTraffic", "Message": "Error! Disable antivirus and try again!", "Authorization Header": "143feb5082f9936e624c1e27545e7d19"}
Source: 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php"}
Source: 25.2.runtime.exe.12ebf87c.4.raw.unpack	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.19/CoreOPT/index.php", "Version": "4.41", "Install Folder": "417fd29867", "Install File": "ednfoki.exe"}
Source: 22.2.needmoney.exe.310a4b9.0.raw.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://91.202.233.158/e96ea2db21fa9a1b.php", "Botnet": "default"}
Source: Channel3.exe.7680.38.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["thirtv13ht.top", "analforeverlovyu.top", "+thirtv13ht.top"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\1000238002\Amadeus.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5KNCHALAH[1].exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Channel3[1].exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\S?tup[1].exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\gold[1].exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Amadeus[1].exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\runtime[1].exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crypteda[1].exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\needmoney[1].exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	ReversingLabs: Detection: 87%
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	ReversingLabs: Detection: 100%
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	ReversingLabs: Detection: 58%
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 76%

Multi AV Scanner detection for submitted file

Source: g082Q9DajU.exe	Virustotal: Detection: 52%			Perma Link
Source: g082Q9DajU.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Amadeus[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crypteda[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5KNCHALAH[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\needmoney[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\1000238002\Amadeus.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: g082Q9DajU.exe

Joe Sandbox ML: detected

Source: g082Q9DajU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000014.00000002.2155945319.000000006C1BD000.00000002.00000001.01000000.0000001A.sdmp, svchost015.exe, 00000017.00000002.2700385866.000000006957D000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: freebl3.pdb source: freebl3.dll.20.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.20.dr
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr
Source:	Binary string: c:\rje\tg\3sgd\obj\Re\ease\gqa.pdb source: axplong.exe, 00000003.00000002.3050434559.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, gold.exe.3.dr
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdb source: axplong.exe, 00000003.00000002.3050434559.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000019.00000000.2132138745.0000000000902000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: BitLockerToGo.pdb source: Amadeus.exe, 00000018.00000002.2427689635.0000000001980000.00000004.00001000.00020000.00000000.sdmp, Amadeus.exe, 0000002C.00000002.2785633624.0000000001D80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 5KNCHALAH.exe, 00000024.00000002.3307039374.0000023D714E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdbb source: axplong.exe, 00000003.00000002.3050434559.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000019.00000000.2132138745.0000000000902000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 5KNCHALAH.exe, 00000024.00000002.3307039374.0000023D714E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.20.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000014.00000002.2155945319.000000006C1BD000.00000002.00000001.01000000.0000001A.sdmp, svchost015.exe, 00000017.00000002.2700385866.000000006957D000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: Amadeus.exe, 00000018.00000002.2427689635.0000000001980000.00000004.00001000.00020000.00000000.sdmp, Amadeus.exe, 0000002C.00000002.2785633624.0000000001D80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G.pdb source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 06539073h	7_2_06538E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0653E918h	7_2_0653E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0653AD4Fh	7_2_0653A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp 0653A54Dh	7_2_0653A278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc dword ptr [ebp-20h]	7_2_06532E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then inc dword ptr [ebp-20h]	7_2_06533158

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor	URLs: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: Malware configuration extractor	IPs: 185.215.113.19
Source: Malware configuration extractor	URLs: thirtv13ht.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: +thirtv13ht.top
Source: Malware configuration extractor	URLs: 95.179.250.45:26212

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C2AC50 GetUserNameA,CoInitialize,GetLocalTime,CoInitialize,CreateFileA,InternetOpenA,InternetOpenUrlA,InternetReadFile,WriteFile,WriteFile,InternetReadFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,RemoveDirectoryA,

15_2_00C2AC50

Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.000000000274A000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.00000000027DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.000000000274A000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.00000000027DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.000000000274A000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.00000000027DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\^q equals www.youtube.com (Youtube)
Source: penis.exe, 0000001A.00000002.2241610570.00000000027DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,^q equals www.youtube.com (Youtube)
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.000000000274A000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.00000000027DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,^q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004CE1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/Channel3.exe
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.216.17.216/joffer2.exe
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.216.17.216/joffer2.exe69c8c83ebf0f2
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.216.17.216/joffer2.exe;H
Source: axplong.exe, 00000003.00000002.3050434559.00000000009CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/gold.exeMy
Source: axplong.exe, 00000003.00000002.3050434559.00000000009CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/gold.exesy
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/needmoney.exeDomM
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.117/inc/needmoney.exeg
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php0o
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpCnkM
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpHo
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpi
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedVn~M
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/a
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/e19fbffd5744f69c5867ee8214f815db3496a3a9a776d7d3d99b6b47cfcc28766ada#ue
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/es
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ferences.SourceAumid2
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/5KNCHALAH.exe
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/Amadeus.exe
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/Amadeus.exeYJ
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/S
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/bundle.exe
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/bundle.exefJ
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/crypteda.exe
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/penis.exeO&nL-
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/penis.exeg
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/runtime.exeAI
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/runtime.exeRJ
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A1F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exey
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ones
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.000000000110D000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/#
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php/A
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php7A9
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php=6
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpAp267
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpBFIJEHDHCBGDGDGCB
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpC:
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpNAs6v
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpOF-6
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpSA
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpcAU
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phple
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpm
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpnfigOverlay
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpnomi
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpo
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpome6d
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpser
Source: stealc_default2.exe, 00000014.00000002.2123355501.000000000110D000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpw
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dllrs
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll2
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll_
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllk
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllds
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.0000000000FCA000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll:sU
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
Source: stealc_default2.exe, 00000014.00000002.2123355501.000000000110D000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17o
Source: runtime.exe, 00000019.00000002.2240011081.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3068284554.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3068284554.000000000256E000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000027.00000002.2418200772.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002F.00000002.2575995048.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19
Source: AppLaunch.exe, 0000001D.00000002.3067478958.0000000007091000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000001D.00000002.3067478958.0000000007094000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000001D.00000002.3056256702.0000000004CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php&
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php(
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpg
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpgh
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpgp
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php369.jpgx
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004CCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.php?scr=1
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phpe
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/CoreOPT/index.phph
Source: runtime.exe, 00000019.00000002.2240011081.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3068284554.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000027.00000002.2418200772.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002F.00000002.2575995048.0000000003256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.19/ProlongedPortable.dll
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp, Hkbsse.exe, 0000002D.00000002.3061861979.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php(
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000F97000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php2
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php9001
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpB
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpD
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpH
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpN
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpP
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpTQ
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpX
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpf
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.phpx
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Dem7kTu/index.php~
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/Nework.exe
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/a
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.26/es
Source: runtime.exe, 00000023.00000002.3068284554.000000000256E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.215H
Source: svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158.
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158//R
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/freebl3.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/mozglue.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/mozglue.dll36
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/msvcp140.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/msvcp140.dll%79
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dll4S
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/nss3.dllhS
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/softokn3.dll77
Source: svchost015.exe, 00000017.00000002.2475542759.000000000046A000.00000040.00000400.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/sqlite3.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/vcruntime140.dll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/3836fd5700214436/vcruntime140.dllox
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/EHJEBAAFIDHJEBGIEBFIJK
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/d
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php49
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.php8g
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpCoinomi
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpHCGIDBAAFHIDHDAAE
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpLg
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpW6
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpdll
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpdll?9
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpf
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpser
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phpsimple-storage.jsonHY
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phptg
Source: svchost015.exe, 00000017.00000002.2475542759.00000000005AD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158/e96ea2db21fa9a1b.phption:
Source: svchost015.exe, 00000017.00000002.2475542759.00000000005AD000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.158AFIJ
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl07
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: S tup.exe, 00000015.00000003.2826542012.0000000001494000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2797050556.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/
Source: S tup.exe, 00000015.00000003.2136179467.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/6Z
Source: S tup.exe, 00000015.00000003.2816166125.0000000001492000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2797050556.0000000001491000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000002.3077015225.0000000001494000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2826542012.0000000001494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/f1V
Source: S tup.exe, 00000015.00000003.2136179467.0000000001491000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/f1ZZ
Source: S tup.exe, 00000015.00000003.2797050556.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/v1/upload.php
Source: S tup.exe, 00000015.00000003.2136179467.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/v1/upload.phpFB5
Source: S tup.exe, 00000015.00000003.2136179467.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/v1/upload.phpl
Source: S tup.exe, 00000015.00000003.2816166125.0000000001492000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2797050556.0000000001491000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000002.3077015225.0000000001494000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2826542012.0000000001494000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top/v1/upload.phpyY
Source: S tup.exe, 00000015.00000003.2136179467.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fivev5ht.top:80/v1/upload.php
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net02
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsps.ssl.com0
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9R
Source: vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9n
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultp9y
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000019.00000002.2240011081.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3068284554.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3068284554.000000000256E000.00000004.00000800.00020000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000027.00000002.2418200772.0000000002D6E000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002F.00000002.2575995048.000000000329E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C3C000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14V
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.000000000289A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002A79000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B2B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Channel3.exe, 00000026.00000002.3077725303.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2689901437.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000002.3077074474.000000000159E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thirtv13ht.top/
Source: Channel3.exe, 00000026.00000002.3077725303.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2689901437.00000000015CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thirtv13ht.top/F
Source: Channel3.exe, 00000026.00000002.3077725303.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2689901437.00000000015CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thirtv13ht.top/L
Source: Channel3.exe, 00000026.00000002.3077725303.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2689901437.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000002.3077074474.000000000159E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thirtv13ht.top/v1/upload.php
Source: Channel3.exe, 00000026.00000002.3077074474.000000000159E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thirtv13ht.top/v1/upload.php-
Source: Channel3.exe, 00000026.00000003.2416559925.00000000015D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://thirtv13ht.top/v1/upload.php_
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp, freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.entrust.net/rpa03
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: stealc_default2.exe, 00000014.00000002.2155945319.000000006C1BD000.00000002.00000001.01000000.0000001A.sdmp, svchost015.exe, 00000017.00000002.2700385866.000000006957D000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: stealc_default2.exe, 00000014.00000002.2155436068.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2683537024.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: runtime.exe, 0000002F.00000002.2575995048.000000000324D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.x-ways.net/order
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/license
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/subscribe
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU
Source: c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000026E3000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.000000000279E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: penis.exe, 0000001A.00000002.2241610570.000000000279E000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000000.2187298068.0000000000421000.00000002.00000001.01000000.00000020.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ep
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.epnacl
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop//=
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/E
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000002.2544758685.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2505661424.0000000002E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/api
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/api/
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/api2U
Source: BitLockerToGo.exe, 0000002E.00000002.2544758685.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/apibul
Source: BitLockerToGo.exe, 0000002E.00000002.2544758685.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/apic
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2505661424.0000000002E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/apii
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop/apit
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://condedqpwqm.shop:443/apii
Source: stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: S tup.exe, 00000015.00000002.3079738326.0000000003F33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://github.com/tesseract-ocr/tessdata/
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.sh
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://locatedblsoqp.shop/api
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: https://mozilla.org0/
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: stealc_default2.exe, 00000014.00000003.2000394496.0000000020C41000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.0000000000F8C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2178737672.0000000020E71000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000042C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.0000000000F8C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000042C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F8C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000042C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: stealc_default2.exe, 00000014.00000003.2000394496.0000000020C41000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2178737672.0000000020E71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e1710.9
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17date
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000002.2544758685.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/%
Source: BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000002.2544758685.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2505661424.0000000002E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://traineiwnqo.shop/api
Source: S tup.exe, 00000015.00000002.3068224934.0000000000882000.00000002.00000001.01000000.00000017.sdmp, Channel3.exe, 00000026.00000002.3070824295.0000000000881000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://update-ledger.net/update
Source: stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: BitLockerToGo.exe, 00000025.00000002.2342127287.0000000002932000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000025.00000003.2304902282.00000000029AD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000025.00000003.2305204277.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2499936890.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: BitLockerToGo.exe, 00000025.00000003.2304902282.00000000029AD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000025.00000003.2305204277.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2499936890.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2505661424.0000000002E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: freebl3.dll.20.dr, nss3.dll.20.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.entrust.net/rpa0
Source: stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: vzVy6ZevhK.exe, 0000000D.00000002.2037249305.0000000003D46000.00000004.00000800.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 00000014.00000003.2088393550.0000000026F9C000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 00000014.00000003.2088393550.0000000026F9C000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2407677282.0000000027088000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.ssl.com/repository0
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.x-ways.net/winhex/forum/
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection

Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000028D9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_ca759cf3-f

Source: Yara match	File source: 23.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: needmoney.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5408, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp5ECB.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE31F.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6D24.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File created: C:\Users\user\AppData\Local\Temp\TmpE30E.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp5EDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp6CD5.tmp	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 26.0.penis.exe.310000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 11.0.c4W13ZFj1P.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000018.00000002.2456285511.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: 0000002C.00000002.2785633624.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Metasploit Payloads - file msf.war - contents Author: Florian Roth
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED	Matched rule: Detects zgRAT Author: ditekSHen

.NET source code contains very large array initializations

Source: gold[1].exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296
Source: gold.exe.3.dr, MoveAngles.cs	Large array initialization: MoveAngles: array initializer size 311296

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe

File dump: service123.exe.21.dr 314613760

Jump to dropped file

PE file contains section with special chars

Source: g082Q9DajU.exe	Static PE information: section name:
Source: g082Q9DajU.exe	Static PE information: section name: .idata
Source: g082Q9DajU.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

PE file has a writeable .text section

Source: stealc_default2[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C3C9F7 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers,

15_2_00C3C9F7

Source: C:\Users\user\Desktop\g082Q9DajU.exe	File created: C:\Windows\Tasks\axplong.job			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File created: C:\Windows\Tasks\Hkbsse.job

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E1E440	3_2_00E1E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E14CF0	3_2_00E14CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E53068	3_2_00E53068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E47D83	3_2_00E47D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E14AF0	3_2_00E14AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E5765B	3_2_00E5765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E52BD0	3_2_00E52BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E5777B	3_2_00E5777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E58720	3_2_00E58720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E56F09	3_2_00E56F09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00CBDC74	7_2_00CBDC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0625A688	7_2_0625A688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_062567D8	7_2_062567D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06253F50	7_2_06253F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06256FE8	7_2_06256FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06256FF8	7_2_06256FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064FEF40	7_2_064FEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F0A0C	7_2_064F0A0C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F1EF1	7_2_064F1EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F1F00	7_2_064F1F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0653D770	7_2_0653D770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06539711	7_2_06539711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0653B718	7_2_0653B718
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0653E420	7_2_0653E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0653A5F0	7_2_0653A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06536A90	7_2_06536A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_065313C0	7_2_065313C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_065361C0	7_2_065361C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0653C1B8	7_2_0653C1B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06535E78	7_2_06535E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0653D760	7_2_0653D760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_065313B0	7_2_065313B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00402310	10_2_00402310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004050B0	10_2_004050B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0042045E	10_2_0042045E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040FCE0	10_2_0040FCE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00419D09	10_2_00419D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041950B	10_2_0041950B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00415625	10_2_00415625
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00404EF0	10_2_00404EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040CF7F	10_2_0040CF7F
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Code function: 11_2_02437770	11_2_02437770
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Code function: 11_2_02437762	11_2_02437762
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Code function: 11_2_02437458	11_2_02437458
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Code function: 11_2_02437468	11_2_02437468
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_028A25D8	13_2_028A25D8
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_028ADC74	13_2_028ADC74
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061C67D0	13_2_061C67D0
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061C3F50	13_2_061C3F50
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061CA3BD	13_2_061CA3BD
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061C6FF8	13_2_061C6FF8
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061C6FE8	13_2_061C6FE8
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C2AC50	15_2_00C2AC50
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C2E390	15_2_00C2E390
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C68650	15_2_00C68650
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C24AF0	15_2_00C24AF0
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C62B00	15_2_00C62B00
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C24CF0	15_2_00C24CF0
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C40C73	15_2_00C40C73
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C66E39	15_2_00C66E39
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C62F98	15_2_00C62F98
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C41462	15_2_00C41462
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C6758B	15_2_00C6758B
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C676AB	15_2_00C676AB
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C57CB3	15_2_00C57CB3
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C43C51	15_2_00C43C51
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C45FF2	15_2_00C45FF2

Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe

Process token adjusted: Security

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00407D20 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00C37F20 appears 129 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00C3D7A2 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00C3D4C4 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: String function: 00C3DDE0 appears 46 times

Source: S?tup[1].exe.3.dr	Static PE information: Number of sections : 18 > 10
Source: S tup.exe.3.dr	Static PE information: Number of sections : 18 > 10

Source: g082Q9DajU.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 26.0.penis.exe.310000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 11.0.c4W13ZFj1P.exe.2d0000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000018.00000002.2456285511.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: 0000002C.00000002.2785633624.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Msfpayloads_msf_9 date = 2017-02-09, hash1 = e408678042642a5d341e8042f476ee7cef253871ef1c9e289acf0ee9591d1e81, author = Florian Roth, description = Metasploit Payloads - file msf.war - contents, reference = Internal Research
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: crypteda[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: crypteda.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold[1].exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gold.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: g082Q9DajU.exe	Static PE information: Section: ZLIB complexity 0.997291169959128
Source: g082Q9DajU.exe	Static PE information: Section: ckpyoeob ZLIB complexity 0.9946028605916616
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.997291169959128
Source: axplong.exe.0.dr	Static PE information: Section: ckpyoeob ZLIB complexity 0.9946028605916616

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@75/84@0/16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\gold[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Mutant created: \Sessions\1\BaseNamedObjects\bd25d52e2a
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Mutant created: \Sessions\1\BaseNamedObjects\07c6bc37dc50874878dcb010336ed906
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7632:120:WilError_03

Source: C:\Users\user\Desktop\g082Q9DajU.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: Yara match	File source: 23.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\g082Q9DajU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\g082Q9DajU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000014.00000003.2006080608.0000000020C39000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2185250864.0000000020E69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000014.00000002.2140136003.000000001ACBB000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2155262031.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2679941656.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2575436325.000000001AEE1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: g082Q9DajU.exe	Virustotal: Detection: 52%
Source: g082Q9DajU.exe	ReversingLabs: Detection: 76%

Source: g082Q9DajU.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\g082Q9DajU.exe

File read: C:\Users\user\Desktop\g082Q9DajU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\g082Q9DajU.exe "C:\Users\user\Desktop\g082Q9DajU.exe"
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe "C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe"
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe "C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe "C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe "C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: unknown	Process created: C:\Users\user\Pictures\Lighter Tech\runtime.exe "C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe "C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe "C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe"
Source: unknown	Process created: C:\Users\user\Pictures\Lighter Tech\runtime.exe "C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\Pictures\Lighter Tech\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: unknown	Process created: C:\Users\user\Pictures\Lighter Tech\runtime.exe "C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe "C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe "C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe "C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe "C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe "C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe "C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\Pictures\Lighter Tech\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msvcp140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: esdsip.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\1000238002\Amadeus.exe	Section loaded: apphelp.dll
Source: C:\Users\user\1000238002\Amadeus.exe	Section loaded: powrprof.dll
Source: C:\Users\user\1000238002\Amadeus.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: edputil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: appresolver.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: slc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: sppc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: msisip.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: wshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: esdsip.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Section loaded: ucrtbase_clr0400.dll

Source: C:\Users\user\Desktop\g082Q9DajU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: g082Q9DajU.exe

Static file information: File size 1873408 > 1048576

Source: g082Q9DajU.exe

Static PE information: Raw size of ckpyoeob is bigger than: 0x100000 < 0x197c00

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000014.00000002.2155945319.000000006C1BD000.00000002.00000001.01000000.0000001A.sdmp, svchost015.exe, 00000017.00000002.2700385866.000000006957D000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: freebl3.pdb source: freebl3.dll.20.dr
Source:	Binary string: freebl3.pdbp source: freebl3.dll.20.dr
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr
Source:	Binary string: c:\rje\tg\3sgd\obj\Re\ease\gqa.pdb source: axplong.exe, 00000003.00000002.3050434559.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, gold.exe.3.dr
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdb source: axplong.exe, 00000003.00000002.3050434559.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000019.00000000.2132138745.0000000000902000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: BitLockerToGo.pdb source: Amadeus.exe, 00000018.00000002.2427689635.0000000001980000.00000004.00001000.00020000.00000000.sdmp, Amadeus.exe, 0000002C.00000002.2785633624.0000000001D80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: 5KNCHALAH.exe, 00000024.00000002.3307039374.0000023D714E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: F:\IlluminatedControls\Simple-Calculator-master\obj\Release\Simple Calculator.pdbb source: axplong.exe, 00000003.00000002.3050434559.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000019.00000000.2132138745.0000000000902000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: 5KNCHALAH.exe, 00000024.00000002.3307039374.0000023D714E0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: msvcp140.dll.20.dr
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000014.00000002.2156279608.000000006C37F000.00000002.00000001.01000000.00000019.sdmp, svchost015.exe, 00000017.00000002.2723045527.000000006973F000.00000002.00000001.01000000.00000019.sdmp, nss3.dll.20.dr
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000014.00000002.2155945319.000000006C1BD000.00000002.00000001.01000000.0000001A.sdmp, svchost015.exe, 00000017.00000002.2700385866.000000006957D000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: BitLockerToGo.pdbGCTL source: Amadeus.exe, 00000018.00000002.2427689635.0000000001980000.00000004.00001000.00020000.00000000.sdmp, Amadeus.exe, 0000002C.00000002.2785633624.0000000001D80000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: G.pdb source: axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Unpacked PE file: 0.2.g082Q9DajU.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 1.2.axplong.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.e10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ckpyoeob:EW;nhhoofat:EW;.taggant:EW;

.NET source code contains potential unpacker

Source: runtime[1].exe.3.dr, CalculatorForm1.cs	.Net Code: FixLayout System.Reflection.Assembly.Load(byte[])
Source: runtime.exe.3.dr, CalculatorForm1.cs	.Net Code: FixLayout System.Reflection.Assembly.Load(byte[])

Yara detected Costura Assembly Loader

Source: Yara match	File source: 36.2.5KNCHALAH.exe.23d71340000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000024.00000002.3290631876.0000023D71340000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 5KNCHALAH.exe PID: 7064, type: MEMORYSTR

Source: runtime[1].exe.3.dr

Static PE information: 0xBA490597 [Mon Jan 14 00:08:55 2069 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C4BDF9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00C4BDF9

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: needmoney[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x39d770
Source: Nework[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: runtime[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x10013
Source: needmoney.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x39d770
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d7c3a should be: 0x1ca1e3
Source: crypteda[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: Nework.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x6abc6
Source: stealc_default2.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x31181
Source: penis[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x9958e
Source: crypteda.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x11b6f1
Source: g082Q9DajU.exe	Static PE information: real checksum: 0x1d7c3a should be: 0x1ca1e3
Source: stealc_default2[1].exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x31181
Source: runtime.exe.3.dr	Static PE information: real checksum: 0x0 should be: 0x10013

Source: g082Q9DajU.exe	Static PE information: section name:
Source: g082Q9DajU.exe	Static PE information: section name: .idata
Source: g082Q9DajU.exe	Static PE information: section name:
Source: g082Q9DajU.exe	Static PE information: section name: ckpyoeob
Source: g082Q9DajU.exe	Static PE information: section name: nhhoofat
Source: g082Q9DajU.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: ckpyoeob
Source: axplong.exe.0.dr	Static PE information: section name: nhhoofat
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: S?tup[1].exe.3.dr	Static PE information: section name: /4
Source: S?tup[1].exe.3.dr	Static PE information: section name: /14
Source: S?tup[1].exe.3.dr	Static PE information: section name: /29
Source: S?tup[1].exe.3.dr	Static PE information: section name: /41
Source: S?tup[1].exe.3.dr	Static PE information: section name: /55
Source: S?tup[1].exe.3.dr	Static PE information: section name: /67
Source: S?tup[1].exe.3.dr	Static PE information: section name: /80
Source: S?tup[1].exe.3.dr	Static PE information: section name: /91
Source: S?tup[1].exe.3.dr	Static PE information: section name: /102
Source: S tup.exe.3.dr	Static PE information: section name: /4
Source: S tup.exe.3.dr	Static PE information: section name: /14
Source: S tup.exe.3.dr	Static PE information: section name: /29
Source: S tup.exe.3.dr	Static PE information: section name: /41
Source: S tup.exe.3.dr	Static PE information: section name: /55
Source: S tup.exe.3.dr	Static PE information: section name: /67
Source: S tup.exe.3.dr	Static PE information: section name: /80
Source: S tup.exe.3.dr	Static PE information: section name: /91
Source: S tup.exe.3.dr	Static PE information: section name: /102
Source: Amadeus[1].exe.3.dr	Static PE information: section name: .symtab
Source: Amadeus.exe.3.dr	Static PE information: section name: .symtab

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E2D84C push ecx; ret	3_2_00E2D85F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0625EFB2 push eax; ret	7_2_0625EFC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_06253B4F push dword ptr [esp+ecx*2-75h]; ret	7_2_06253B53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_062549AB push FFFFFF8Bh; retf	7_2_062549AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064FA4AD push es; iretd	7_2_064FA4CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F1D21 push es; ret	7_2_064F1D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F4A22 push es; ret	7_2_064F4A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064FE3F0 push es; ret	7_2_064FE400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F2952 push es; ret	7_2_064F2960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_064F4998 push es; ret	7_2_064F49F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00428E7D push esi; ret	10_2_00428E86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_004076D3 push ecx; ret	10_2_004076E6
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061CE060 push es; ret	13_2_061CE070
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061CECF2 push eax; ret	13_2_061CED01
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061C3B4F push dword ptr [esp+ecx*2-75h]; ret	13_2_061C3B53
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Code function: 13_2_061C49AB push FFFFFF8Bh; retf	13_2_061C49AD
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C3D77C push ecx; ret	15_2_00C3D78F
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C5DCCB push ss; iretd	15_2_00C5DCCC
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C3DE26 push ecx; ret	15_2_00C3DE39

Source: g082Q9DajU.exe	Static PE information: section name: entropy: 7.981188062174272
Source: g082Q9DajU.exe	Static PE information: section name: ckpyoeob entropy: 7.953465161442263
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.981188062174272
Source: axplong.exe.0.dr	Static PE information: section name: ckpyoeob entropy: 7.953465161442263
Source: crypteda[1].exe.3.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: crypteda.exe.3.dr	Static PE information: section name: .text entropy: 7.99930616062516
Source: gold[1].exe.3.dr	Static PE information: section name: .text entropy: 7.996679559232497
Source: gold.exe.3.dr	Static PE information: section name: .text entropy: 7.996679559232497

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\gold[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	File created: C:\Users\user\AppData\Local\Temp\svchost015.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\needmoney[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5KNCHALAH[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	File created: C:\Users\user\AppData\Local\Temp\rgqzVBZOCfumjeaMDHRm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crypteda[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\joffer2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	File created: C:\Users\user\AppData\Local\Temp\1000019001\joffer2.exe	Jump to dropped file
Source: C:\Windows\System32\cmd.exe	File created: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File created: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\1000238002\Amadeus.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File created: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Channel3[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Jump to dropped file
Source: C:\Users\user\Desktop\g082Q9DajU.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\S?tup[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Amadeus[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\runtime[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Amadeus.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F

Source: C:\Users\user\Desktop\g082Q9DajU.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Amadeus.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Amadeus.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce runtime

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C3C5C8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00C3C5C8

Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\1000238002\Amadeus.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\g082Q9DajU.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\^Q
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE`,^Q
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 2CEA37 second address: 2CEA41 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9D94F7C37Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 43E081 second address: 43E085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 43CFDA second address: 43D00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C385h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D94F7C388h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4364DC second address: 4364E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 43D324 second address: 43D328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 43D5C1 second address: 43D5D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9D94F79B3Bh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 43D73A second address: 43D74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D94F7C376h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007F9D94F7C376h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 44014F second address: 440154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 440154 second address: 44018A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007F9D94F7C383h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 44018A second address: 44018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 440237 second address: 44023C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 44023C second address: 440242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 440242 second address: 440267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edx, 0CF85159h 0x0000000f push 00000000h 0x00000011 xor edx, dword ptr [ebp+122D389Ch] 0x00000017 push FC6F3A33h 0x0000001c je 00007F9D94F7C37Eh 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 440267 second address: 4402FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 add dword ptr [esp], 0390C64Dh 0x0000000c mov esi, dword ptr [ebp+122D38D8h] 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007F9D94F79B38h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov esi, dword ptr [ebp+122D3798h] 0x00000034 jmp 00007F9D94F79B3Eh 0x00000039 push 00000000h 0x0000003b xor dword ptr [ebp+122D2FD3h], edx 0x00000041 push 00000003h 0x00000043 add esi, dword ptr [ebp+122D38CCh] 0x00000049 push 6A4A4D44h 0x0000004e jc 00007F9D94F79B4Dh 0x00000054 jnp 00007F9D94F79B47h 0x0000005a jmp 00007F9D94F79B41h 0x0000005f add dword ptr [esp], 55B5B2BCh 0x00000066 xor di, 4413h 0x0000006b lea ebx, dword ptr [ebp+12445090h] 0x00000071 push eax 0x00000072 push eax 0x00000073 push edx 0x00000074 jnl 00007F9D94F79B38h 0x0000007a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4402FD second address: 44030E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C37Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 440600 second address: 440604 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 440604 second address: 440617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9D94F7C37Ah 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460F18 second address: 460F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D94F79B36h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45F50D second address: 45F513 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45F513 second address: 45F522 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D94F79B36h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45F646 second address: 45F64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45F64A second address: 45F654 instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D94F79B36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45F654 second address: 45F677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9D94F7C388h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45F810 second address: 45F816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45FAC1 second address: 45FAC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45FAC6 second address: 45FACB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45FC0E second address: 45FC12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45FD80 second address: 45FD8A instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D94F79B3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45FEE7 second address: 45FEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460041 second address: 46005F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F9D94F79B36h 0x0000000d jmp 00007F9D94F79B41h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46005F second address: 460063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460063 second address: 46008D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F9D94F79B4Ch 0x0000000c jmp 00007F9D94F79B46h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46008D second address: 460093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460093 second address: 4600AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B44h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46066E second address: 460674 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460674 second address: 460678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460678 second address: 46067C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46067C second address: 46068D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007F9D94F79B36h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46068D second address: 460699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 460699 second address: 46069D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4609AA second address: 4609AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4609AE second address: 4609C2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D94F79B36h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnp 00007F9D94F79B42h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4645F2 second address: 4645F7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 464CA9 second address: 464CAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 464CAF second address: 464CB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C39A second address: 46C3A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C3A0 second address: 46C3AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F9D94F7C376h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C3AA second address: 46C3AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46B940 second address: 46B976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jl 00007F9D94F7C376h 0x0000000b jl 00007F9D94F7C376h 0x00000011 jmp 00007F9D94F7C386h 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 jmp 00007F9D94F7C37Ah 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46BAFD second address: 46BB22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Bh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F9D94F79B40h 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C17F second address: 46C1A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F9D94F7C376h 0x0000000a jmp 00007F9D94F7C382h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C1A0 second address: 46C1B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B41h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C1B5 second address: 46C1B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C1B9 second address: 46C1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C1CB second address: 46C1D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C1D3 second address: 46C1D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46C1D7 second address: 46C1DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46E5C4 second address: 46E5C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46E680 second address: 46E686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46F127 second address: 46F12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46F211 second address: 46F217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46F217 second address: 46F21D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46F3F9 second address: 46F41C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jmp 00007F9D94F7C389h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 470206 second address: 47020A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 471D0E second address: 471D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4727FD second address: 472878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F9D94F79B3Fh 0x00000010 nop 0x00000011 mov esi, dword ptr [ebp+122D37B8h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007F9D94F79B38h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 sub esi, 1543832Ah 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push eax 0x0000003e call 00007F9D94F79B38h 0x00000043 pop eax 0x00000044 mov dword ptr [esp+04h], eax 0x00000048 add dword ptr [esp+04h], 00000017h 0x00000050 inc eax 0x00000051 push eax 0x00000052 ret 0x00000053 pop eax 0x00000054 ret 0x00000055 mov si, di 0x00000058 push eax 0x00000059 push ebx 0x0000005a push eax 0x0000005b push edx 0x0000005c push ecx 0x0000005d pop ecx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 475B21 second address: 475B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9D94F7C388h 0x0000000a jmp 00007F9D94F7C382h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F9D94F7C386h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47708A second address: 4770A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F9D94F79B44h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4770A5 second address: 4770A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 477571 second address: 477575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 477575 second address: 47757B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 478619 second address: 47861D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47773F second address: 477746 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47861D second address: 478633 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007F9D94F79B36h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 479504 second address: 47950A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 478786 second address: 47878C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47950A second address: 47950E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47A41F second address: 47A425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47B484 second address: 47B488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47A647 second address: 47A660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9D94F79B41h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47B488 second address: 47B48C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47B48C second address: 47B527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jns 00007F9D94F79B42h 0x0000000e nop 0x0000000f and edi, dword ptr [ebp+122D381Ch] 0x00000015 cmc 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007F9D94F79B38h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 mov bl, dl 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push edx 0x00000039 call 00007F9D94F79B38h 0x0000003e pop edx 0x0000003f mov dword ptr [esp+04h], edx 0x00000043 add dword ptr [esp+04h], 00000016h 0x0000004b inc edx 0x0000004c push edx 0x0000004d ret 0x0000004e pop edx 0x0000004f ret 0x00000050 call 00007F9D94F79B3Fh 0x00000055 js 00007F9D94F79B4Bh 0x0000005b call 00007F9D94F79B44h 0x00000060 pop edi 0x00000061 pop edi 0x00000062 push eax 0x00000063 jo 00007F9D94F79B3Eh 0x00000069 push ebx 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47C683 second address: 47C695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C37Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47D775 second address: 47D783 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F9D94F79B36h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47C695 second address: 47C6B7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9D94F7C37Ch 0x00000008 jo 00007F9D94F7C376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jnp 00007F9D94F7C37Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47E46E second address: 47E472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47D783 second address: 47D79A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D94F7C37Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47D79A second address: 47D7A4 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9D94F79B3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 480431 second address: 4804A0 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D94F7C37Ch 0x00000008 ja 00007F9D94F7C376h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F9D94F7C378h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d mov bx, BE7Dh 0x00000031 push 00000000h 0x00000033 mov dword ptr [ebp+122D1A3Bh], eax 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F9D94F7C378h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 00000019h 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 mov dword ptr [ebp+122D1C59h], esi 0x0000005b xchg eax, esi 0x0000005c jbe 00007F9D94F7C380h 0x00000062 pushad 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48149E second address: 48153A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9D94F79B3Ch 0x00000008 jng 00007F9D94F79B36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F9D94F79B38h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov ebx, dword ptr [ebp+12445449h] 0x00000031 and di, D592h 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007F9D94F79B38h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 0000001Ch 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 or bl, FFFFFFE1h 0x00000055 mov bl, 44h 0x00000057 js 00007F9D94F79B57h 0x0000005d push 00000000h 0x0000005f sub dword ptr [ebp+122D1A0Ah], eax 0x00000065 xchg eax, esi 0x00000066 push eax 0x00000067 push edx 0x00000068 push esi 0x00000069 push eax 0x0000006a push edx 0x0000006b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48153A second address: 48153F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48153F second address: 481549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F9D94F79B36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 481549 second address: 48155B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007F9D94F7C376h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48155B second address: 481565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 481565 second address: 481569 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 47F66F second address: 47F681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 482676 second address: 48268C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D94F7C37Ch 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 484430 second address: 4844A1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D94F79B38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F9D94F79B38h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007F9D94F79B38h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 ja 00007F9D94F79B3Ch 0x00000049 push 00000000h 0x0000004b push eax 0x0000004c and edi, dword ptr [ebp+122D3814h] 0x00000052 pop ebx 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 ja 00007F9D94F79B3Ch 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4844A1 second address: 4844A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4844A5 second address: 4844BB instructions: 0x00000000 rdtsc 0x00000002 js 00007F9D94F79B38h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e jnp 00007F9D94F79B3Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4852F8 second address: 4852FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48740C second address: 487410 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 487410 second address: 487416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 487968 second address: 487972 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F9D94F79B36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 487972 second address: 487976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 487BE2 second address: 487BE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48AAF2 second address: 48AAF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 48AAF6 second address: 48AB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F9D94F79B3Ch 0x0000000e js 00007F9D94F79B36h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4380A7 second address: 4380AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4348F6 second address: 4348FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 491F24 second address: 491F33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnp 00007F9D94F7C37Eh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4921E1 second address: 4921EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49A3BD second address: 49A3C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49A4EC second address: 49A4F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F9D94F79B36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49A60F second address: 49A615 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49A615 second address: 49A619 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49A619 second address: 49A61D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49E4F6 second address: 49E54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F9D94F79B36h 0x0000000a pop ebx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007F9D94F79B44h 0x00000012 jmp 00007F9D94F79B41h 0x00000017 jl 00007F9D94F79B4Fh 0x0000001d jmp 00007F9D94F79B49h 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 49EA4C second address: 49EA5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C37Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A366D second address: 4A3673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3673 second address: 4A3677 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3677 second address: 4A367D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3AE6 second address: 4A3AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F9D94F7C37Eh 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3AFD second address: 4A3B40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007F9D94F79B3Dh 0x00000012 jmp 00007F9D94F79B3Ch 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9D94F79B3Bh 0x0000001f jng 00007F9D94F79B36h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3CE6 second address: 4A3CEA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3E14 second address: 4A3E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3E18 second address: 4A3E1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3E1C second address: 4A3E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D94F79B42h 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push esi 0x00000010 pop esi 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3FAD second address: 4A3FC8 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D94F7C376h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F9D94F7C37Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A3FC8 second address: 4A3FE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Eh 0x00000009 jc 00007F9D94F79B36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A4167 second address: 4A416D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A416D second address: 4A4171 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A4171 second address: 4A4175 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A4175 second address: 4A4198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B43h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F9D94F79B36h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A4198 second address: 4A419C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A419C second address: 4A41A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F9D94F79B36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 458016 second address: 45801A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 45801A second address: 458038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B42h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 458038 second address: 45803C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A9031 second address: 4A905D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F9D94F79B36h 0x0000000a pop ecx 0x0000000b push edi 0x0000000c jnl 00007F9D94F79B36h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 jmp 00007F9D94F79B43h 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46CC3E second address: 4574D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F9D94F7C37Fh 0x00000011 pushad 0x00000012 jbe 00007F9D94F7C376h 0x00000018 push esi 0x00000019 pop esi 0x0000001a popad 0x0000001b popad 0x0000001c nop 0x0000001d mov edx, esi 0x0000001f call dword ptr [ebp+12445F92h] 0x00000025 push ebx 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46D321 second address: 46D326 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46D326 second address: 46D32B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46D4D2 second address: 46D500 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F9D94F79B4Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, esi 0x0000000b mov edi, 62AD1AB7h 0x00000010 nop 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DE8B second address: 46DE96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DF15 second address: 46DF76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 jnc 00007F9D94F79B4Ch 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F9D94F79B38h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 sub dl, FFFFFF81h 0x0000002b lea eax, dword ptr [ebp+12471973h] 0x00000031 nop 0x00000032 pushad 0x00000033 jg 00007F9D94F79B3Ch 0x00000039 push eax 0x0000003a push edx 0x0000003b push edi 0x0000003c pop edi 0x0000003d rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DF76 second address: 46DF7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DF7A second address: 46DF90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 ja 00007F9D94F79B48h 0x0000000e push eax 0x0000000f push edx 0x00000010 jo 00007F9D94F79B36h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DF90 second address: 46DF94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DF94 second address: 458016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push esi 0x0000000a call 00007F9D94F79B38h 0x0000000f pop esi 0x00000010 mov dword ptr [esp+04h], esi 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc esi 0x0000001d push esi 0x0000001e ret 0x0000001f pop esi 0x00000020 ret 0x00000021 mov edi, dword ptr [ebp+122D3824h] 0x00000027 or edx, dword ptr [ebp+122D38F0h] 0x0000002d call dword ptr [ebp+122D1C9Eh] 0x00000033 push edi 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007F9D94F79B3Ah 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A82C1 second address: 4A82D5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F9D94F7C378h 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jns 00007F9D94F7C376h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A82D5 second address: 4A82D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A8596 second address: 4A85CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9D94F7C37Fh 0x0000000a pop eax 0x0000000b jns 00007F9D94F7C3A0h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9D94F7C388h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A85CB second address: 4A85D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D94F79B36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A8750 second address: 4A8765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jo 00007F9D94F7C378h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A8765 second address: 4A876B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4A876B second address: 4A876F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 428C51 second address: 428C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B7570 second address: 4B758B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jc 00007F9D94F7C376h 0x0000000c jmp 00007F9D94F7C37Ah 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B758B second address: 4B75A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B45h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 432D7B second address: 432D7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 432D7F second address: 432D83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 432D83 second address: 432D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B6290 second address: 4B62B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F9D94F79B38h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jns 00007F9D94F79B36h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B62B2 second address: 4B62D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D94F7C382h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B62D0 second address: 4B62D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B62D4 second address: 4B62D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B657B second address: 4B658E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jg 00007F9D94F79B38h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B658E second address: 4B65A4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jc 00007F9D94F7C376h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B65A4 second address: 4B65B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B68B3 second address: 4B68D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F9D94F7C384h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B68D0 second address: 4B68DA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9D94F79B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B6D2F second address: 4B6D35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B7256 second address: 4B7263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F9D94F79B38h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4B7263 second address: 4B726F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jne 00007F9D94F7C376h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BBDF0 second address: 4BBDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BBF46 second address: 4BBF88 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9D94F7C385h 0x00000008 jmp 00007F9D94F7C381h 0x0000000d pop esi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jno 00007F9D94F7C37Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a push esi 0x0000001b pop esi 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BBF88 second address: 4BBF9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B41h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BBF9D second address: 4BBFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC271 second address: 4BC27B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F9D94F79B3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C2CAA second address: 4C2CAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1573 second address: 4C157E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C157E second address: 4C1582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1582 second address: 4C1596 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F9D94F79B3Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C19A1 second address: 4C19B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F9D94F7C37Ch 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1AF3 second address: 4C1AF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1AF7 second address: 4C1B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jo 00007F9D94F7C376h 0x00000012 jbe 00007F9D94F7C376h 0x00000018 push esi 0x00000019 pop esi 0x0000001a jmp 00007F9D94F7C387h 0x0000001f popad 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushad 0x00000024 popad 0x00000025 jc 00007F9D94F7C376h 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1CB1 second address: 4C1CB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1CB5 second address: 4C1CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1CC1 second address: 4C1CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B49h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1CDE second address: 4C1CE4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DACB second address: 46DAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DAD2 second address: 46DAED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C387h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DAED second address: 46DAFF instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D94F79B36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 46DAFF second address: 46DB03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1E35 second address: 4C1E39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1E39 second address: 4C1E3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1FC3 second address: 4C1FC8 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1FC8 second address: 4C1FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jo 00007F9D94F7C37Ch 0x0000000d jg 00007F9D94F7C376h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1FE4 second address: 4C1FE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C1FE8 second address: 4C2000 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jno 00007F9D94F7C376h 0x0000000f pop eax 0x00000010 jnl 00007F9D94F7C37Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C67A6 second address: 4C67B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9D94F79B36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C648E second address: 4C64B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F9D94F7C376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F9D94F7C376h 0x00000013 jmp 00007F9D94F7C37Eh 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C64B6 second address: 4C64BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C9B1A second address: 4C9B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C9C44 second address: 4C9C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C9DA7 second address: 4C9DAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C9DAD second address: 4C9DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D1877 second address: 4D1887 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D1887 second address: 4D18AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B46h 0x00000007 jp 00007F9D94F79B38h 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D18AF second address: 4D18B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D18B3 second address: 4D18BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D18BB second address: 4D18C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D18C1 second address: 4D18D1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9D94F79B36h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D18D1 second address: 4D18D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4CFACF second address: 4CFADB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4CFADB second address: 4CFB11 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007F9D94F7C37Eh 0x0000000f pushad 0x00000010 popad 0x00000011 jne 00007F9D94F7C376h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9D94F7C380h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D0137 second address: 4D013C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D043A second address: 4D043E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D043E second address: 4D0456 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jne 00007F9D94F79B36h 0x0000000d js 00007F9D94F79B36h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D0456 second address: 4D046C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D046C second address: 4D0474 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D5906 second address: 4D590C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4D590C second address: 4D5930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 jmp 00007F9D94F79B45h 0x0000000b pop ebx 0x0000000c jp 00007F9D94F79B3Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E50DA second address: 4E50DF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E50DF second address: 4E50FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F9D94F79B38h 0x00000011 jnc 00007F9D94F79B3Ch 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E338F second address: 4E3393 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E3393 second address: 4E33C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F9D94F79B44h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9D94F79B43h 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E3904 second address: 4E3908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E3908 second address: 4E390E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E3BED second address: 4E3BF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E3BF1 second address: 4E3BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F9D94F79B3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E3BFF second address: 4E3C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E481E second address: 4E4834 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F9D94F79B3Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E2F3F second address: 4E2F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E2F43 second address: 4E2F5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9D94F79B3Bh 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F9D94F79B36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4E2F5C second address: 4E2F8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007F9D94F7C37Ah 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007F9D94F7C37Ah 0x00000017 push eax 0x00000018 pop eax 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007F9D94F7C382h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EB94B second address: 4EB94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EB94F second address: 4EB953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EB953 second address: 4EB959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EB959 second address: 4EB95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EB95F second address: 4EB963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EBBFF second address: 4EBC33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F9D94F7C383h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D94F7C389h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4EBC33 second address: 4EBC47 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007F9D94F79B3Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4F2595 second address: 4F259B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4F8F46 second address: 4F8F57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jp 00007F9D94F79B3Ch 0x0000000b jp 00007F9D94F79B36h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4F8F57 second address: 4F8F63 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9D94F7C37Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FB002 second address: 4FB013 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007F9D94F79B36h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FAB66 second address: 4FAB6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FAB6B second address: 4FAB71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FAB71 second address: 4FAB75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FACC0 second address: 4FACC6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FD3FB second address: 4FD401 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4FD401 second address: 4FD405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 50723B second address: 507247 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnc 00007F9D94F7C376h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 517EF4 second address: 517F18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F9D94F79B3Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 517F18 second address: 517F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 5166D0 second address: 5166D6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 516B0C second address: 516B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C386h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 516CA8 second address: 516CB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D94F79B36h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 516CB4 second address: 516CE2 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9D94F7C37Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a jl 00007F9D94F7C376h 0x00000010 jnp 00007F9D94F7C378h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F9D94F7C382h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 516FCA second address: 516FE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F9D94F79B36h 0x0000000a jmp 00007F9D94F79B3Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 516FE2 second address: 517005 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 ja 00007F9D94F7C376h 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F9D94F7C37Ch 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pushad 0x0000001a popad 0x0000001b pop esi 0x0000001c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 517005 second address: 51700D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 517BD8 second address: 517BF1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F9D94F7C37Fh 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 51CBE4 second address: 51CBE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 51CBE8 second address: 51CBEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 51CBEE second address: 51CBF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 51CBF4 second address: 51CC0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C386h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 51C8B3 second address: 51C8B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 530E2A second address: 530E36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9D94F7C376h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 5295F5 second address: 5295FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 5295FB second address: 529601 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 529601 second address: 529606 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 53FD64 second address: 53FD68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 53FD68 second address: 53FD81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B3Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 53FD81 second address: 53FD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 53FB79 second address: 53FB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F9D94F79B36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557A82 second address: 557A91 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9D94F7C376h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557C15 second address: 557C19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557C19 second address: 557C43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007F9D94F7C37Bh 0x0000000f jmp 00007F9D94F7C37Ch 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557C43 second address: 557C78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F9D94F79B45h 0x0000000a jmp 00007F9D94F79B47h 0x0000000f popad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557C78 second address: 557C97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C37Fh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557C97 second address: 557C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557C9B second address: 557CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F9D94F7C380h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557CB8 second address: 557CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F79B45h 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557CD6 second address: 557CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557CDA second address: 557CE4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D94F79B36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557E35 second address: 557E4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F9D94F7C37Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557E4C second address: 557E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 557E55 second address: 557E59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 55810C second address: 558110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 558110 second address: 55813F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C383h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007F9D94F7C376h 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007F9D94F7C37Ch 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 55BBD3 second address: 55BBDD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F9D94F79B3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 55BBDD second address: 55BC19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jbe 00007F9D94F7C37Ah 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 jmp 00007F9D94F7C385h 0x00000016 mov eax, dword ptr [eax] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F9D94F7C37Eh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 55E7BB second address: 55E7C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 55E7C1 second address: 55E7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C384h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 55E7D9 second address: 55E7E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0F34 second address: 4BF0F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0F3A second address: 4BF0F3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0F3E second address: 4BF0F94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F9D94F7C384h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9D94F7C37Eh 0x00000018 or esi, 16FD0D68h 0x0000001e jmp 00007F9D94F7C37Bh 0x00000023 popfd 0x00000024 push esi 0x00000025 pop edx 0x00000026 popad 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007F9D94F7C37Dh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0F94 second address: 4BF0FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0FA4 second address: 4BF0FCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F9D94F7C380h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0FCA second address: 4BF0FD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0C8E second address: 4BE0C94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0C94 second address: 4BE0C98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0C98 second address: 4BE0CE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9D94F7C383h 0x00000012 adc si, 0EFEh 0x00000017 jmp 00007F9D94F7C389h 0x0000001c popfd 0x0000001d call 00007F9D94F7C380h 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0CE9 second address: 4BE0D2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9D94F79B3Eh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 movsx ebx, cx 0x00000013 pushfd 0x00000014 jmp 00007F9D94F79B42h 0x00000019 add ecx, 50FB3788h 0x0000001f jmp 00007F9D94F79B3Bh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0D2B second address: 4BE0D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D94F7C37Fh 0x00000009 add cl, FFFFFFCEh 0x0000000c jmp 00007F9D94F7C389h 0x00000011 popfd 0x00000012 mov dh, al 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9D94F7C386h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0D7A second address: 4BE0D90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0D90 second address: 4BE0D94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0D94 second address: 4BE0DAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20DD0 second address: 4C20DEA instructions: 0x00000000 rdtsc 0x00000002 mov si, 971Fh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dl, cl 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dh, al 0x0000000f mov cx, bx 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20DEA second address: 4C20E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20E06 second address: 4C20E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC00B3 second address: 4BC00B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC00B7 second address: 4BC00BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC00BD second address: 4BC00E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 4EE9FDF3h 0x00000008 mov dh, cl 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e jmp 00007F9D94F79B40h 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 movsx edx, si 0x0000001c push esi 0x0000001d pop edi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC00E7 second address: 4BC00F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C37Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC00F9 second address: 4BC0123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9D94F79B45h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC01BB second address: 4BC01CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C37Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A6A second address: 4BE0A6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A6E second address: 4BE0A74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A74 second address: 4BE0A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A7A second address: 4BE0A7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A7E second address: 4BE0A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A8D second address: 4BE0A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0A91 second address: 4BE0AA7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0AA7 second address: 4BE0AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0AAD second address: 4BE0AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0AB1 second address: 4BE0AB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0792 second address: 4BE07A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE07A2 second address: 4BE07A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE06C8 second address: 4BE06E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D94F79B3Bh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE06E7 second address: 4BE06ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE044B second address: 4BE044F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE044F second address: 4BE0453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0453 second address: 4BE0459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0459 second address: 4BE045F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE045F second address: 4BE0463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF015F second address: 4BF0163 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0163 second address: 4BF0169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0169 second address: 4BF0190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov eax, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F9D94F7C380h 0x00000011 mov dword ptr [esp], ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 mov dh, 45h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20D05 second address: 4C20D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20D09 second address: 4C20D0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20D0F second address: 4C20D27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 6D78h 0x00000007 mov cx, bx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov si, 54CBh 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20D27 second address: 4C20D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C00227 second address: 4C0027A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 call 00007F9D94F79B3Ah 0x0000000b pop eax 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F9D94F79B41h 0x00000015 mov ebp, esp 0x00000017 pushad 0x00000018 pushad 0x00000019 mov dx, cx 0x0000001c movzx esi, bx 0x0000001f popad 0x00000020 movsx edx, si 0x00000023 popad 0x00000024 mov eax, dword ptr [ebp+08h] 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F9D94F79B49h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C0027A second address: 4C0028A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C37Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0615 second address: 4BE062D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE062D second address: 4BE0649 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F9D94F7C37Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0649 second address: 4BE065A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov si, C79Fh 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE065A second address: 4BE066D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007F9D94F7C37Dh 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE066D second address: 4BE0673 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BE0673 second address: 4BE0689 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9D94F7C37Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0E8E second address: 4BF0E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0E92 second address: 4BF0E98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C000AD second address: 4C000EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 22433398h 0x00000008 mov dh, F1h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f mov cx, dx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushfd 0x00000015 jmp 00007F9D94F79B3Bh 0x0000001a and ax, 945Eh 0x0000001f jmp 00007F9D94F79B49h 0x00000024 popfd 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C000EC second address: 4C00109 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 7FFA1D27h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F9D94F7C37Ah 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C00109 second address: 4C0010D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C0010D second address: 4C00113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C202AE second address: 4C202B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C202B2 second address: 4C202B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C202B8 second address: 4C202E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F9D94F79B40h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C202E0 second address: 4C202E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C202E4 second address: 4C20300 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B48h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20300 second address: 4C2034D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, C9h 0x00000005 jmp 00007F9D94F7C37Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F9D94F7C380h 0x00000013 mov ebp, esp 0x00000015 jmp 00007F9D94F7C380h 0x0000001a xchg eax, ecx 0x0000001b pushad 0x0000001c mov esi, 11B072CDh 0x00000021 mov ah, 6Eh 0x00000023 popad 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F9D94F7C37Bh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C2034D second address: 4C20396 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F9D94F79B3Eh 0x0000000f mov eax, dword ptr [76FB65FCh] 0x00000014 jmp 00007F9D94F79B40h 0x00000019 test eax, eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20396 second address: 4C203B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C203B3 second address: 4C203F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push edx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F9E0728D0DFh 0x00000010 jmp 00007F9D94F79B45h 0x00000015 mov ecx, eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F9D94F79B48h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C203F6 second address: 4C20405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20405 second address: 4C2042B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C2042B second address: 4C20431 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20431 second address: 4C20463 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 adc esi, 07532888h 0x0000000f jmp 00007F9D94F79B3Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 and ecx, 1Fh 0x0000001b pushad 0x0000001c mov al, C6h 0x0000001e push eax 0x0000001f push edx 0x00000020 mov ebx, 5DBE0282h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C20463 second address: 4C2049F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C383h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a ror eax, cl 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 mov dh, 63h 0x00000012 popad 0x00000013 leave 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 call 00007F9D94F7C385h 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C2049F second address: 4C204F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c nop 0x0000000d mov esi, eax 0x0000000f lea eax, dword ptr [ebp-08h] 0x00000012 xor esi, dword ptr [002C2014h] 0x00000018 push eax 0x00000019 push eax 0x0000001a push eax 0x0000001b lea eax, dword ptr [ebp-10h] 0x0000001e push eax 0x0000001f call 00007F9D99919FF9h 0x00000024 push FFFFFFFEh 0x00000026 pushad 0x00000027 jmp 00007F9D94F79B3Ch 0x0000002c movzx eax, bx 0x0000002f popad 0x00000030 pop eax 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 pushad 0x00000035 popad 0x00000036 pushfd 0x00000037 jmp 00007F9D94F79B44h 0x0000003c adc si, CD38h 0x00000041 jmp 00007F9D94F79B3Bh 0x00000046 popfd 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C204F3 second address: 4C204F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C204F9 second address: 4C204FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C204FD second address: 4C205B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007F9D9991C88Eh 0x00000013 mov edi, edi 0x00000015 pushad 0x00000016 call 00007F9D94F7C384h 0x0000001b mov ebx, esi 0x0000001d pop esi 0x0000001e pushfd 0x0000001f jmp 00007F9D94F7C387h 0x00000024 and ecx, 3C72850Eh 0x0000002a jmp 00007F9D94F7C389h 0x0000002f popfd 0x00000030 popad 0x00000031 xchg eax, ebp 0x00000032 jmp 00007F9D94F7C37Eh 0x00000037 push eax 0x00000038 pushad 0x00000039 mov esi, edx 0x0000003b call 00007F9D94F7C37Dh 0x00000040 pop ecx 0x00000041 popad 0x00000042 xchg eax, ebp 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007F9D94F7C389h 0x0000004a xor cl, 00000056h 0x0000004d jmp 00007F9D94F7C381h 0x00000052 popfd 0x00000053 push eax 0x00000054 push edx 0x00000055 push esi 0x00000056 pop edi 0x00000057 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0076 second address: 4BD007C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD007C second address: 4BD0080 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0080 second address: 4BD00DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F9D94F79B40h 0x0000000e push eax 0x0000000f jmp 00007F9D94F79B3Bh 0x00000014 xchg eax, ecx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9D94F79B44h 0x0000001c or cl, 00000078h 0x0000001f jmp 00007F9D94F79B3Bh 0x00000024 popfd 0x00000025 mov ah, 15h 0x00000027 popad 0x00000028 push ebx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F9D94F79B3Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD00DD second address: 4BD00EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD00EC second address: 4BD0175 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bl, D3h 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebx 0x0000000d jmp 00007F9D94F79B3Ch 0x00000012 mov ebx, dword ptr [ebp+10h] 0x00000015 jmp 00007F9D94F79B40h 0x0000001a xchg eax, esi 0x0000001b jmp 00007F9D94F79B40h 0x00000020 push eax 0x00000021 pushad 0x00000022 mov dx, FF44h 0x00000026 mov eax, edi 0x00000028 popad 0x00000029 xchg eax, esi 0x0000002a jmp 00007F9D94F79B3Fh 0x0000002f mov esi, dword ptr [ebp+08h] 0x00000032 jmp 00007F9D94F79B46h 0x00000037 xchg eax, edi 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F9D94F79B47h 0x0000003f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0175 second address: 4BD017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD017B second address: 4BD017F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD017F second address: 4BD018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD018D second address: 4BD0193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0193 second address: 4BD0198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0198 second address: 4BD019E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD019E second address: 4BD01C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9D94F7C389h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD01C2 second address: 4BD027A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9D94F79B47h 0x00000008 jmp 00007F9D94F79B48h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 test esi, esi 0x00000012 jmp 00007F9D94F79B40h 0x00000017 je 00007F9E072D7F42h 0x0000001d jmp 00007F9D94F79B40h 0x00000022 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000029 jmp 00007F9D94F79B40h 0x0000002e je 00007F9E072D7F2Bh 0x00000034 pushad 0x00000035 mov dl, ch 0x00000037 pushfd 0x00000038 jmp 00007F9D94F79B43h 0x0000003d sub ch, FFFFFFFEh 0x00000040 jmp 00007F9D94F79B49h 0x00000045 popfd 0x00000046 popad 0x00000047 mov edx, dword ptr [esi+44h] 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD027A second address: 4BD027E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD027E second address: 4BD0284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0284 second address: 4BD02B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F9D94F7C380h 0x00000011 test edx, 61000000h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD02B9 second address: 4BD02BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD02BD second address: 4BD02DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD02DA second address: 4BD02EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC079E second address: 4BC07B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C385h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC07B7 second address: 4BC07E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F9D94F79B3Ah 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F9D94F79B40h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 mov cl, 75h 0x0000001b pushad 0x0000001c mov di, 43DCh 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC07E9 second address: 4BC07FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 and esp, FFFFFFF8h 0x00000009 pushad 0x0000000a mov si, bx 0x0000000d push eax 0x0000000e push edx 0x0000000f mov eax, edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC07FA second address: 4BC081B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC081B second address: 4BC081F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC081F second address: 4BC0823 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0823 second address: 4BC0829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0829 second address: 4BC082F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC082F second address: 4BC0833 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0833 second address: 4BC0854 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9D94F79B46h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0854 second address: 4BC085A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC085A second address: 4BC085E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC085E second address: 4BC0862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0862 second address: 4BC0873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push esi 0x0000000d pop ebx 0x0000000e mov cl, 86h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0873 second address: 4BC0879 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0879 second address: 4BC087D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC087D second address: 4BC08C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C382h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F9D94F7C380h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov ax, bx 0x00000016 jmp 00007F9D94F7C37Dh 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F9D94F7C37Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC08C9 second address: 4BC0904 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 318BA6A2h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e jmp 00007F9D94F79B44h 0x00000013 sub ebx, ebx 0x00000015 jmp 00007F9D94F79B41h 0x0000001a test esi, esi 0x0000001c pushad 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0904 second address: 4BC090A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC090A second address: 4BC094F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F9D94F79B46h 0x0000000a popad 0x0000000b je 00007F9E072DF59Eh 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F9D94F79B3Eh 0x00000018 sub ah, FFFFFFF8h 0x0000001b jmp 00007F9D94F79B3Bh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC094F second address: 4BC0953 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0953 second address: 4BC096A instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4F69014Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC096A second address: 4BC0970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0970 second address: 4BC09AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D94F79B40h 0x00000009 xor cx, C988h 0x0000000e jmp 00007F9D94F79B3Bh 0x00000013 popfd 0x00000014 mov dl, ch 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ecx, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F9D94F79B3Dh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC09AD second address: 4BC09B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC09B1 second address: 4BC09B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC09B7 second address: 4BC09E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F9E072E1D52h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F9D94F7C387h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC09E6 second address: 4BC0A99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 pushad 0x00000011 mov bx, cx 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 jne 00007F9E072DF4DAh 0x0000001e jmp 00007F9D94F79B3Bh 0x00000023 mov edx, dword ptr [ebp+0Ch] 0x00000026 jmp 00007F9D94F79B46h 0x0000002b xchg eax, ebx 0x0000002c pushad 0x0000002d movzx eax, di 0x00000030 call 00007F9D94F79B43h 0x00000035 pushfd 0x00000036 jmp 00007F9D94F79B48h 0x0000003b adc eax, 1C9667C8h 0x00000041 jmp 00007F9D94F79B3Bh 0x00000046 popfd 0x00000047 pop ecx 0x00000048 popad 0x00000049 push eax 0x0000004a push eax 0x0000004b push edx 0x0000004c jmp 00007F9D94F79B45h 0x00000051 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0A99 second address: 4BC0B29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushad 0x0000000c call 00007F9D94F7C389h 0x00000011 pop esi 0x00000012 popad 0x00000013 pushfd 0x00000014 jmp 00007F9D94F7C381h 0x00000019 sub al, FFFFFFA6h 0x0000001c jmp 00007F9D94F7C381h 0x00000021 popfd 0x00000022 popad 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov si, di 0x0000002a pushfd 0x0000002b jmp 00007F9D94F7C37Fh 0x00000030 sub ch, FFFFFFDEh 0x00000033 jmp 00007F9D94F7C389h 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0B29 second address: 4BC0B39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0B39 second address: 4BC0B93 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F9D94F7C389h 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 movsx ebx, ax 0x00000018 pushfd 0x00000019 jmp 00007F9D94F7C384h 0x0000001e adc esi, 543C3B98h 0x00000024 jmp 00007F9D94F7C37Bh 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0BE1 second address: 4BC0C52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F9D94F79B3Ch 0x00000011 adc cl, FFFFFFE8h 0x00000014 jmp 00007F9D94F79B3Bh 0x00000019 popfd 0x0000001a pushad 0x0000001b mov edi, ecx 0x0000001d mov bx, cx 0x00000020 popad 0x00000021 popad 0x00000022 pop ebx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007F9D94F79B3Ah 0x0000002a xor ah, 00000048h 0x0000002d jmp 00007F9D94F79B3Bh 0x00000032 popfd 0x00000033 mov dx, si 0x00000036 popad 0x00000037 mov esp, ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F9D94F79B3Ch 0x00000042 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C52 second address: 4BC0C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C56 second address: 4BC0C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C5C second address: 4BC0C62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C62 second address: 4BC0C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C66 second address: 4BC0C8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C8B second address: 4BC0C8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C8F second address: 4BC0C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BC0C95 second address: 4BC0C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0D96 second address: 4BD0D9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0D9C second address: 4BD0DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0DA0 second address: 4BD0E04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov si, di 0x0000000d mov ax, bx 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F9D94F7C37Dh 0x00000019 or esi, 7EBDEE96h 0x0000001f jmp 00007F9D94F7C381h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F9D94F7C380h 0x0000002b sbb cx, AEB8h 0x00000030 jmp 00007F9D94F7C37Bh 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0E04 second address: 4BD0E08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0E08 second address: 4BD0E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0E0C second address: 4BD0E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0B49 second address: 4BD0B4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BD0B4F second address: 4BD0B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C506A6 second address: 4C506AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C506AC second address: 4C506B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C506B0 second address: 4C506C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C506C8 second address: 4C506E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C506E3 second address: 4C50764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F9D94F7C37Fh 0x00000009 xor cl, FFFFFF8Eh 0x0000000c jmp 00007F9D94F7C389h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F9D94F7C380h 0x00000018 xor ecx, 58A47E08h 0x0000001e jmp 00007F9D94F7C37Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 push eax 0x00000028 pushad 0x00000029 push edx 0x0000002a mov esi, 6D1DDD11h 0x0000002f pop esi 0x00000030 mov bl, 0Ch 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 jmp 00007F9D94F7C386h 0x00000039 mov ebp, esp 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C50764 second address: 4C50768 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C50768 second address: 4C50785 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C389h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40A71 second address: 4C40ACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, E5h 0x00000005 mov ebx, eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pushfd 0x0000000e jmp 00007F9D94F79B3Eh 0x00000013 xor eax, 43645FF8h 0x00000019 jmp 00007F9D94F79B3Bh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 mov edi, 0049A33Ch 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 pushad 0x00000028 mov di, 1DD4h 0x0000002c mov di, 4340h 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007F9D94F79B3Fh 0x00000038 pop ebp 0x00000039 pushad 0x0000003a mov edx, esi 0x0000003c pushad 0x0000003d mov ebx, ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40DD8 second address: 4C40DDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40DDE second address: 4C40DE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40DE2 second address: 4C40E01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D94F7C381h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40E7A second address: 4C40E90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov dx, D6F6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d movzx eax, al 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40E90 second address: 4C40E96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40E96 second address: 4C40EA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4C40EA6 second address: 4C40ECF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9D94F7C385h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF05AD second address: 4BF05B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF05B1 second address: 4BF05B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF05B7 second address: 4BF05BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF05BD second address: 4BF05C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF06F1 second address: 4BF0740 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 7FC6h 0x00000007 pushfd 0x00000008 jmp 00007F9D94F79B47h 0x0000000d sbb ch, 0000004Eh 0x00000010 jmp 00007F9D94F79B49h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 nop 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F9D94F79B3Dh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0740 second address: 4BF07A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C381h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F9D94F7C381h 0x0000000f nop 0x00000010 jmp 00007F9D94F7C37Eh 0x00000015 sub esp, 1Ch 0x00000018 pushad 0x00000019 mov al, 8Bh 0x0000001b popad 0x0000001c xchg eax, ebx 0x0000001d jmp 00007F9D94F7C384h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F9D94F7C37Dh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF07A4 second address: 4BF07AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF07AA second address: 4BF07C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F7C383h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF07C1 second address: 4BF07C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF07C5 second address: 4BF07E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D94F7C387h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF07E9 second address: 4BF07EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF07EF second address: 4BF083E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C384h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F9D94F7C380h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov si, dx 0x00000014 push edi 0x00000015 mov esi, 20B8537Fh 0x0000001a pop ecx 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e push edx 0x0000001f mov bl, al 0x00000021 pop ebx 0x00000022 movzx eax, dx 0x00000025 popad 0x00000026 push edx 0x00000027 pushad 0x00000028 movzx esi, bx 0x0000002b popad 0x0000002c mov dword ptr [esp], edi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF083E second address: 4BF0842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0842 second address: 4BF085E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF085E second address: 4BF0870 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9D94F79B3Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0870 second address: 4BF0918 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C37Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [76FBB370h] 0x00000010 pushad 0x00000011 push eax 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pushfd 0x00000016 jmp 00007F9D94F7C37Eh 0x0000001b and si, 2288h 0x00000020 jmp 00007F9D94F7C37Bh 0x00000025 popfd 0x00000026 popad 0x00000027 xor dword ptr [ebp-08h], eax 0x0000002a jmp 00007F9D94F7C386h 0x0000002f xor eax, ebp 0x00000031 jmp 00007F9D94F7C381h 0x00000036 nop 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a jmp 00007F9D94F7C383h 0x0000003f pushfd 0x00000040 jmp 00007F9D94F7C388h 0x00000045 adc cl, FFFFFFA8h 0x00000048 jmp 00007F9D94F7C37Bh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0918 second address: 4BF091E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF091E second address: 4BF0992 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ebx, esi 0x0000000c pushad 0x0000000d mov edi, esi 0x0000000f pushfd 0x00000010 jmp 00007F9D94F7C382h 0x00000015 adc ecx, 7FE44738h 0x0000001b jmp 00007F9D94F7C37Bh 0x00000020 popfd 0x00000021 popad 0x00000022 popad 0x00000023 nop 0x00000024 jmp 00007F9D94F7C386h 0x00000029 lea eax, dword ptr [ebp-10h] 0x0000002c jmp 00007F9D94F7C380h 0x00000031 mov dword ptr fs:[00000000h], eax 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F9D94F7C37Ah 0x00000040 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0992 second address: 4BF0996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0996 second address: 4BF099C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF099C second address: 4BF09A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF09A2 second address: 4BF09A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF09A6 second address: 4BF0A04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c mov dh, cl 0x0000000e mov dx, 0672h 0x00000012 popad 0x00000013 mov eax, dword ptr [esi+10h] 0x00000016 jmp 00007F9D94F79B49h 0x0000001b test eax, eax 0x0000001d jmp 00007F9D94F79B3Eh 0x00000022 jne 00007F9E07248E75h 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F9D94F79B47h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0A04 second address: 4BF0A4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, 00000000h 0x0000000f jmp 00007F9D94F7C37Ch 0x00000014 mov dword ptr [ebp-20h], eax 0x00000017 jmp 00007F9D94F7C380h 0x0000001c mov ebx, dword ptr [esi] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F9D94F7C387h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0A4D second address: 4BF0AAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F79B49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-24h], ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F9D94F79B43h 0x00000015 sbb eax, 37E64F4Eh 0x0000001b jmp 00007F9D94F79B49h 0x00000020 popfd 0x00000021 mov eax, 24EF9757h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0AAA second address: 4BF0AAF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g082Q9DajU.exe	RDTSC instruction interceptor: First address: 4BF0AAF second address: 4BF0B16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F9D94F79B49h 0x0000000a jmp 00007F9D94F79B3Bh 0x0000000f popfd 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 test ebx, ebx 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9D94F79B44h 0x0000001c or cl, 00000058h 0x0000001f jmp 00007F9D94F79B3Bh 0x00000024 popfd 0x00000025 mov ah, 2Eh 0x00000027 popad 0x00000028 je 00007F9E07248CADh 0x0000002e pushad 0x0000002f mov si, dx 0x00000032 push eax 0x00000033 push edx 0x00000034 mov bx, B81Eh 0x00000038 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: E7EA37 second address: E7EA41 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F9D94F7C37Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FEE081 second address: FEE085 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FECFDA second address: FED00F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9D94F7C385h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9D94F7C388h 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FED324 second address: FED328 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FE64DC second address: FE64E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FED5C1 second address: FED5D4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F9D94F79B3Bh 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FED73A second address: FED74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F9D94F7C376h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jp 00007F9D94F7C376h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FF014F second address: FF0154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FF0154 second address: FF018A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9D94F7C388h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b pushad 0x0000000c jmp 00007F9D94F7C383h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FF018A second address: FF018E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FF0237 second address: FF023C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	RDTSC instruction interceptor: First address: FF023C second address: FF0242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Special instruction interceptor: First address: 2CE9D4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Special instruction interceptor: First address: 2CEA83 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Special instruction interceptor: First address: 48B5CF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Special instruction interceptor: First address: 4633BC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Special instruction interceptor: First address: 46CD6D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Special instruction interceptor: First address: 4F2EDF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E7E9D4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E7EA83 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 103B5CF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 10133BC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 101CD6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 10A2EDF instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: 2720000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 29C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 28E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: FD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: 2A10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Memory allocated: 2430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Memory allocated: 2680000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Memory allocated: 2490000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Memory allocated: 2840000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Memory allocated: 29E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Memory allocated: 49E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory allocated: 1040000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory allocated: 1AD50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Memory allocated: AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Memory allocated: 4700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Memory allocated: 2570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Memory allocated: 27B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 860000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 1A4E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Memory allocated: 23D56D70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Memory allocated: 23D70800000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 12D0000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 1ACE0000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 16F0000 memory reserve \| memory write watch
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: 1B210000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\g082Q9DajU.exe

Code function: 0_2_04C40E1B rdtsc

0_2_04C40E1B

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 180000

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 634	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 750	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 4097	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3377	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6373	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Window / User API: threadDelayed 1478
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Window / User API: threadDelayed 3531
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Window / User API: threadDelayed 3090
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Window / User API: threadDelayed 1008

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rgqzVBZOCfumjeaMDHRm.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\joffer2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000019001\joffer2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Evasive API call chain: GetLocalTime,DecisionNodes

graph_15-36889

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	API coverage: 0.0 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API coverage: 9.8 %
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	API coverage: 3.6 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7908	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7908	Thread sleep time: -94047s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7880	Thread sleep count: 634 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7880	Thread sleep time: -1268634s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7864	Thread sleep count: 195 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7864	Thread sleep time: -5850000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7884	Thread sleep count: 750 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7884	Thread sleep time: -1500750s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7980	Thread sleep time: -1080000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7896	Thread sleep count: 4097 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7896	Thread sleep time: -8198097s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7884	Thread sleep count: 60 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7884	Thread sleep time: -120060s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe TID: 8176	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7740	Thread sleep time: -34126476536362649s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe TID: 6692	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe TID: 7580	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe TID: 8012	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe TID: 8004	Thread sleep count: 1478 > 30
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe TID: 8004	Thread sleep count: 3531 > 30
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe TID: 2504	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe TID: 8176	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe TID: 4500	Thread sleep time: -36000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe TID: 7564	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7560	Thread sleep time: -1290000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 3372	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7652	Thread sleep time: -540000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe TID: 7560	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe TID: 2300	Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe TID: 4284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 1612	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe TID: 7216	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 3544	Thread sleep count: 194 > 30
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 3544	Thread sleep time: -5820000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 1148	Thread sleep time: -1620000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe TID: 3544	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe TID: 2920	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : Select Name from Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\g082Q9DajU.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C27C40 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

15_2_00C27C40

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Thread delayed: delay time: 30000

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	File opened: C:\Users\user\AppData\Local

Source: axplong.exe, axplong.exe, 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW87
Source: runtime.exe, 00000023.00000002.3098270995.000000001CB64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	Binary or memory string: ParallelsVirtualMachine
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW/aE
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe`,^q
Source: BitLockerToGo.exe, 00000025.00000003.2305204277.0000000002955000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWn
Source: needmoney.exe, 00000016.00000000.2051744308.0000000000401000.00000020.00000001.01000000.00000018.sdmp, needmoney.exe.3.dr	Binary or memory string: QEMUU
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.000000000090E000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2136179467.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2826736221.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000002.3076415418.000000000146E000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2107038035.00000000014A7000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000002.3077416090.00000000014BF000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2791264388.00000000014B1000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: runtime.exe, 00000023.00000002.3098270995.000000001CB64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: runtime.exe, 00000019.00000002.2196071148.0000000000E92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll,
Source: AppLaunch.exe, 0000001D.00000002.3056256702.0000000004C87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000007.00000002.2017032806.0000000005C9F000.00000004.00000020.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2470566085.00000000009EA000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3049569741.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3298753895.0000023D71423000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 00000027.00000002.2359188275.0000000000F08000.00000004.00000020.00020000.00000000.sdmp, Amadeus.exe, 0000002C.00000002.2554285048.00000000016FC000.00000004.00000020.00020000.00000000.sdmp, runtime.exe, 0000002F.00000002.2522686401.00000000014C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: vzVy6ZevhK.exe, 0000000D.00000002.2048287341.00000000064A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
Source: Hkbsse.exe, 0000002D.00000002.3061861979.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW ;
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	Binary or memory string: xmlphpvlczpl wpl xpacketimport hrefXML:NAMESPACEaid DOCTYPE ELEMENT ENTITY -- <mdb:mork:zAFDR aom saved from url=(-->xmlns=jobwmlRDFnzbsvgkmlgpxCaRxslJDFrssRSStagTAGXMIlmxloclogIMGtmxosmX3DVERCFLRCCncxxbkSCFrtcpseSDOmapnviofcasxdivLogopmlsmilrootpgmlxfdfXFDLBASEtei2xbeljnlpdgmlfeedFEEDinfobeancasevxmlsesxnotesitetasklinkxbrlGAEBXZFXFormqgisSMAIHDMLjsonpsplbodyheadmetadictdocuembedplistTEI.2xliffformsQBXMLTypeseaglehtml5myapptablestyleentrygroupLXFMLwindowdialogSchemaschemacommonCanvaslayoutobjectFFDataReporttaglibARCXMLgnc-v2modulerobloxXDFV:4Xara3DLayoutRDCManattachwidgetreportSchemewebbuyloaderdeviceRDF:RDFweb:RDFoverlayprojectProjectabiwordxdp:xdpsvg:svgCOLLADASOFTPKGfo:rootlm:lmxarchivecollagelibraryHelpTOCpackagesiteMapen-noteFoundryweblinkReportssharingWebPartTestRunpopularsnippetwhpropsQBWCXMLcontentkml:kmlSDOListkDRouteFormSetactionslookupssectionns2:gpxPaletteCatalogProfileTreePadMIFFileKeyFilepayloadPresetsstringsdocumentDocumentNETSCAPEmetalinkresourcenewsItemhtmlplusEnvelopeplandatamoleculelicensesDatabasebindingsWorkbookPlaylistBookFileTimeLinejsp:rootbrowsersfotobookMTSScenemessengercomponentc:contactr:licensex:xmpmetadiscoveryERDiagramWorksheetcrickgridHelpIndexWinampXMLrecoIndexTomTomTocen-exportAnswerSetwinzipjobmuseScorePHONEBOOKm:myListsedmx:EdmxYNABData1workspacePlacemarkMakerFileoor:itemsscriptletcolorBookSignaturexsd:schemadlg:windowFinalDraftVirtualBoxTfrxReportVSTemplateWhiteboardstylesheetBurnWizarddictionaryPCSettingsRedlineXMLBackupMetaxbrli:xbrlFontFamilys:WorkbookFictionBookdia:diagramdefinitionsNmfDocumentSnippetRootSEC:SECMetanet:NetfileCustSectionDieCutLabelPremierDataUserControljsp:includess:Workbookapplicationjsp:useBeancfcomponentparticipantSessionFilejasperReporthelpdocumentxsl:documentxsl:templatePremiereDataSettingsFileCodeSnippetsFileInstancetpmOwnerDataDataTemplateProject_DataTfrReportBSAnote:notepadFieldCatalogUserSettingsgnm:WorkbookLIBRARY_ITEMDocumentDatamso:customUIpicasa2albumrnpddatabasepdfpreflightrn-customizecml:moleculemuveeProjectRelationshipsVisioDocumentxsl:transformD:multistatusKMYMONEY-FILEBackupCatalogfile:ManifestPocketMindMapDiagramLayoutannotationSetLEAPTOFROGANSpublic:attachsoap:EnvelopepersistedQuerymx:ApplicationOverDriveMediaasmv1:assemblyHelpCollectionQvdTableHeaderSCRIBUSUTF8NEWw:wordDocumentPADocumentRootConfigMetadataBorlandProjectDTS:ExecutableMMC_ConsoleFilelibrary:libraryglade-interfacerg:licenseGroupdisco:discoveryAdobeSwatchbookaudacityprojectoffice:documentCoolpixTransfersqueeze_projectwirelessProfileProjectFileInfowsdl:definitionsScrivenerProjectfulfillmentTokenkey:presentationdynamicDiscoverylibrary:librariesClickToDvdProjectDataCladFileStorechat_api_responseMyApplicationDataKeyboardShortcutsDeepBurner_recordXmlTransformationdata.vos.BudgetVOIRIDASCompositionpresentationClipsoor:component-datalibraryDescriptionPowerShellMetadataResourceDictionaryxsf:xDocumentClassoffice:color-tableVisualStudioProjectActiveReportsLayoutwap-provisioningdocAfterEffectsProjectoor:component-sch
Source: RegAsm.exe, 0000000A.00000002.1884009401.0000000000479000.00000040.00000400.00020000.00000000.sdmp, c4W13ZFj1P.exe, 0000000B.00000000.1882466924.00000000002D2000.00000002.00000001.01000000.0000000D.sdmp	Binary or memory string: HgFSVDCVdb86m2CfHM1
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000027B0000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.0000000002830000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\^q
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Amadeus.exe, 00000018.00000002.2273348013.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: svchost015.exe, 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: runtime.exe, 00000023.00000002.3098270995.000000001CB64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: S tup.exe, 00000015.00000002.3068224934.0000000000882000.00000002.00000001.01000000.00000017.sdmp	Binary or memory string: Steam\Riot Games\PC Manager StoreMAGIXTeamViewer%d x %dwebcachewebcache2ForagerWindows MailCLR_v4.0_32PanasonicjavaSUPERAntiSpywareVMwareFree_PDF_SolutionsThinkBuzanMSBuildInputPersonalizationWarThunderOverwolf\user_data#2user_data#3user_data#4Valve Corporation.ACEStreamasus_framework11.0.2RazerWaves AudioFiveMcoinbitF:E:C:D:Windows Vista %wSCodeBlocksPycharmProjects.pdfSony3uToolsCiscoSparkLauncherPowerISOPower BI Desktop Store AppDropboxOEMWebExCLR_v2.0_32VirtualStoreCLR_v2.0.arduinoIDEarduino-ide.package-manager.dartServer
Source: g082Q9DajU.exe, 00000000.00000002.1723738635.0000000000445000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1748496629.0000000000FF5000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000002.00000002.1749587449.0000000000FF5000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Channel3.exe, 00000026.00000002.3070824295.0000000000881000.00000002.00000001.01000000.00000023.sdmp	Binary or memory string: VMwareAviraOxygen - Atomic Crypto WalletYoroiPolkadot{.js} extensionSolflare WalletSui WalletBitwarden - Free Password ManagerLastPass - Free Password ManagerEnkrypt - Multichain Crypto WalletRabby WalletAuthyCrypto.com - Wallet ExtensionZilPayExodus Web3 WalletTrust WalletMartian Aptos & Sui Wallet ExtensionOKX WalletAuthenticatorBackpackXverse WalletUniSat WalletTonkeeper - wallet for TONSafePal Extension WalletKeplrTemple - Tezos WalletMEW CXJaxx LibertyGuarda WalletSollet WalletTrezor Password ManagerUnknown Walletcom.adobe.dunamisBraavos Smart WalletCiscoSparkLauncherWebExCiscoSparkarduino-ideMetaMaskCanonadspower_globalcwd_global

Source: C:\Users\user\Desktop\g082Q9DajU.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\g082Q9DajU.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\g082Q9DajU.exe

Code function: 0_2_04C40E1B rdtsc

0_2_04C40E1B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_06537BD8 LdrInitializeThunk,

7_2_06537BD8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_00407AF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

10_2_00407AF1

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C4BDF9 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

15_2_00C4BDF9

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E4645B mov eax, dword ptr fs:[00000030h]	3_2_00E4645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 3_2_00E4A1C2 mov eax, dword ptr fs:[00000030h]	3_2_00E4A1C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0041913C mov eax, dword ptr fs:[00000030h]	10_2_0041913C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00411496 mov ecx, dword ptr fs:[00000030h]	10_2_00411496
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C5A0F2 mov eax, dword ptr fs:[00000030h]	15_2_00C5A0F2
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C5638B mov eax, dword ptr fs:[00000030h]	15_2_00C5638B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_0041EFC8 GetProcessHeap,

10_2_0041EFC8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00407AF1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00407AF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00407C53 SetUnhandledExceptionFilter,	10_2_00407C53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_00407D65 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00407D65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 10_2_0040DD68 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0040DD68
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C5690E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00C5690E
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C3D048 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00C3D048
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C3DA05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_00C3DA05
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C3DB6A SetUnhandledExceptionFilter,	15_2_00C3DB6A

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: needmoney.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe, type: DROPPED

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\1000238002\Amadeus.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3A0000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\1000238002\Amadeus.exe	Memory allocated: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe

Code function: 5_2_02A02531 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

5_2_02A02531

Detected PureCrypter Trojan

Source: 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: 176.150.119.15MIIE5DCCAsygAwIBAgIQAIuU9+rP1LroD5a5cWxVxTANBgkqhkiG9w0BAQ0FADATMREwDwYDVQQDDAhLb3NxcXhwdTAgFw0yNDA4MTkxMzUzNTdaGA85OTk5MTIzMTIzNTk1OVowEzERMA8GA1UEAwwIS29zcXF4cHUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCD3pqpsOXhMaGQhMdQWsJVRDA75I4OJmrR2ABh5jQCWY7V63BCshMXybIGfe3vRDG1W0ntENv1gk5cWLW//5RRYFE9dVbixX7Z4bK8xhV13ez+3tYl1dZBhWiX2vrX4TxKEg6ukwbwuw5dPL5x+ZMCrtNzAnip2gVXr9T/bdM17qIS2xDJ7YDn+zx+2NNdTmZC1lu1k73ZvSNipC+8u/T87b1yWE6E2aDvVuAQTHMMDnhy8wBd5JTiFUgGNoPJB05Xyr41FZFOJtW4odPhzkykL1t15Zgkw82shy3DA95794D6+qsGFG7VK+BQ9DCJiHw9eyw+bKy1tEuC3cSG/+XHAyi8Dtp1By8SBMFXyEuFHyqI1nT7yvAXkdDjwq+MBcMsK7kNsP4dvgqreOxxS7/nEUXiPygg/9AmvsuylPWjUGsyujJkbaLETgATY0OP3COBkPW+xypM64uf8emzggt7LE+obVtWN7Mom5Ngik8dpucQqPyxvVWHjy78Zgb91Tds2vI1gCR97ShjJV8GKulV6MVyv2Y2FekXt9xPpmoMLfOefklG4nm50kgvqlYca44G0HF3NuKJUwrHiIeFyPp6IDfvuxTwE3NdH5jVonRQQ4Ska6as6Kb4HipK52Y9seA8OC1T6swNFoAb3fCqAjqOD5XvJif2Jqn/A3zXuenlOwIDAQABozIwMDAdBgNVHQ4EFgQUCLRx/jQK4q8575a+bNnq/9Iwb+YwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAYRHTTkqoB4hOvFM/9Wpl1Qw7lJoAA5D8/MLdTkCQ8eNxSD5YPZBP1abvZ7rp1I+58hFPxU2+UD0KeLw5yRcdsfE16r/xJrdL194v/DsJvJ5JnRJXY2Uisn9bxR0e+olY0qj6HhavnYdNruVgj9AMImss8P9Ir/FVuZsj0UaaRlQAU/WChgtDbfUYlv/sFqrXiFa/wKdS7PXsFgNXOwi7XEmQJ4w1aA1LVDahifD0NhARwEQgP2TApWXyQ3x8XbVjajodsN1y/TN7tyjNx7F3lA7WU/BeyNOnh6XJjSygytVJT9TLjhTlqA+msheRjVpLyiA42V34VyDckKwlOBE2W/2sbD/zjyCa6l16K3kHG59X14UPI/VT5SUVxmAjMwHM69eDOuIetU231IVWec/gfpt+OD2mBWWQvA3sB+6oJ4UXqWEmBWS4PJyak/H0qPR9yIDR0V3kMu76yD+aS+9FX5R/UxSofakDEGdn8MfIpCfzxelrTakOoz60LxIrS83rAeBlf4UdycyZzojglMgUd0lZCacmRbTjrwC38Klw18ubGdISR61+PXs2tQNjyX56lazzqTQhIiRys/ZTAeROlrIGtLb2f7/r5dKme2/wbcmJMXeiv+IHAmOeHdNaYje1KyIk2DFLlvx2OmKkuuwm8XjqR5bGBWjS/9gfwilErjc="Default

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3A0000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: Amadeus.exe, 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe

Section unmapped: C:\Users\user\AppData\Local\Temp\svchost015.exe base address: 400000

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 432000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 812008	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 426000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 434000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 436000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 50B000
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D7F008
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 41E000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 42B000
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Memory written: C:\Users\user\AppData\Local\Temp\svchost015.exe base: 63E000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 4AF008
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3A0000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3A1000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3E1000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3E4000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 3F3000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 452000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 464000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46C000
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46A2008
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 401000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 452000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 464000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46C000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 462C008
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 401000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 452000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 464000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46C000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 4A28008
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 2BF0008
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 400000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 401000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 441000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 444000
Source: C:\Users\user\1000238002\Amadeus.exe	Memory written: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe base: 453000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 401000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 452000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 464000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46B000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 46C000
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 469D008

Source: C:\Users\user\Desktop\g082Q9DajU.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe "C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe "C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe "C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe "C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe "C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\1000238002\Amadeus.exe "C:\Users\user\1000238002\Amadeus.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe "C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe "C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe "C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe "C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe "C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe"
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Process created: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe "C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Source: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user\AppData\Local\Temp\svchost015.exe
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Process created: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe "C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\Pictures\Lighter Tech\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Source: C:\Users\user\1000238002\Amadeus.exe	Process created: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c copy "c:\users\user\appdata\local\temp\1000243001\runtime.exe" "c:\users\user\pictures\lighter tech\runtime.exe" && schtasks /create /sc minute /mo 1 /tn "runtime" /tr "c:\users\user\pictures\lighter tech\runtime.exe" /f
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c copy "c:\users\user\appdata\local\temp\1000243001\runtime.exe" "c:\users\user\pictures\lighter tech\runtime.exe" && schtasks /create /sc minute /mo 1 /tn "runtime" /tr "c:\users\user\pictures\lighter tech\runtime.exe" /f

Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.000000000295A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: axplong.exe, axplong.exe, 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: t9\|Program Manager
Source: c4W13ZFj1P.exe, 0000000B.00000002.1906741069.00000000028D9000.00000004.00000800.00020000.00000000.sdmp, penis.exe, 0000001A.00000002.2241610570.000000000295A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 3_2_00E2D312 cpuid

3_2_00E2D312

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_0041E815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	10_2_00414128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	10_2_0041EA68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0041EB91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	10_2_0041E402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	10_2_0041EC97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_0041ED66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	10_2_0041E5FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	10_2_0041464E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	10_2_0041E6EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	10_2_0041E6A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	10_2_0041E78A

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\1000238002\Amadeus.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\1000238002\Amadeus.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000002001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Queries volume information: C:\Users\user\Pictures\Lighter Tech\runtime.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Queries volume information: C:\Users\user\Pictures\Lighter Tech\runtime.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\AppReadiness VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\1000238002\Amadeus.exe	Queries volume information: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\joffer2.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000019001\joffer2.exe VolumeInformation
Source: C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Pictures\Lighter Tech\runtime.exe	Queries volume information: C:\Users\user\Pictures\Lighter Tech\runtime.exe VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 10_2_004079E4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

10_2_004079E4

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

15_2_00C2AC50

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C6252A _free,GetTimeZoneInformation,

15_2_00C6252A

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Code function: 15_2_00C27C40 GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

15_2_00C27C40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: gold.exe, 00000005.00000002.1850256188.0000000000D04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: axplong.exe, 00000003.00000002.3050434559.0000000000A38000.00000004.00000020.00020000.00000000.sdmp, gold.exe, 00000005.00000002.1850256188.0000000000D04000.00000004.00000020.00020000.00000000.sdmp, gold.exe.3.dr	Binary or memory string: AVP.exe
Source: RegAsm.exe, 00000007.00000002.2031180492.0000000009136000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.1999711934.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2026101968.0000000000BEF000.00000004.00000020.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2470566085.00000000009EA000.00000004.00000020.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2962100188.000000000723F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 41.2.AppLaunch.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.12ebf87c.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.Nework.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.Hkbsse.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.1d580324.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.Hkbsse.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.1d580324.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.2.AppLaunch.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.12ebf87c.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.Hkbsse.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.0.Hkbsse.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.1d580000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.Hkbsse.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.axplong.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.12ebf558.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.Nework.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.axplong.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.Hkbsse.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.12ebf558.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.g082Q9DajU.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.runtime.exe.12e41b20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.1916812173.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1916345322.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3044385898.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1914368612.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1913790607.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.2328370796.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1812249339.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2258945383.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1748418353.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1683484955.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1749444823.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.2403189499.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1709099923.00000000055F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1707837826.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2319721857.000000001D580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1723667142.0000000000261000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1905853574.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe, type: DROPPED

Yara detected Clipboard Hijacker

Source: Yara match	File source: 00000015.00000002.3079738326.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: S tup.exe PID: 2288, type: MEMORYSTR

Yara detected CryptOne packer

Source: Yara match

File source: 00000016.00000002.2122597398.0000000003139000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match	File source: Process Memory Space: S tup.exe PID: 2288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Channel3.exe PID: 7680, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 26.0.penis.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.c4W13ZFj1P.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1884009401.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2160574126.0000000000312000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1882466924.00000000002D2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 32.0.bundle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gold.exe.3a05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gold.exe.3a05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.vzVy6ZevhK.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1883338609.00000000006C2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851600707.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1997902146.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.2187298068.0000000000421000.00000002.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gold.exe PID: 8120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c4W13ZFj1P.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vzVy6ZevhK.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: penis.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bundle.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5408, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5408, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 26.0.penis.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.c4W13ZFj1P.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ElectrumE#
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\ElectronCash\wallets\\.
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: cjelfplplebdjjenllpjcblmjkfcffne\|JaxxxLiberty
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\window-state.json
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: sers\user\AppData\Roaming\\Exodus\\exodus.conf.json}
Source: RegAsm.exe, 00000007.00000002.2031600449.0000000009179000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\*.json
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: info.seco
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: ElectrumLTC
Source: stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\passphrase.jsonKy
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000FCA000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: \jaxx\Local Storage\
Source: RegAsm.exe, 00000007.00000002.1999711934.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets\*,
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ExodusE#
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
Source: RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: EthereumE#
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000FCA000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: file__0.localstorage
Source: RegAsm.exe, 00000007.00000002.2030250461.00000000090AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*@?
Source: RegAsm.exe, 00000007.00000002.2030250461.00000000090AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: seed.seco
Source: RegAsm.exe, 0000000A.00000002.1884009401.0000000000479000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore
Source: stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.n

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\svchost015.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: Yara match	File source: 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2500882491.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vzVy6ZevhK.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: S tup.exe PID: 2288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bundle.exe PID: 7444, type: MEMORYSTR

Remote Access Functionality

Yara detected CryptOne packer

Source: Yara match

File source: 00000016.00000002.2122597398.0000000003139000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match	File source: Process Memory Space: S tup.exe PID: 2288, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Channel3.exe PID: 7680, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: 26.0.penis.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.c4W13ZFj1P.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1884009401.0000000000479000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.2160574126.0000000000312000.00000002.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000000.1882466924.00000000002D2000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Yara detected RedLine Stealer

Source: Yara match	File source: 32.0.bundle.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gold.exe.3a05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gold.exe.3a05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.436060.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.436060.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.vzVy6ZevhK.exe.6c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000000.1883338609.00000000006C2000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1851600707.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.1997902146.0000000000421000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000000.2187298068.0000000000421000.00000002.00000001.01000000.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gold.exe PID: 8120, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1748, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: c4W13ZFj1P.exe PID: 3992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: vzVy6ZevhK.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: penis.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: bundle.exe PID: 7444, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe, type: DROPPED

Yara detected Stealc

Source: Yara match	File source: 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5408, type: MEMORYSTR

Yara detected Vidar stealer

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost015.exe PID: 5408, type: MEMORYSTR

Yara detected zgRAT

Source: Yara match	File source: 26.0.penis.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.0.c4W13ZFj1P.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.482060.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.RegAsm.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C22400 __ehhandler$??1_Scoped_lock@?$SafeRWList@UListEntry@details@Concurrency@@VNoCount@CollectionTypes@23@V_ReaderWriterLock@23@@details@Concurrency@@QAE@XZ,	15_2_00C22400
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C4EAA8 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::ReleaseInternalContext,	15_2_00C4EAA8
Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	Code function: 15_2_00C4DDB1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	15_2_00C4DDB1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	231 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	11 Scheduled Task/Job	512 Process Injection	21 Deobfuscate/Decode Files or Information	11 Input Capture	1 Account Discovery	Remote Desktop Protocol	4 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	11 Registry Run Keys / Startup Folder	11 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	12 Command and Scripting Interpreter	Login Hook	11 Registry Run Keys / Startup Folder	1 Install Root Certificate	NTDS	359 System Information Discovery	Distributed Component Object Model	11 Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Scheduled Task/Job	Network Logon Script	Network Logon Script	23 Software Packing	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	2 PowerShell	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	1091 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Masquerading	Proc Filesystem	471 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	471 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	512 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
g082Q9DajU.exe	52%	Virustotal		Browse
g082Q9DajU.exe	76%	ReversingLabs	Win32.Trojan.Generic
g082Q9DajU.exe	100%	Avira	TR/Crypt.TPM.Gen
g082Q9DajU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Amadeus[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crypteda[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5KNCHALAH[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\needmoney[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe	100%	Joe Sandbox ML
C:\Users\user\1000238002\Amadeus.exe	100%	Joe Sandbox ML
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	Virustotal		Browse
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	Virustotal		Browse
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	Virustotal		Browse
C:\Users\user\1000238002\Amadeus.exe	62%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5KNCHALAH[1].exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Channel3[1].exe	54%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\S?tup[1].exe	49%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\gold[1].exe	88%	ReversingLabs	Win32.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Amadeus[1].exe	62%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe	100%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe	66%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\runtime[1].exe	71%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe	100%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crypteda[1].exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\needmoney[1].exe	58%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe	63%	ReversingLabs	Win32.Trojan.Jalapeno
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe	100%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000002001\gold.exe	88%	ReversingLabs	Win32.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe	100%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe	100%	ReversingLabs	Win32.Trojan.Multiverze
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	100%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe	49%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe	58%	ReversingLabs	Win32.Spyware.Stealc
C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe	71%	ReversingLabs	Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000254001\penis.exe	63%	ReversingLabs	Win32.Trojan.Jalapeno
C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe	66%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe	29%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe	54%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	76%	ReversingLabs	Win32.Trojan.Generic

Name	Malicious	Antivirus Detection	Reputation
http://91.202.233.158/e96ea2db21fa9a1b.php	true
analforeverlovyu.top	true
95.179.250.45:26212	true
thirtv13ht.top	true

URLs from Memory and Binaries

Name	Source	Malicious
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
https://www.cloudflare.com/learning/access-management/phishing-attack/	BitLockerToGo.exe, 00000025.00000003.2304902282.00000000029AD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000025.00000003.2305204277.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2499936890.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2505661424.0000000002E43000.00000004.00000020.00020000.00000000.sdmp	false
http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q	needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id23ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002A79000.00000004.00000800.00020000.00000000.sdmp	false
http://91.202.233.158/3836fd5700214436/msvcp140.dll	svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false
http://thirtv13ht.top/v1/upload.php	Channel3.exe, 00000026.00000002.3077725303.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2689901437.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000002.3077074474.000000000159E000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://www.x-ways.net/winhex/subscribe-d.htmlU	needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	false
http://www.fontbureau.com/designers	c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://91.202.233.158/3836fd5700214436/mozglue.dll36	svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpSA	stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://91.202.233.158/3836fd5700214436/nss3.dllhS	svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://www.galapagosdesign.com/DPlease	c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpNAs6v	stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
https://api.ip.sb/ip	penis.exe, 0000001A.00000002.2241610570.000000000279E000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000000.2187298068.0000000000421000.00000002.00000001.01000000.00000020.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpAp267	stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	false
https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection	needmoney.exe, 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp	false
https://stackoverflow.com/q/14436606/23354	5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58951000.00000004.00000800.00020000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp, 5KNCHALAH.exe, 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php369.jpg	AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpOF-6	stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	false
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	stealc_default2.exe, 00000014.00000002.2147998864.0000000026D32000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000998000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2645242552.0000000026F00000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm	stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	false
http://185.215.113.19/CoreOPT/index.php	AppLaunch.exe, 0000001D.00000002.3067478958.0000000007091000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000001D.00000002.3067478958.0000000007094000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000001D.00000002.3056256702.0000000004D43000.00000004.00000020.00020000.00000000.sdmp, AppLaunch.exe, 0000001D.00000002.3056256702.0000000004CCD000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2146844632.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, svchost015.exe, 00000017.00000003.2186838025.0000000000B34000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2475146620.000000000325D000.00000004.00000020.00020000.00000000.sdmp	false
https://www.cloudflare.com/5xx-error-landing	BitLockerToGo.exe, 00000025.00000002.2342127287.0000000002932000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000025.00000003.2304902282.00000000029AD000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 00000025.00000003.2305204277.00000000029AC000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2500472620.0000000002E2F000.00000004.00000020.00020000.00000000.sdmp, BitLockerToGo.exe, 0000002E.00000003.2499936890.0000000002E7D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
https://cdn.ep	stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/runtime.exeRJ	axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.117/inc/needmoney.exeg	axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/bundle.exe	axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028EE000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF	stealc_default2.exe, 00000014.00000002.2123355501.0000000000F9C000.00000004.00000001.01000000.00000015.sdmp, svchost015.exe, 00000017.00000002.2475542759.000000000043C000.00000040.00000400.00020000.00000000.sdmp	false
http://www.founder.com.cn/cn/bThe	c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://thirtv13ht.top/F	Channel3.exe, 00000026.00000002.3077725303.00000000015CE000.00000004.00000020.00020000.00000000.sdmp, Channel3.exe, 00000026.00000003.2689901437.00000000015CD000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpx	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php~	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.php0o	axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpH	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpN	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpw	stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpP	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpm	stealc_default2.exe, 00000014.00000002.2122450244.00000000008A0000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpo	stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpX	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13Response	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpf	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php(	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	RegAsm.exe, 00000007.00000002.2002581116.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.00000000029E1000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000027B1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.php2	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000F97000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id4ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/S	axplong.exe, 00000003.00000002.3050434559.0000000000A49000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php7A9	stealc_default2.exe, 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id22ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002A75000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.19/ProlongedPortable.dll	runtime.exe, 00000019.00000002.2240011081.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000023.00000002.3068284554.00000000024E1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 00000027.00000002.2418200772.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, runtime.exe, 0000002F.00000002.2575995048.0000000003256000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id16ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002B5B000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpB	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Issue	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id19ResponseD	RegAsm.exe, 00000007.00000002.2002581116.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.00000000028A2000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002AD1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.26/Dem7kTu/index.phpD	Hkbsse.exe, 0000002D.00000002.3061861979.0000000000FC4000.00000004.00000020.00020000.00000000.sdmp	false
http://fivev5ht.top/v1/upload.phpyY	S tup.exe, 00000015.00000003.2816166125.0000000001492000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2797050556.0000000001491000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000002.3077015225.0000000001494000.00000004.00000020.00020000.00000000.sdmp, S tup.exe, 00000015.00000003.2826542012.0000000001494000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/es	axplong.exe, 00000003.00000002.3050434559.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpBFIJEHDHCBGDGDGCB	stealc_default2.exe, 00000014.00000002.2122450244.00000000008F2000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
http://www.founder.com.cn/cn	c4W13ZFj1P.exe, 0000000B.00000002.1919860184.0000000006802000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc	RegAsm.exe, 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, vzVy6ZevhK.exe, 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, bundle.exe, 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp	false
https://stackoverflow.com/q/2152978/23354	5KNCHALAH.exe, 00000024.00000002.3069125421.0000023D58760000.00000004.08000000.00040000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
91.202.233.158	unknown	Russian Federation	9009	M247GB	true
104.21.10.172	unknown	United States	13335	CLOUDFLARENETUS	false
185.215.113.26	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.67	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.19	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
103.130.147.211	unknown	Turkey	63859	MYREPUBLIC-AS-IDPTEkaMasRepublikID	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
95.179.250.45	unknown	Netherlands	20473	AS-CHOOPAUS	true
195.133.13.230	unknown	Russian Federation	197695	AS-REGRU	false
154.216.17.216	unknown	Seychelles	135357	SKHT-ASShenzhenKatherineHengTechnologyInformationCo	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
65.21.18.51	unknown	United States	199592	CP-ASDE	false
185.215.113.117	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
195.133.48.136	unknown	Russian Federation	48347	MTW-ASRU	false
176.150.119.15	unknown	France	5410	BOUYGTEL-ISPFR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1505447
Start date and time:	2024-09-06 09:35:56 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	49
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	g082Q9DajU.exe renamed because original name is a hash value
Original Sample Name:	6e66aea8d0d6a8e404ccc60bb32a99f3.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@75/84@0/16
EGA Information:	Successful, ratio: 72.7%
HCA Information:	Successful, ratio: 60% Number of executed functions: 368 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target axplong.exe, PID 7588 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7596 because there are no executed function
Execution Graph export aborted for target g082Q9DajU.exe, PID 7404 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
03:37:01	API Interceptor	495134x Sleep call for process: axplong.exe modified
03:37:13	API Interceptor	50x Sleep call for process: RegAsm.exe modified
03:37:18	API Interceptor	28x Sleep call for process: vzVy6ZevhK.exe modified
03:37:29	API Interceptor	3x Sleep call for process: S tup.exe modified
03:37:31	API Interceptor	6x Sleep call for process: svchost015.exe modified
03:37:35	API Interceptor	8x Sleep call for process: runtime.exe modified
03:37:36	API Interceptor	916x Sleep call for process: AppLaunch.exe modified
03:37:48	API Interceptor	4x Sleep call for process: BitLockerToGo.exe modified
03:37:56	API Interceptor	47x Sleep call for process: bundle.exe modified
03:37:58	API Interceptor	3x Sleep call for process: Channel3.exe modified
03:38:00	API Interceptor	509x Sleep call for process: Hkbsse.exe modified
08:36:49	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
08:37:11	Task Scheduler	Run new task: Hkbsse path: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
08:37:37	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce runtime C:\Users\user\Pictures\Lighter Tech\runtime.exe
08:37:40	Task Scheduler	Run new task: runtime path: C:\Users\user\Pictures\Lighter s>Tech\runtime.exe
08:37:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Amadeus.exe C:\Users\user\1000238002\Amadeus.exe
08:37:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce runtime C:\Users\user\Pictures\Lighter Tech\runtime.exe
08:38:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Amadeus.exe C:\Users\user\1000238002\Amadeus.exe
08:39:08	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AFCBFIJEHDHCBGDGDGCB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\AKEGDHJD

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAEGCGCGIEGDHIDHJJEH

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BKFHCGIDBAAFHIDHDAAE

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	ASCII text, with very long lines (1809), with CRLF line terminators
Category:	dropped
Size (bytes):	9571
Entropy (8bit):	5.536643647658967
Encrypted:	false
SSDEEP:	192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSl:yegqumcwQ0
MD5:	5D8E5D85E880FB2D153275FCBE9DA6E5
SHA1:	72332A8A92B77A8B1E3AA00893D73FC2704B0D13
SHA-256:	50490DC0D0A953FA7D5E06105FE9676CDB9B49C399688068541B19DD911B90F9
SHA-512:	57441B4CCBA58F557E08AAA0918D1F9AC36D0AF6F6EB3D3C561DA7953ED156E89857FFB829305F65D220AE1075BC825F131D732B589B5844C82CA90B53AAF4EE
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\DAECAECFCAAEBFHIEHDGHDHCBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FHCGCFHD

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\GDHIEHJEBAAFIDHJEBGIEBFIJK

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIIIJDAAAAAAKECBFBAEBKJJJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HJDAKFBF

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IIDHJKFBGIIJJKFIJDBG

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IJKFCFHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JJKJDAEBFCBKECBGDBFCFBKKKF

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KEHCAFHIJECGCAKFCGDBKEGIDH

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFBFCAFCBKFIEBFHIDBA

Download File

Process:	C:\Users\user\AppData\Local\Temp\svchost015.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KJJECGHJDBFIJJJKEHCB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 11:02:31 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.451301765168081
Encrypted:	false
SSDEEP:	48:8SUPRdATkoGRYrnvPdAKRkdAGdAKRFdAKR/U:8SUMt
MD5:	49E67C11658899CF4DD875B19291D579
SHA1:	E9D1CC9293CB04C1D81B0B2A5C226CB80A150A4C
SHA-256:	28F5B0921182B88D66C7B337AF1336FEF66F69D9BAB3061C595567AED9CE2EF7
SHA-512:	2E43173AC4C31825D87818D808E46B9CF2F697CA59DA52611402D5AEC083CF6343631229100755D5CA69A10ABDA285B7F004D74D61B9CF2912BD6E14DFDFE6BF
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......,....1.P........q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDW5`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWP`....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWP`....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWP`..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDWI`..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\1000238002\Amadeus.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5562368
Entropy (8bit):	6.39372886031857
Encrypted:	false
SSDEEP:	49152:NXJxAIQfc7wXnJu1U30/jo5UJZUntHvVkgKJswamhqp1ROjyj/2wW0j94lNI/pB+:BAIdik7/junt/2wr3/
MD5:	36A627B26FAE167E6009B4950FF15805
SHA1:	F3CB255AB3A524EE05C8BAB7B4C01C202906B801
SHA-256:	A2389DE50F83A11D6FE99639FC5C644F6D4DCEA6834ECBF90A4EAD3D5F36274A
SHA-512:	2133ABA3E2A41475B2694C23A9532C238ABAB0CBAE7771DE83F9D14A8B2C0905D44B1BA0B1F7AAE501052F4EBA0B6C74018D66C3CBC8E8E3443158438A621094
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........R...............$..l....... ........J...@...........................W.......U...@...................................R.L.....T.......................R......................................................J..............................text...x.$.......$................. ..`.rdata..d.%...$...%...$.............@..@.data...`.....J.......J.............@....idata..L.....R.......P.............@....reloc........R......$P.............@..B.symtab.......T.......R................B.rsrc.........T.......R.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5:	0C1110E9B7BBBCB651A0B7568D796468
SHA1:	7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256:	112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512:	46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bundle.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5:	0C1110E9B7BBBCB651A0B7568D796468
SHA1:	7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256:	112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512:	46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\c4W13ZFj1P.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypteda.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gold.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000002001\gold.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\penis.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000254001\penis.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vzVy6ZevhK.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqcEZ5D:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlqY
MD5:	0B2E58EF6402AD69025B36C36D16B67F
SHA1:	5ECC642327EF5E6A54B7918A4BD7B46A512BF926
SHA-256:	4B0FB8EECEAD6C835CED9E06F47D9021C2BCDB196F2D60A96FEE09391752C2D7
SHA-512:	1464106CEC5E264F8CEA7B7FF03C887DA5192A976FBC9369FC60A480A7B9DB0ED1956EFCE6FFAD2E40A790BD51FD27BB037256964BC7B4B2DA6D4D5C6B267FA1
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\5KNCHALAH[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1662464
Entropy (8bit):	7.652895099580909
Encrypted:	false
SSDEEP:	24576:3ZAYdRMHkss0gfe4GCfB375jh9WBSI5RyDv/5m0mMra4kpYrK:pAaMH00glBf9UZMgLpY
MD5:	3F99C2698FC247D19DD7F42223025252
SHA1:	043644883191079350B2F2FFBEFEF5431D768F99
SHA-256:	BA8561BF19251875A15471812042ADAC49F825C69C3087054889F6107297C6F3
SHA-512:	6A88D1049059BBA8F0C9498762502E055107D9F82DBC0AACFDD1E1C138BDB875CF68C2B7998408F8235E53B2BB864BA6F43C249395640B62AF305A62B9BFCD67
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 29%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....].f.................V............... ....@...... ....................................`...@......@............... ..................................p............................................................................................ ..H............text....T... ...V.................. ..`.rsrc...p............X..............@..@........................................H...................Y...(...hy..............................................(.......(.....0..s........ .... ....s....}....8.......s....}....8..... u..7(....(.... ....~....{....:....& ....8....8........E........8......0..u........ .... ....s....}....8.......s....}....8..... u..7(....(.... ....~....{....9....& ....8....8........E....2...........6.......z...z...g...........O...........8-..... ...7(.....\|....(....(....(...... ....8..... ...7(.....s#...(.... ....~....{....:k...& ....8

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Channel3[1].exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6658743
Entropy (8bit):	6.6286600350884886
Encrypted:	false
SSDEEP:	98304:6eZyvLAWn165UTJbRIQT/diMjl1jWQsznI7:6eZyvLAoLtRnzl1jWbI7
MD5:	931C65C2ABF6031D6520F1A48A0F5E34
SHA1:	E5034AA393E00A2B217AD7D60AA49362B6BA5FCE
SHA-256:	ED19EA12EE52A2DD4808B6956B9E65524FE0307659E685253AD3B28DF0EF89E5
SHA-512:	F8DEB851B0C4E405D116CB8FE75E952716FADEE1FAC63DC38FF2F02FD6590A3DBE0AAB74022FC2660874EF9C5950C7BFE113672B61F419B62E865DB8DA55B415
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(r.f.(_.8&.........#..G..zZ...f...........G...@...................................e....... ......................`..B....p..................................x#............................H......................q...............................text.....G.......G.................`.P`.data.........G.......G.............@.`..rdata..8.....H.......G.............@.`@/4............H.......H.............@.0@.bss....T.f..pL.......................`..edata..B....`.......LL.............@.0@.idata.......p.......NL.............@.0..CRT....4............XL.............@.0..tls.................ZL.............@.0..reloc..x#.......$...\L.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL.......N...0\.............@..B/55.....B............~\.............@..B/67.....T............b].............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\S?tup[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6634402
Entropy (8bit):	6.631555996365599
Encrypted:	false
SSDEEP:	49152:iBEVDqd3DizOb6U0fwlu6560pvxbm4QOdap+T+00kwsKRns+L2TX4n4heFIhz3jP:iEdqLSoap+T+9FsKRnkEuEcuZOi+R
MD5:	A2EAD3670D2D61E86C0F6D8DF5C4392A
SHA1:	4A46E64C70897504C28B94B645488D3A71D25DC5
SHA-256:	2CA7F5DFCD3F7664C8C6F02BB23203D0A9F032F5197B303C2ACA00830E175501
SHA-512:	84DDE0F2B584076C59B55A357DF9050F79570252D9BED7BC034F09A653463A57CB3A0E435367953A9C86F03E2405060520A2D87B97937BF369900874DB083892
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 49%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.._.A%.........#..G..fZ...f...........H...@...................................e....... ......................@..B....P..................................@&............................H......................Q...............................text...4.G.......G.................`.P`.data...(.....H.......G.............@.`..rdata...... H.......H.............@.`@/4............H.......H.............@.0@.bss....T.f..PL.......................`..edata..B....@.......4L.............@.0@.idata.......P.......6L.............@.0..CRT....4....`.......@L.............@.0..tls.........p.......BL.............@.0..reloc..@&.......(...DL.............@.0B/14..................lZ.............@..B/29.................tZ.............@..B/41.....XL...p...N....\.............@..B/55.....B............j\.............@..B/67.....T............N].............@.0B/80.....a............l].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\gold[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	320512
Entropy (8bit):	7.987284635350729
Encrypted:	false
SSDEEP:	6144:neVh7D3iwjO1cYQMQ7P+iGbYwOf+eQIGE9o+3XOxyI645cMcxUPGuNhlF:OlNYQMQ7P+TOfJTo+3+xygcM2kN
MD5:	2D647CF43622ED10B6D733BB5F048FC3
SHA1:	6B9C5F77A9EF064A23E5018178F982570CBC64C6
SHA-256:	41426DD54FCABBF30A68B2AA11AA4F61F3862BEA83109D3E3C50CFEBED1359E6
SHA-512:	62400F1E9646268F0326AAB5B95EFACB0303F4C5879CCCF0CBB24D1F66D0DB40D0FDFEBB09BA785B5DFD54DF2D32E8AAB48C1F5F333956B606112DE68635AC3A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f................................. ........@.. .......................@...........`.....................................S............................ ......`................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................................................................?.K.h[g;.7-.'.C....W.H0..JAsg..w....[....aQT.u.<....;s9Y..../.a.......S.aw..4.;O'0.....>.{j.".X...+,].-zt..l...6............Z...R[I.".sF\|..D...a.v.>.i.<.?......xN=..W..'o..79..........t..C.._;.hP.....Y.6m...8]=..=1.=..M..a...}..'.u..?....9E.+$..&..S......%.Q..3...Q......o"....z..d..%.e*2A.&Z.p.{=P.L....".J..UO.-...A..x...T../.D....].Lj.F.ax.`ck...#..5..`.@.x.......[$..,F.}..7F.l..\|.\|...:.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Amadeus[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5562368
Entropy (8bit):	6.39372886031857
Encrypted:	false
SSDEEP:	49152:NXJxAIQfc7wXnJu1U30/jo5UJZUntHvVkgKJswamhqp1ROjyj/2wW0j94lNI/pB+:BAIdik7/junt/2wr3/
MD5:	36A627B26FAE167E6009B4950FF15805
SHA1:	F3CB255AB3A524EE05C8BAB7B4C01C202906B801
SHA-256:	A2389DE50F83A11D6FE99639FC5C644F6D4DCEA6834ECBF90A4EAD3D5F36274A
SHA-512:	2133ABA3E2A41475B2694C23A9532C238ABAB0CBAE7771DE83F9D14A8B2C0905D44B1BA0B1F7AAE501052F4EBA0B6C74018D66C3CBC8E8E3443158438A621094
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........R...............$..l....... ........J...@...........................W.......U...@...................................R.L.....T.......................R......................................................J..............................text...x.$.......$................. ..`.rdata..d.%...$...%...$.............@..@.data...`.....J.......J.............@....idata..L.....R.......P.............@....reloc........R......$P.............@..B.symtab.......T.......R................B.rsrc.........T.......R.............@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\Nework[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082149053952267
Encrypted:	false
SSDEEP:	3072:Gq6EgY6iwrUjpgcDwPddU3417TAYtAliUpcZqf7D349eqiOLibBOp:dqY6inwPwo17TAkA1pcZqf7DIHL
MD5:	30DAA686C1F31CC4833BD3D7283D8CDC
SHA1:	70F74571FAFE1B359CFE9CE739C3752E35D16CF5
SHA-256:	504518E3B4F3ABC7F1AE1BF205FDC4A9F739E05B5E84618BAE9C7E66BDC19822
SHA-512:	9F6C0EEA9F03F9AA35EBF27CE8264E41D9072D273D1B8A35415AE4666D31013D895D1108DD67E36910200E2AC4FC45A4A9D761A1AADF02B0FD29EF93CD20A4D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\bundle[1].exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.7...............0................. ... ....@.. ....................... ............@.................................p...O.... ..............................T................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\runtime[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.216673519026734
Encrypted:	false
SSDEEP:	768:fcbuPx+zgDwfIH/335cJX2om4VQRIEvmg5+FOKo5h:flxT1H/335C2ozVQRItgMF4h
MD5:	B73CF29C0EA647C353E4771F0697C41F
SHA1:	3E5339B80DCFBDC80D946FC630C657654EF58DE7
SHA-256:	EDD76F144BBDBFC060F7CB7E19863F89EB55863EFC1A913561D812083B6306CD
SHA-512:	2274D4C1E0EF72DC7E73B977E315DDD5472EC35A52E3449B1F6B87336EE18FF8966FED0451D19D24293FDE101E0C231A3CAA08B7BD0047A18A41466C2525E2E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....I..........."...0.................. ........@.. ....................... ............@.................................:...O.......................................8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................n.......H........1..............xJ.. y............................................~....}.....~....}.....~....}.....(.....(......{....t....}....6..s....(.......0..>........{....r...po...........o....&..{........(....(....}.....(.......0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.395265378509869
Encrypted:	false
SSDEEP:	3072:QJlVTFj5qDao8KaxfE54HnnGSail+bOX8bX60UFHJKa:QJP5j5Ka2aOanGSabY860UFpKa
MD5:	7A02AA17200AEAC25A375F290A4B4C95
SHA1:	7CC94CA64268A9A9451FB6B682BE42374AFC22FD
SHA-256:	836799FD760EBA25E15A55C75C50B977945C557065A708317E00F2C8F965339E
SHA-512:	F6EBFE7E087AA354722CEA3FDDD99B1883A862FB92BB5A5A86782EA846A1BFF022AB7DB4397930BCABAA05CB3D817DE3A89331D41A565BC1DA737F2C5E3720B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\stealc_default2[1].exe, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L......f.....................B"......d............@..........................0$...........@....................................<.............................#..$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\crypteda[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1104936
Entropy (8bit):	7.998181628509962
Encrypted:	true
SSDEEP:	24576:lxaesWtTVxFP96Hu0jjjfQNggJRhc2BIVTit:3FsWTzqjjW/BV
MD5:	8E74497AFF3B9D2DDB7E7F819DFC69BA
SHA1:	1D18154C206083EAD2D30995CE2847CBEB6CDBC1
SHA-256:	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
SHA-512:	9AACC5C130290A72F1087DAA9E79984565CCAB6DBCAD5114BFED0919812B9BA5F8DEE9C37D230EECA4DF3CCA47BA0B355FBF49353E53F10F0EBC266E93F49F97
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f................................. ........@.. ....................... ............`.....................................O.......................(&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........................................................................L.v.lT.p#.E..'&..@cC...tE.....% ...pr*QA.U.v6..V.=.Cx..G.H.E.....i.....(hh.q.Bf..}...gL-.S.1),p.....$.8.ij3.....7....!Ts......T.[...X..PUE.c.j...s.].E........q.X.wsS.Y....g)......7I...OK..m(..d.(.T........0`.V`...o....E.G...#.I..q.....lh9..+........>6Q..=.S ...........-....#..].......rA.R..........1?.[..}l....jqD.$....N..xE1p....x[.h~.....i..d...u.!x.o..D..yue...S../z..>.\|.!. .0.^.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\joffer2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6646362
Entropy (8bit):	6.6340518240024196
Encrypted:	false
SSDEEP:	98304:tel2olgN65W+VDoKTM5NLrN8AA5mW5qV6+1AKBtWxNHXw:tel2jmDo+MbvGbxW6+e0tCRXw
MD5:	0857E05E60F7043CC225770FBFBD9813
SHA1:	EA62C4E5470DF8D3703FE2C345AECD5692B51A56
SHA-256:	8F6A80DB2B88528AFD90D1BD38860A69573D0127B069983EF89E46C495C57543
SHA-512:	FE7C9ABC314E286265F4AEC24A1919A06C30CB53B447EAF69F34DD9281D816C06228019643163E9224CC1A399D4BB2683225AC6E47AD41FA0B3126473713F369
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|..f.._..%.........#..G..pZ...f...........H...@...................................f....... ......................P..B....`..................................4$..........................D.H......................a...............................text...$.G.......G.................`.P`.data...(.....H.......G.............@.`..rdata..X.... H.......H.............@.`@/4......0.....H.......H.............@.0@.bss....T.f..`L.......................`..edata..B....P.......@L.............@.0@.idata.......`.......BL.............@.0..CRT....4....p.......LL.............@.0..tls.................NL.............@.0..reloc..4$.......&...PL.............@.0B/14..................vZ.............@..B/29.................~Z.............@..B/41.....XL.......N...&\.............@..B/55.....B............t\.............@..B/67.....T............X].............@.0B/80.....a............v].

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\needmoney[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3766272
Entropy (8bit):	7.38258216504181
Encrypted:	false
SSDEEP:	98304:epy65+/t4BT7/Z/U6NVQFamv1oOgEoYYkTZ:ec6Ot4x7RcsmFxv+OgEoYvTZ
MD5:	7E6A519688246FE1180F35FE0D25D370
SHA1:	8E8719AC897DFEF7305311DC216F570AF40709AF
SHA-256:	32A927E9B33371B82BAE9F02B5EBF07C19AE5A3A7E3C0CD3FCBEE7CFFF7F257A
SHA-512:	A751E911EB254749A3C8C98740F455A5BE32CE1AF94DC90EBA8FC677D6D7379303F80247748DFCFE9C8570EDB3488A5AF97FA7FF29C815BEC6824DD491E27972
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F2......=.......@....@...........................9..................@...........................p...#...P....1..................... ...................................................................................CODE....d-.......................... ..`DATA.........@.......2..............@...BSS..........`.......P...................idata...#...p...$...P..............@....tls.................t...................rdata...............t..............@..P.reloc.. ............v..............@..P.rsrc.....1..P....1.................@..P..............9......x9.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	565760
Entropy (8bit):	6.027563585335799
Encrypted:	false
SSDEEP:	6144:D9ZTacgcC0MvpRumxRzZhM6O7G8imHV7GcCG5CrscFS6A1yNF2qm+Dpy4Z+hPx:JZTyfvjuQzZq7G8ivcCG5CHFBjz1WhZ
MD5:	03CF06E01384018AC325DE8BC160B4B2
SHA1:	1853505E502B392FD556A9CE6050207230CC70CD
SHA-256:	5AB3785B2B72EAF7EDFF8961EB8FF8DD3DC6CC7031BC96CEB06A899B6FB3BBBC
SHA-512:	BE1F2CF898DB93E96E8817BF2D0AB0EF0F49D5BBA4EFBA2DE4046F6B381E8EDA6FF5FCFDC057B6CBC4DE5B3A7B096612C1E0D6B0D395EE685B3844BA5DC0E1B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\penis[1].exe, Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.................0..B...^.......a... ........@.. ....................................@.................................pa..K........Z........................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc....Z.......\...D..............@..@.reloc..............................@..B.................a......H........Y.................................................................(....(.....0...........s........~....%:....&~......'...s....%.....(...+o.....8[....o...............%..F~ ...(.....%..G~ ...(.....%..H~ ...(.....%..e~ ...(.....~!...(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~ ...(....o........9......I~ ...(.......8C........~ ...(....o....:......{....~"...(....8......{....~#...(.........(...........9........o.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000002001\gold.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	320512
Entropy (8bit):	7.987284635350729
Encrypted:	false
SSDEEP:	6144:neVh7D3iwjO1cYQMQ7P+iGbYwOf+eQIGE9o+3XOxyI645cMcxUPGuNhlF:OlNYQMQ7P+TOfJTo+3+xygcM2kN
MD5:	2D647CF43622ED10B6D733BB5F048FC3
SHA1:	6B9C5F77A9EF064A23E5018178F982570CBC64C6
SHA-256:	41426DD54FCABBF30A68B2AA11AA4F61F3862BEA83109D3E3C50CFEBED1359E6
SHA-512:	62400F1E9646268F0326AAB5B95EFACB0303F4C5879CCCF0CBB24D1F66D0DB40D0FDFEBB09BA785B5DFD54DF2D32E8AAB48C1F5F333956B606112DE68635AC3A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 88%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....f................................. ........@.. .......................@...........`.....................................S............................ ......`................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......................................................................?.K.h[g;.7-.'.C....W.H0..JAsg..w....[....aQT.u.<....;s9Y..../.a.......S.aw..4.;O'0.....>.{j.".X...+,].-zt..l...6............Z...R[I.".sF\|..D...a.v.>.i.<.?......xN=..W..'o..79..........t..C.._;.hP.....Y.6m...8]=..=1.=..M..a...}..'.u..?....9E.+$..&..S......%.Q..3...Q......o"....z..d..%.e*2A.&Z.p.{=P.L....".J..UO.-...A..x...T../.D....].Lj.F.ax.`ck...#..5..`.@.x.......[$..,F.}..7F.l..\|.\|...:.

C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1104936
Entropy (8bit):	7.998181628509962
Encrypted:	true
SSDEEP:	24576:lxaesWtTVxFP96Hu0jjjfQNggJRhc2BIVTit:3FsWTzqjjW/BV
MD5:	8E74497AFF3B9D2DDB7E7F819DFC69BA
SHA1:	1D18154C206083EAD2D30995CE2847CBEB6CDBC1
SHA-256:	D8E81D9E336EF37A37CAE212E72B6F4EF915DB4B0F2A8DF73EB584BD25F21E66
SHA-512:	9AACC5C130290A72F1087DAA9E79984565CCAB6DBCAD5114BFED0919812B9BA5F8DEE9C37D230EECA4DF3CCA47BA0B355FBF49353E53F10F0EBC266E93F49F97
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\..f................................. ........@.. ....................... ............`.....................................O.......................(&........................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........................................................................L.v.lT.p#.E..'&..@cC...tE.....% ...pr*QA.U.v6..V.=.Cx..G.H.E.....i.....(hh.q.Bf..}...gL-.S.1),p.....$.8.ij3.....7....!Ts......T.[...X..PUE.c.j...s.].E........q.X.wsS.Y....g)......7I...OK..m(..d.(.T........0`.V`...o....E.G...#.I..q.....lh9..+........>6Q..=.S ...........-....#..].......rA.R..........1?.[..}l....jqD.$....N..xE1p....x[.h~.....i..d...u.!x.o..D..yue...S../z..>.\|.!. .0.^.

C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	425984
Entropy (8bit):	6.513416731775012
Encrypted:	false
SSDEEP:	12288:ISqMakU3v+GYLWIjD9dSbvBG5u2uQjdQco:jq53v+G4Wwub8Ljaco
MD5:	F5D7B79EE6B6DA6B50E536030BCC3B59
SHA1:	751B555A8EEDE96D55395290F60ADC43B28BA5E2
SHA-256:	2F1AFF28961BA0CE85EA0E35B8936BC387F84F459A4A1D63D964CE79E34B8459
SHA-512:	532B17CD2A6AC5172B1DDBA1E63EDD51AB53A4527204415241E3A78E8FFEB9728071BDE5AE1EEFABEFD2627F00963F8A5458668CD7B8DF041C8683252FF56B46
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L......f............................E.............@.......................................@.................................D...................................<L......8...............................@............................................text............................... ..`.rdata..8...........................@..@.data...\|f... ...4..................@....rsrc................0..............@..@.reloc..<L.......N...2..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000019001\joffer2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6646362
Entropy (8bit):	6.6340518240024196
Encrypted:	false
SSDEEP:	98304:tel2olgN65W+VDoKTM5NLrN8AA5mW5qV6+1AKBtWxNHXw:tel2jmDo+MbvGbxW6+e0tCRXw
MD5:	0857E05E60F7043CC225770FBFBD9813
SHA1:	EA62C4E5470DF8D3703FE2C345AECD5692B51A56
SHA-256:	8F6A80DB2B88528AFD90D1BD38860A69573D0127B069983EF89E46C495C57543
SHA-512:	FE7C9ABC314E286265F4AEC24A1919A06C30CB53B447EAF69F34DD9281D816C06228019643163E9224CC1A399D4BB2683225AC6E47AD41FA0B3126473713F369
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|..f.._..%.........#..G..pZ...f...........H...@...................................f....... ......................P..B....`..................................4$..........................D.H......................a...............................text...$.G.......G.................`.P`.data...(.....H.......G.............@.`..rdata..X.... H.......H.............@.`@/4......0.....H.......H.............@.0@.bss....T.f..`L.......................`..edata..B....P.......@L.............@.0@.idata.......`.......BL.............@.0..CRT....4....p.......LL.............@.0..tls.................NL.............@.0..reloc..4$.......&...PL.............@.0B/14..................vZ.............@..B/29.................~Z.............@..B/41.....XL.......N...&\.............@..B/55.....B............t\.............@..B/67.....T............X].............@.0B/80.....a............v].

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192000
Entropy (8bit):	6.395265378509869
Encrypted:	false
SSDEEP:	3072:QJlVTFj5qDao8KaxfE54HnnGSail+bOX8bX60UFHJKa:QJP5j5Ka2aOanGSabY860UFpKa
MD5:	7A02AA17200AEAC25A375F290A4B4C95
SHA1:	7CC94CA64268A9A9451FB6B682BE42374AFC22FD
SHA-256:	836799FD760EBA25E15A55C75C50B977945C557065A708317E00F2C8F965339E
SHA-512:	F6EBFE7E087AA354722CEA3FDDD99B1883A862FB92BB5A5A86782EA846A1BFF022AB7DB4397930BCABAA05CB3D817DE3A89331D41A565BC1DA737F2C5E3720B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b...............u^......uk......u_......{v.....fz.......{f..............uZ......uh.....Rich............PE..L......f.....................B"......d............@..........................0$...........@....................................<.............................#..$...................................................................................text...J........................... ....rdata..............................@..@.data....+!.........................@....reloc..*D....#..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6634402
Entropy (8bit):	6.631555996365599
Encrypted:	false
SSDEEP:	49152:iBEVDqd3DizOb6U0fwlu6560pvxbm4QOdap+T+00kwsKRns+L2TX4n4heFIhz3jP:iEdqLSoap+T+9FsKRnkEuEcuZOi+R
MD5:	A2EAD3670D2D61E86C0F6D8DF5C4392A
SHA1:	4A46E64C70897504C28B94B645488D3A71D25DC5
SHA-256:	2CA7F5DFCD3F7664C8C6F02BB23203D0A9F032F5197B303C2ACA00830E175501
SHA-512:	84DDE0F2B584076C59B55A357DF9050F79570252D9BED7BC034F09A653463A57CB3A0E435367953A9C86F03E2405060520A2D87B97937BF369900874DB083892
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 49%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f.._.A%.........#..G..fZ...f...........H...@...................................e....... ......................@..B....P..................................@&............................H......................Q...............................text...4.G.......G.................`.P`.data...(.....H.......G.............@.`..rdata...... H.......H.............@.`@/4............H.......H.............@.0@.bss....T.f..PL.......................`..edata..B....@.......4L.............@.0@.idata.......P.......6L.............@.0..CRT....4....`.......@L.............@.0..tls.........p.......BL.............@.0..reloc..@&.......(...DL.............@.0B/14..................lZ.............@..B/29.................tZ.............@..B/41.....XL...p...N....\.............@..B/55.....B............j\.............@..B/67.....T............N].............@.0B/80.....a............l].

C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3766272
Entropy (8bit):	7.38258216504181
Encrypted:	false
SSDEEP:	98304:epy65+/t4BT7/Z/U6NVQFamv1oOgEoYYkTZ:ec6Ot4x7RcsmFxv+OgEoYvTZ
MD5:	7E6A519688246FE1180F35FE0D25D370
SHA1:	8E8719AC897DFEF7305311DC216F570AF40709AF
SHA-256:	32A927E9B33371B82BAE9F02B5EBF07C19AE5A3A7E3C0CD3FCBEE7CFFF7F257A
SHA-512:	A751E911EB254749A3C8C98740F455A5BE32CE1AF94DC90EBA8FC677D6D7379303F80247748DFCFE9C8570EDB3488A5AF97FA7FF29C815BEC6824DD491E27972
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 58%
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F2......=.......@....@...........................9..................@...........................p...#...P....1..................... ...................................................................................CODE....d-.......................... ..`DATA.........@.......2..............@...BSS..........`.......P...................idata...#...p...$...P..............@....tls.................t...................rdata...............t..............@..P.reloc.. ............v..............@..P.rsrc.....1..P....1.................@..P..............9......x9.............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.216673519026734
Encrypted:	false
SSDEEP:	768:fcbuPx+zgDwfIH/335cJX2om4VQRIEvmg5+FOKo5h:flxT1H/335C2ozVQRItgMF4h
MD5:	B73CF29C0EA647C353E4771F0697C41F
SHA1:	3E5339B80DCFBDC80D946FC630C657654EF58DE7
SHA-256:	EDD76F144BBDBFC060F7CB7E19863F89EB55863EFC1A913561D812083B6306CD
SHA-512:	2274D4C1E0EF72DC7E73B977E315DDD5472EC35A52E3449B1F6B87336EE18FF8966FED0451D19D24293FDE101E0C231A3CAA08B7BD0047A18A41466C2525E2E8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....I..........."...0.................. ........@.. ....................... ............@.................................:...O.......................................8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................n.......H........1..............xJ.. y............................................~....}.....~....}.....~....}.....(.....(......{....t....}....6..s....(.......0..>........{....r...po...........o....&..{........(....(....}.....(.......0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.......

C:\Users\user\AppData\Local\Temp\1000254001\penis.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	565760
Entropy (8bit):	6.027563585335799
Encrypted:	false
SSDEEP:	6144:D9ZTacgcC0MvpRumxRzZhM6O7G8imHV7GcCG5CrscFS6A1yNF2qm+Dpy4Z+hPx:JZTyfvjuQzZq7G8ivcCG5CHFBjz1WhZ
MD5:	03CF06E01384018AC325DE8BC160B4B2
SHA1:	1853505E502B392FD556A9CE6050207230CC70CD
SHA-256:	5AB3785B2B72EAF7EDFF8961EB8FF8DD3DC6CC7031BC96CEB06A899B6FB3BBBC
SHA-512:	BE1F2CF898DB93E96E8817BF2D0AB0EF0F49D5BBA4EFBA2DE4046F6B381E8EDA6FF5FCFDC057B6CBC4DE5B3A7B096612C1E0D6B0D395EE685B3844BA5DC0E1B6
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...m.................0..B...^.......a... ........@.. ....................................@.................................pa..K........Z........................................................................... ............... ..H............text....A... ...B.................. ..`.rsrc....Z.......\...D..............@..@.reloc..............................@..B.................a......H........Y.................................................................(....(.....0...........s........~....%:....&~......'...s....%.....(...+o.....8[....o...............%..F~ ...(.....%..G~ ...(.....%..H~ ...(.....%..e~ ...(.....~!...(.......o......8......(......s.......s........~....}....~...........s....(....o....}......{.....I~ ...(....o........9......I~ ...(.......8C........~ ...(....o....:......{....~"...(....8......{....~#...(.........(...........9........o.....

C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082149053952267
Encrypted:	false
SSDEEP:	3072:Gq6EgY6iwrUjpgcDwPddU3417TAYtAliUpcZqf7D349eqiOLibBOp:dqY6inwPwo17TAkA1pcZqf7DIHL
MD5:	30DAA686C1F31CC4833BD3D7283D8CDC
SHA1:	70F74571FAFE1B359CFE9CE739C3752E35D16CF5
SHA-256:	504518E3B4F3ABC7F1AE1BF205FDC4A9F739E05B5E84618BAE9C7E66BDC19822
SHA-512:	9F6C0EEA9F03F9AA35EBF27CE8264E41D9072D273D1B8A35415AE4666D31013D895D1108DD67E36910200E2AC4FC45A4A9D761A1AADF02B0FD29EF93CD20A4D9
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1.7...............0................. ... ....@.. ....................... ............@.................................p...O.... ..............................T................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1662464
Entropy (8bit):	7.652895099580909
Encrypted:	false
SSDEEP:	24576:3ZAYdRMHkss0gfe4GCfB375jh9WBSI5RyDv/5m0mMra4kpYrK:pAaMH00glBf9UZMgLpY
MD5:	3F99C2698FC247D19DD7F42223025252
SHA1:	043644883191079350B2F2FFBEFEF5431D768F99
SHA-256:	BA8561BF19251875A15471812042ADAC49F825C69C3087054889F6107297C6F3
SHA-512:	6A88D1049059BBA8F0C9498762502E055107D9F82DBC0AACFDD1E1C138BDB875CF68C2B7998408F8235E53B2BB864BA6F43C249395640B62AF305A62B9BFCD67
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 29%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....].f.................V............... ....@...... ....................................`...@......@............... ..................................p............................................................................................ ..H............text....T... ...V.................. ..`.rsrc...p............X..............@..@........................................H...................Y...(...hy..............................................(.......(.....0..s........ .... ....s....}....8.......s....}....8..... u..7(....(.... ....~....{....:....& ....8....8........E........8......0..u........ .... ....s....}....8.......s....}....8..... u..7(....(.... ....~....{....9....& ....8....8........E....2...........6.......z...z...g...........O...........8-..... ...7(.....\|....(....(....(...... ....8..... ...7(.....s#...(.... ....~....{....:k...& ....8

C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6658743
Entropy (8bit):	6.6286600350884886
Encrypted:	false
SSDEEP:	98304:6eZyvLAWn165UTJbRIQT/diMjl1jWQsznI7:6eZyvLAoLtRnzl1jWbI7
MD5:	931C65C2ABF6031D6520F1A48A0F5E34
SHA1:	E5034AA393E00A2B217AD7D60AA49362B6BA5FCE
SHA-256:	ED19EA12EE52A2DD4808B6956B9E65524FE0307659E685253AD3B28DF0EF89E5
SHA-512:	F8DEB851B0C4E405D116CB8FE75E952716FADEE1FAC63DC38FF2F02FD6590A3DBE0AAB74022FC2660874EF9C5950C7BFE113672B61F419B62E865DB8DA55B415
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 54%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(r.f.(_.8&.........#..G..zZ...f...........G...@...................................e....... ......................`..B....p..................................x#............................H......................q...............................text.....G.......G.................`.P`.data.........G.......G.............@.`..rdata..8.....H.......G.............@.`@/4............H.......H.............@.0@.bss....T.f..pL.......................`..edata..B....`.......LL.............@.0@.idata.......p.......NL.............@.0..CRT....4............XL.............@.0..tls.................ZL.............@.0..reloc..x#.......$...\L.............@.0B/14...................Z.............@..B/29..................Z.............@..B/41.....XL.......N...0\.............@..B/55.....B............~\.............@..B/67.....T............b].............@.0B/80.....a.............].

C:\Users\user\AppData\Local\Temp\246122658369

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
Category:	dropped
Size (bytes):	85360
Entropy (8bit):	7.847841007460728
Encrypted:	false
SSDEEP:	1536:CHbFdHoMZqaX7eNynJMPieGcvbrYcrb2AGOZtg5OW:+nolNynaitSbscf2AvMP
MD5:	9C6978071E0BF2C1ADFFF4B341B01E4C
SHA1:	BB5E7998DE421926A1B0953DA3499CD0761CCFA0
SHA-256:	EA149434E0DAD8B33DD7180BFEE63046FBE579C9689D6A8D40ADE6165808A386
SHA-512:	01B2290F0317D435AE1C934D58D52F94F0025FBF2571F68BD815FA4894C44A26649456085007E07764C624EBD712885D43BCE2C3026CF5EA3213FCCA3CFDE65D
Malicious:	false
Reputation:	unknown
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...(..?3...m..,.X.c.#....O..i.....w...._.#.*bi.F.xJ.5KC"...N...m.g....Uf.....?.2......Q.]9o..s......T..W6.y.:.....CPWJi......%-....Z(.(..o.<-...OF.....j.#?........x..........#..........9.+..........e\.../n-.n.dh.c...k....1.q...y5..r..N.)W...O.d.QEw.!E.P11E-v.....Z..tN.Lo..?.Xb1....Oc....&...W.8.+.?.]._.....G.R....n..............z...........w..#.......`..

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\g082Q9DajU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1873408
Entropy (8bit):	7.95027498025101
Encrypted:	false
SSDEEP:	49152:r49w1qMB2mWX1R3Bk0b2wZ+SE+UgUfjOmxiAr0o8PjFO0/F:rQC2lX1R3B3b2u+SE+UlfjPiAIompz
MD5:	6E66AEA8D0D6A8E404CCC60BB32A99F3
SHA1:	651A6272114A9EF6ED3039A5DA41A1F0BFB03E9E
SHA-256:	C1FBE1E578D32BF34B6C29B06D012F542AAC34CDF3AF35362E18EA8714716982
SHA-512:	30DA1A78654A2A11EC5390AEC622405535270E3304BDEF94E3FE84ACFC0CA1B02F8754D21B89DCD69AF126DE0E8B60CF4336707CC297F4C3BDBF257390D7FFE4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 76%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................0J...........@..........................`J.....:\|....@.................................W...k.............................J...............................J..................................................... . ............................@....rsrc...............................@....idata ............................@... ..).........................@...ckpyoeob......0..\|..................@...nhhoofat..... J......p..............@....taggant.0...0J.."...t..............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\g082Q9DajU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Tmp5ECB.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp5EDC.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp6CD5.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp6D24.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpE30E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\TmpE31F.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\rgqzVBZOCfumjeaMDHRm.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315835392
Entropy (8bit):	0.055761817713950085
Encrypted:	false
SSDEEP:	24576:zKuCaYD+NcCxKgdqUxd4ReQ9mEr1Ko2kJzeDlBOX:zKuJUUxd4TzYRL
MD5:	D03AE9544594FBC900750C04C264EB4F
SHA1:	A7277ADE84F81F569B1E69F47956B786BCF987DA
SHA-256:	8137C0165F2A45463EC648891530432566DE8B8B4D41CACE3A5A41EB32B8830D
SHA-512:	6EE8CC681603313CCF18842FA1A778342B575C3614D5ED232A7A3BC35439B7983093F030E79453190419E7242591CF714EFCCFF42B87864E585BB89107859FE3
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...#.H...@...............`.....c......................................@... .........................`....................................0..........................................................t............................text...LF.......H..................`.P`.data........`.......L..............@.`..rdata..@............b..............@.`@.eh_fram.....P.......&..............@.0@.bss....t.............................`..edata..`...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc.......0......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314613760
Entropy (8bit):	0.002153594107399314
Encrypted:	false
SSDEEP:
MD5:	BB25CD7CC9659E1726129BFE8DA686F1
SHA1:	DE9D87540232DB267D415C182E8991057734A663
SHA-256:	334C2E38A1191054E649746D23C7DF1586969FA59BC759C7443E6C64FF868C8F
SHA-512:	1DD9878F3C2C0B9B8781D440ADBF8B8AA614038712A40F1A61D8BAD7E2AD74DBC4ED200E7AB9BE9BFF0CCBA955052B6A45439F9643D15ED812E5052C66F08870
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...............#.v........................@.......................................@... .................................................................h...................................................X................................text....u.......v..................`.P`.data...X............z..............@.0..rdata..X............\|..............@.`@.eh_fram............................@.0@.bss..................................`..idata..............................@.0..CRT....4...........................@.0..tls................................@.0..reloc..h...........................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\svchost015.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990472
Entropy (8bit):	6.459856200541649
Encrypted:	false
SSDEEP:
MD5:	B826DD92D78EA2526E465A34324EBEEA
SHA1:	BF8A0093ACFD2EB93C102E1A5745FB080575372E
SHA-256:	7824B50ACDD144764DAC7445A4067B35CF0FEF619E451045AB6C1F54F5653A5B
SHA-512:	1AC4B731B9B31CABF3B1C43AEE37206AEE5326C8E786ABE2AB38E031633B778F97F2D6545CF745C3066F3BD47B7AAF2DED2F9955475428100EAF271DD9AEEF17
Malicious:	true
Reputation:	unknown
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....\"f..................#.........l.#.......#...@..........................p1.....?.-...`...(..@...........................p&.l3....(...............-..!....................................&.....................................................CODE......#.......#................. ..`DATA....0.....#.......#.............@...BSS...........$......\$..................idata..l3...p&..4...\$.............@....tls....\|.....&.......$..................rdata........&.......$.............@..P.reloc.......&.......$.............@..P.rsrc.........(.......$.............@..P.............p1......,/.............@..P........................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1002\e3ddfdedd8e0686c5f49619bcce946c2_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	557056
Entropy (8bit):	6.311657384729558
Encrypted:	false
SSDEEP:
MD5:	88367533C12315805C059E688E7CDFE9
SHA1:	64A107ADCBAC381C10BD9C5271C2087B7AA369EC
SHA-256:	C6FC5C06AD442526A787989BAE6CE0D32A2B15A12A41F78BACA336B6560997A9
SHA-512:	7A8C3D767D19395CE9FFEF964B0347A148E517982AFCF2FC5E45B4C524FD44EC20857F6BE722F57FF57722B952EF7B88F6249339551949B9E89CF60260F0A714
Malicious:	true
Yara Hits:	Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, Author: ditekSHen
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A/................0..,...R......^J... ...`....@.. ....................................@..................................J..K....`...O........................................................................... ............... ..H............text...d... ...,.................. ..`.rsrc....O...`...P..................@..@.reloc...............~..............@..B................@J......H.......\|Z...x......<...X....)..............................................(....*..0...........s........~....%:....&~......!...s....%.....(...+o.....8[....o...............%..F~s...(.....%..G~s...(.....%..H~s...(.....%..e~s...(.....~t...(.......o......8......(......s.......sK.......~....}....~...........s....(....o....}......{.....I~s...(....o........9......I~s...(.......8C........~s...(....o....:......{....~u...(....8......{....~v...(.........(...........9........o........(

C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	311296
Entropy (8bit):	5.082156492931411
Encrypted:	false
SSDEEP:
MD5:	30F46F4476CDC27691C7FDAD1C255037
SHA1:	B53415AF5D01F8500881C06867A49A5825172E36
SHA-256:	3A8F5F6951DAD3BA415B23B35422D3C93F865146DA3CCF7849B75806E0B67CE0
SHA-512:	271AADB524E94ED1019656868A133C9E490CC6F8E4608C8A41C29EFF7C12DE972895A01F171E8F625D07994FF3B723BB308D362266F96CB20DFF82689454C78F
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe, Author: Joe Security
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d.9...............0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Pictures\Lighter Tech\runtime.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	45056
Entropy (8bit):	6.216673519026734
Encrypted:	false
SSDEEP:
MD5:	B73CF29C0EA647C353E4771F0697C41F
SHA1:	3E5339B80DCFBDC80D946FC630C657654EF58DE7
SHA-256:	EDD76F144BBDBFC060F7CB7E19863F89EB55863EFC1A913561D812083B6306CD
SHA-512:	2274D4C1E0EF72DC7E73B977E315DDD5472EC35A52E3449B1F6B87336EE18FF8966FED0451D19D24293FDE101E0C231A3CAA08B7BD0047A18A41466C2525E2E8
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....I..........."...0.................. ........@.. ....................... ............@.................................:...O.......................................8............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................n.......H........1..............xJ.. y............................................~....}.....~....}.....~....}.....(.....(......{....t....}....6..s....(.......0..>........{....r...po...........o....&..{........(....(....}.....(.......0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.........{........(....(....}.....(........0..!.......

C:\Windows\Tasks\Hkbsse.job

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
File Type:	data
Category:	dropped
Size (bytes):	284
Entropy (8bit):	3.4249059199821237
Encrypted:	false
SSDEEP:
MD5:	74AEB8E0159274F10E9122B0B925922C
SHA1:	0CD12E5AD53BC93DE0863EB2A3733316DE6B03FC
SHA-256:	292046026A51F76783F8992F9083029D83E27D26EBF24EF7FF9A542EB6570A65
SHA-512:	DD4BFA8422FC87E1D164B2D79F2E5C6BF82B9DE6A592341F9871275FE5C0CAAD3C3795F004DC1E45EFF2CB69D235CF0F9FB88B690D4B1E94FA252007D7FB4CCE
Malicious:	false
Reputation:	unknown
Preview:	......@k.yH.\......F.......<... .....s.......... ....................8.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.5.4.f.d.c.5.f.7.0.\.H.k.b.s.s.e...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................&.@3P.........................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\g082Q9DajU.exe
File Type:	data
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.4257921101539894
Encrypted:	false
SSDEEP:
MD5:	418ADC863771F32FF068782F9AAC29BB
SHA1:	0BB469A8647AC88420BC3BB19DDF53200F1AD4BC
SHA-256:	E9EBAAF79C432DAC4235CD34FD4B7B399E75020D895D19B637182DA76936B4AE
SHA-512:	6F4D4CB529E04CDFF1BBC32FB074D03F19AB760429DC86D62A55460E50F05F3EC790D14EF0352FB8E9C176953FA4142E8E3E8FCA9725FCA31208A116113CBB73
Malicious:	false
Reputation:	unknown
Preview:	....!./..8.O.L......F.......<... .....s.......... ....................9.C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........J.O.N.E.S.-.P.C.\.j.o.n.e.s...................0.................%.@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.95027498025101
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	g082Q9DajU.exe
File size:	1'873'408 bytes
MD5:	6e66aea8d0d6a8e404ccc60bb32a99f3
SHA1:	651a6272114a9ef6ed3039a5da41a1f0bfb03e9e
SHA256:	c1fbe1e578d32bf34b6c29b06d012f542aac34cdf3af35362e18ea8714716982
SHA512:	30da1a78654a2a11ec5390aec622405535270e3304bdef94e3fe84acfc0ca1b02f8754d21b89dcd69af126de0e8b60cf4336707cc297f4c3bdbf257390d7ffe4
SSDEEP:	49152:r49w1qMB2mWX1R3Bk0b2wZ+SE+UgUfjOmxiAr0o8PjFO0/F:rQC2lX1R3B3b2u+SE+UlfjPiAIompz
TLSH:	7285331ABD74B331CA9E38B66DCF0BB32C253AF3535C109AD1240675731727AFAA9491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x8a3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F9D94F2876Ah
pcmpeqb mm3, qword ptr [eax+eax]
add byte ptr [eax], al
add byte ptr [eax], al
jmp 00007F9D94F2A765h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+ecx], al
add byte ptr [eax], al
or ecx, dword ptr [edx]
add byte ptr [eax], al
pop es
or al, byte ptr [eax]
add byte ptr [0200000Ah], al
or al, byte ptr [eax]
add byte ptr [ecx], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4a18ec	0x10	ckpyoeob
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4a189c	0x18	ckpyoeob
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	6613217c99983c5218d958e8c549cb4b	False	0.997291169959128	OpenPGP Public Key	7.981188062174272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	fc374214cc29bda86ec59f2951371fa1	False	0.580078125	data	4.502009168723062	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x29f000	0x200	3601f27fae07e5368cb3d28384d8f2a5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ckpyoeob	0x30a000	0x198000	0x197c00	26b8f9190472288f0d1c603e093b920f	False	0.9946028605916616	data	7.953465161442263	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
nhhoofat	0x4a2000	0x1000	0x400	8a5ce07744778b960f5a3bc8cbc9c83a	False	0.783203125	data	6.079691715838151	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4a3000	0x3000	0x2200	cb35469bcbf62919d201db8b16a05d04	False	0.09340533088235294	DOS executable (COM)	1.0726701598296609	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4a18fc	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:36:47
Start date:	06/09/2024
Path:	C:\Users\user\Desktop\g082Q9DajU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\g082Q9DajU.exe"
Imagebase:	0x260000
File size:	1'873'408 bytes
MD5 hash:	6E66AEA8D0D6A8E404CCC60BB32A99F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.1683484955.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.1723667142.0000000000261000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	03:36:49
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0xe10000
File size:	1'873'408 bytes
MD5 hash:	6E66AEA8D0D6A8E404CCC60BB32A99F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000002.1748418353.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000001.00000003.1707837826.0000000004FD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 76%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:36:49
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xe10000
File size:	1'873'408 bytes
MD5 hash:	6E66AEA8D0D6A8E404CCC60BB32A99F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.1749444823.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.1709099923.00000000055F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:37:00
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xe10000
File size:	1'873'408 bytes
MD5 hash:	6E66AEA8D0D6A8E404CCC60BB32A99F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.1812249339.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	03:37:04
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000002001\gold.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000002001\gold.exe"
Imagebase:	0x520000
File size:	320'512 bytes
MD5 hash:	2D647CF43622ED10B6D733BB5F048FC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000005.00000002.1851600707.0000000003A05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 88%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:37:04
Start date:	06/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:37:04
Start date:	06/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x670000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.1997902146.0000000000421000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2002581116.0000000002A69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2002581116.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	03:37:07
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000004001\crypteda.exe"
Imagebase:	0x770000
File size:	1'104'936 bytes
MD5 hash:	8E74497AFF3B9D2DDB7E7F819DFC69BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:37:07
Start date:	06/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xb70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000A.00000002.1884009401.0000000000479000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:37:07
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe"
Imagebase:	0x2d0000
File size:	557'056 bytes
MD5 hash:	88367533C12315805C059E688E7CDFE9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000000B.00000000.1882466924.00000000002D2000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Roaming\c4W13ZFj1P.exe, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:37:08
Start date:	06/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:37:08
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe"
Imagebase:	0x6c0000
File size:	311'296 bytes
MD5 hash:	30F46F4476CDC27691C7FDAD1C255037
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 0000000D.00000000.1883338609.00000000006C2000.00000002.00000001.01000000.0000000E.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2029479826.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2029479826.0000000002C94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Roaming\vzVy6ZevhK.exe, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	03:37:10
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe"
Imagebase:	0xc20000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000F.00000000.1905853574.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000005001\Nework.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	03:37:11
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
Imagebase:	0xa90000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000012.00000002.1916812173.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000012.00000000.1913790607.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	03:37:11
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Imagebase:	0xa90000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000002.1916345322.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000013.00000000.1914368612.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	03:37:12
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0xf60000
File size:	192'000 bytes
MD5 hash:	7A02AA17200AEAC25A375F290A4B4C95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000014.00000002.2122450244.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2122450244.0000000000916000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	03:37:19
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000129001\S tup.exe"
Imagebase:	0x400000
File size:	6'634'402 bytes
MD5 hash:	A2EAD3670D2D61E86C0F6D8DF5C4392A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000015.00000002.3079738326.0000000003F33000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 49%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	03:37:24
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000191001\needmoney.exe"
Imagebase:	0x400000
File size:	3'766'272 bytes
MD5 hash:	7E6A519688246FE1180F35FE0D25D370
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_Crypt, Description: Yara detected CryptOne packer, Source: 00000016.00000002.2122597398.0000000003139000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000016.00000002.2122597398.0000000002E30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 58%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	03:37:30
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\svchost015.exe
Imagebase:	0x400000
File size:	2'990'472 bytes
MD5 hash:	B826DD92D78EA2526E465A34324EBEEA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.2107557693.0000000000401000.00000020.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000017.00000002.2499846584.0000000000A7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.2499846584.0000000000ADC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	03:37:30
Start date:	06/09/2024
Path:	C:\Users\user\1000238002\Amadeus.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\1000238002\Amadeus.exe"
Imagebase:	0xfa0000
File size:	5'562'368 bytes
MD5 hash:	36A627B26FAE167E6009B4950FF15805
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000018.00000002.2456285511.0000000001C00000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 00000018.00000002.2427689635.0000000001A80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	03:37:32
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe"
Imagebase:	0x900000
File size:	45'056 bytes
MD5 hash:	B73CF29C0EA647C353E4771F0697C41F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000019.00000002.2258945383.0000000012E41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000019.00000002.2319721857.000000001D580000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	03:37:35
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000254001\penis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000254001\penis.exe"
Imagebase:	0x310000
File size:	565'760 bytes
MD5 hash:	03CF06E01384018AC325DE8BC160B4B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 0000001A.00000000.2160574126.0000000000312000.00000002.00000001.01000000.0000001E.sdmp, Author: Joe Security Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: Joe Security Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\1000254001\penis.exe, Author: ditekSHen
Antivirus matches:	Detection: 63%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	03:37:35
Start date:	06/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	03:37:36
Start date:	06/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0x1c0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	03:37:36
Start date:	06/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0x1c0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	03:37:37
Start date:	06/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\AppData\Local\Temp\1000243001\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Imagebase:	0x7ff66d2b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	03:37:37
Start date:	06/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	03:37:38
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe"
Imagebase:	0x400000
File size:	311'296 bytes
MD5 hash:	30DAA686C1F31CC4833BD3D7283D8CDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.2500882491.00000000028EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000020.00000002.2500882491.0000000002858000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000020.00000000.2187298068.0000000000421000.00000002.00000001.01000000.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000259001\bundle.exe, Author: Joe Security
Antivirus matches:	Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	03:37:38
Start date:	06/09/2024
Path:	C:\Windows\System32\schtasks.exe
Wow64 process (32bit):	false
Commandline:	schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Imagebase:	0x7ff76f990000
File size:	235'008 bytes
MD5 hash:	76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	03:37:41
Start date:	06/09/2024
Path:	C:\Users\user\Pictures\Lighter Tech\runtime.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Imagebase:	0x220000
File size:	45'056 bytes
MD5 hash:	B73CF29C0EA647C353E4771F0697C41F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	03:37:41
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000260001\5KNCHALAH.exe"
Imagebase:	0x23d569b0000
File size:	1'662'464 bytes
MD5 hash:	3F99C2698FC247D19DD7F42223025252
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.3290631876.0000023D71340000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000024.00000002.3071200614.0000023D58801000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 29%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	03:37:43
Start date:	06/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x7d0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	03:37:46
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000296001\Channel3.exe"
Imagebase:	0x400000
File size:	6'658'743 bytes
MD5 hash:	931C65C2ABF6031D6520F1A48A0F5E34
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 54%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	03:37:46
Start date:	06/09/2024
Path:	C:\Users\user\Pictures\Lighter Tech\runtime.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Imagebase:	0xa70000
File size:	45'056 bytes
MD5 hash:	B73CF29C0EA647C353E4771F0697C41F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	03:37:51
Start date:	06/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0x1c0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	03:37:52
Start date:	06/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
Imagebase:	0x1c0000
File size:	103'528 bytes
MD5 hash:	89D41E1CF478A3D3C2C701A27A5692B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000029.00000002.2328370796.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	03:37:52
Start date:	06/09/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c copy "C:\Users\user\Pictures\Lighter Tech\runtime.exe" "C:\Users\user\Pictures\Lighter Tech\runtime.exe" && schtasks /Create /SC MINUTE /MO 1 /TN "runtime" /TR "C:\Users\user\Pictures\Lighter Tech\runtime.exe" /F
Imagebase:	0x7ff66d2b0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	03:37:52
Start date:	06/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	03:37:57
Start date:	06/09/2024
Path:	C:\Users\user\1000238002\Amadeus.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\1000238002\Amadeus.exe"
Imagebase:	0xfa0000
File size:	5'562'368 bytes
MD5 hash:	36A627B26FAE167E6009B4950FF15805
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Msfpayloads_msf_9, Description: Metasploit Payloads - file msf.war - contents, Source: 0000002C.00000002.2785633624.0000000001F60000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	03:38:00
Start date:	06/09/2024
Path:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
Imagebase:	0xa90000
File size:	425'984 bytes
MD5 hash:	F5D7B79EE6B6DA6B50E536030BCC3B59
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002D.00000002.3044385898.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002D.00000000.2403189499.0000000000A91000.00000020.00000001.01000000.00000014.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	46
Start time:	03:38:05
Start date:	06/09/2024
Path:	C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
Imagebase:	0x7d0000
File size:	231'736 bytes
MD5 hash:	A64BEAB5D4516BECA4C40B25DC0C1CD8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	03:38:07
Start date:	06/09/2024
Path:	C:\Users\user\Pictures\Lighter Tech\runtime.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Pictures\Lighter Tech\runtime.exe"
Imagebase:	0xfa0000
File size:	45'056 bytes
MD5 hash:	B73CF29C0EA647C353E4771F0697C41F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 04C40E1B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725757772.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_g082Q9DajU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d3be45463ca30577db71d1bfe42c92315c7388fe0f845fee9c2e40992750d7c
Instruction ID: 7653dfcb36cd176f2e776f0d1dcabe3f1d2913f117f8202ae248e47d1715229f
Opcode Fuzzy Hash: 8d3be45463ca30577db71d1bfe42c92315c7388fe0f845fee9c2e40992750d7c
Instruction Fuzzy Hash: 48F03ABB28C011ADB211D5977B14AB7676EE4D6730339C87BF987C2202F6941B1D7130

Function 04C40E3E Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725757772.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_g082Q9DajU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68021e5a5d48bf9aa64eb9eba5f1973e8691a8e09cdbe56c5d146b07a016e942
Instruction ID: dbf987d25b86073012ee51a12889a25efb5f2cef7c79c692a991dd4449879733
Opcode Fuzzy Hash: 68021e5a5d48bf9aa64eb9eba5f1973e8691a8e09cdbe56c5d146b07a016e942
Instruction Fuzzy Hash: 1001F9B76CC211ADA201D96767144B77B7BE5D3330335C467F582CA003F2A45F2A6230

Function 04C40DC4 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725757772.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_g082Q9DajU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c180636f9fffd7e1fee49a8dcd1f9b5f31902c50b8fb54a9990de718b8f34616
Instruction ID: 82aa75a699ff94a1b754ea011f23b8fa747f89b7c8e56400967779aa07ec9824
Opcode Fuzzy Hash: c180636f9fffd7e1fee49a8dcd1f9b5f31902c50b8fb54a9990de718b8f34616
Instruction Fuzzy Hash: 6D1182EB288101BEB10295976B14AF7676FE5D77303358466F583CA102F2D55B1E7231

Function 04C40E28 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725757772.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_g082Q9DajU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6322714f278bc14ceb848b400dbd9afd835ccad6e2b962fe270f80592a6255bc
Instruction ID: ed478f53c6756d8cd0ae3b1839a4e5cb04f5e754ce5b8d136bd6a09282c4af93
Opcode Fuzzy Hash: 6322714f278bc14ceb848b400dbd9afd835ccad6e2b962fe270f80592a6255bc
Instruction Fuzzy Hash: A211BFAB28C011BDB101C5976B14AF76B7EE5C6B30338846BF582CA102F2955B1E3230

Function 04C40DF5 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725757772.0000000004C40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4c40000_g082Q9DajU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d01181881be1bebde9aa63aedd4bc16ea85f1469f9d2442decdb435f80a01b4
Instruction ID: 2f3777bb899e8c79c124490ef538d6d82eb03ace4578661f71c2db3e3dac2430
Opcode Fuzzy Hash: 1d01181881be1bebde9aa63aedd4bc16ea85f1469f9d2442decdb435f80a01b4
Instruction Fuzzy Hash: 0501F9A728C101AEE201C55767186B67B7BE5D7630339846BF586CA102F6951B1AB170

Analysis Process: axplong.exePID: 7860, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	7.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	355
Total number of Limit Nodes:	28

Executed Functions

Function 00E1E440 Relevance: 16.0, Strings: 12, Instructions: 982
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MT==, xrefs: 00E1E4A5
MJB+, xrefs: 00E1E734
UD==, xrefs: 00E1EA1F, 00E1EC66
fed3aa, xrefs: 00E1FA9E
GqKudSO2, xrefs: 00E1E47F
d4, xrefs: 00E1F6D5
WWt=, xrefs: 00E2088D
WWp=, xrefs: 00E204DA
#, xrefs: 00E20534
111, xrefs: 00E1F6B0
WGt=, xrefs: 00E1F62D, 00E1F90A
246122658369, xrefs: 00E1F647, 00E1F924, 00E204F7, 00E208AA

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$WWt=$d4$fed3aa
API String ID: 0-1922622457
Opcode ID: d3f68f50cf82a624fe633d31a4383fa8ffc3b5a1e11dd4f76f1bc3f1c781d575
Instruction ID: f99741a199656fc422058cc06af049753d67a121257a21bab5fb2b8295404394
Opcode Fuzzy Hash: d3f68f50cf82a624fe633d31a4383fa8ffc3b5a1e11dd4f76f1bc3f1c781d575
Instruction Fuzzy Hash: 8482E270A04258DBEF18EF68C94A7DD7BB6EB46304F509188E805373C2D7759A88CBD2

Function 00E2D312 Relevance: .2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E1247E

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 071e0528b3973e209b11c1d432f911036e9e9277db6b4a73836a0e1cf8fb1527
Instruction ID: 126a0fa22ef95f38e6314f4a3ad22d51d7904d534dfdaab4c1166154bf085d91
Opcode Fuzzy Hash: 071e0528b3973e209b11c1d432f911036e9e9277db6b4a73836a0e1cf8fb1527
Instruction Fuzzy Hash: E9519CB2904A198FEB15CF65EC817A9B7F0FB08314F24962AD618FB290D770A984CF50

Function 00E23550 Relevance: 53.3, APIs: 1, Strings: 29, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00E2425F

Part of subcall function 00E27870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00E2795C
Part of subcall function 00E27870: __Cnd_destroy_in_situ.LIBCPMT ref: 00E27968
Part of subcall function 00E27870: __Mtx_destroy_in_situ.LIBCPMT ref: 00E27971

Strings

JB6, xrefs: 00E253F5
-, xrefs: 00E24F3A
fed3aa, xrefs: 00E25489
aqB6, xrefs: 00E254DB
WJms, xrefs: 00E23BD9
W07l, xrefs: 00E23AEE
MJF+, xrefs: 00E247BD, 00E248EC, 00E24ADC, 00E24C0B
V5Qk, xrefs: 00E23DC0
9526, xrefs: 00E2531D
V0N6, xrefs: 00E2537A
invalid stoi argument, xrefs: 00E22DE9, 00E22DF8, 00E2425A, 00E24E9D
Vp 6, xrefs: 00E25447
KFT0PL==, xrefs: 00E254B9
aZT6, xrefs: 00E253CC
246122658369, xrefs: 00E21EA5, 00E227EE, 00E22A43, 00E22AB0, 00E22E88, 00E23373, 00E233D4, 00E24F4D, 00E24F8F, 00E24F99, 00E254F4
96B6, xrefs: 00E25470
Fz==, xrefs: 00E2369E, 00E24D2D
stoi argument out of range, xrefs: 00E22E02, 00E24269, 00E24EAC
MJB+, xrefs: 00E24776, 00E247ED, 00E24A95, 00E24B0C
mP=, xrefs: 00E26383
5120, xrefs: 00E23ABF, 00E23BAA
9KN6, xrefs: 00E25351
8ZF6, xrefs: 00E25502
HBhr, xrefs: 00E2378F
5F6, xrefs: 00E25497
V0x6, xrefs: 00E2541E
WJP6, xrefs: 00E253A3
6F9fr==, xrefs: 00E24712
", xrefs: 00E23E99

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$"$246122658369$5120$8ZF6$9526$96B6$9KN6$Fz==$HBhr$KFT0PL==$MJB+$MJF+$V0N6$V0x6$V5Qk$Vp 6$W07l$WJP6$WJms$aZT6$aqB6$fed3aa$invalid stoi argument$stoi argument out of range$-
API String ID: 4234742559-1530626100
Opcode ID: 32f1106c71f4883b98bce1958bac239480124741a64a20ef1e596b2a21d1e73e
Instruction ID: d4cdba015592ad1f735ba99c8998eaccd18f836264609e046f1ac2f7c1aae00b
Opcode Fuzzy Hash: 32f1106c71f4883b98bce1958bac239480124741a64a20ef1e596b2a21d1e73e
Instruction Fuzzy Hash: F0522271A00268DBEF18EF78DD4ABDDBBB5AF45300F505188E445B72C2D7749A84CBA2

Function 00E246C0 Relevance: 30.0, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00E27870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00E2795C
Part of subcall function 00E27870: __Cnd_destroy_in_situ.LIBCPMT ref: 00E27968
Part of subcall function 00E27870: __Mtx_destroy_in_situ.LIBCPMT ref: 00E27971

std::_Xinvalid_argument.LIBCPMT ref: 00E24EA2

Strings

Fz==, xrefs: 00E2369E, 00E24D2D
JB6, xrefs: 00E253F5
stoi argument out of range, xrefs: 00E24269, 00E24EAC
MJB+, xrefs: 00E24776, 00E247ED, 00E24A95, 00E24B0C
mP=, xrefs: 00E26383, 00E26652
-, xrefs: 00E24F3A
fed3aa, xrefs: 00E25489
aqB6, xrefs: 00E254DB
MJF+, xrefs: 00E247BD, 00E248EC, 00E24ADC, 00E24C0B
9KN6, xrefs: 00E25351
9526, xrefs: 00E2531D
8ZF6, xrefs: 00E25502
V0N6, xrefs: 00E2537A
5F6, xrefs: 00E25497
V0x6, xrefs: 00E2541E
Vp 6, xrefs: 00E25447
WJP6, xrefs: 00E253A3
KFT0PL==, xrefs: 00E254B9
aZT6, xrefs: 00E253CC
6F9fr==, xrefs: 00E24712
246122658369, xrefs: 00E24F4D, 00E24F8F, 00E24F99, 00E254F4
96B6, xrefs: 00E25470

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range$-
API String ID: 4234742559-2239810561
Opcode ID: 292b70b5fd46147f29b3dd482d492d3080e8d998ec672c035311da54f09ecf25
Instruction ID: cfd7bc572097b88dba4cd5b091845e857d49acd2b9a2a479a7637fe03e68621c
Opcode Fuzzy Hash: 292b70b5fd46147f29b3dd482d492d3080e8d998ec672c035311da54f09ecf25
Instruction Fuzzy Hash: 7C232771A001648BEB19DB28DD4979DBBB6AB81304F5082DCE049BB2D2EB755FC4CF91

Function 00E158F0 Relevance: 20.3, Strings: 16, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

stoi argument out of range, xrefs: 00E17051
GVQsgL==, xrefs: 00E166F8
00000422, xrefs: 00E15FD9
IVKsgL==, xrefs: 00E167A1
(, xrefs: 00E17206
0000043f, xrefs: 00E1603B
RBPleCSm, xrefs: 00E1666C
ntdll.dll, xrefs: 00E1715D
00000423, xrefs: 00E1600A
invalid stoi argument, xrefs: 00E17060
z[, xrefs: 00E15A62
, xrefs: 00E17140
Sx, xrefs: 00E15B52, 00E15B6F, 00E15C09, 00E159C7
00000419, xrefs: 00E15FA8
NtUnmapViewOfSection, xrefs: 00E17158
Keyboard Layout\Preload, xrefs: 00E15F64

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: $($00000419$00000422$00000423$0000043f$GVQsgL==$IVKsgL==$Keyboard Layout\Preload$NtUnmapViewOfSection$RBPleCSm$Sx$invalid stoi argument$ntdll.dll$stoi argument out of range$z[
API String ID: 0-2252015383
Opcode ID: 8d236abbc468b31416892ee47a543abb944786e9a5984550e8a1e85f8be9632b
Instruction ID: 175f974c18d782cd7182140e3efb364067d70b818c22734f6f27c13306894819
Opcode Fuzzy Hash: 8d236abbc468b31416892ee47a543abb944786e9a5984550e8a1e85f8be9632b
Instruction Fuzzy Hash: A5B1F171A00654CFDB18CF68D990BEDBBB2EF89300F24566DE415BB382D7719A84CB91

Function 00E1BD60 Relevance: 9.1, Strings: 7, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8KG0fymoFx==, xrefs: 00E1C2EB, 00E1C543
stoi argument out of range, xrefs: 00E1E3FA
invalid stoi argument, xrefs: 00E1E404
d4, xrefs: 00E1E2FF
RHYTYv==, xrefs: 00E1BE33
RpKt, xrefs: 00E1D516
8KG0fCKZFzY=, xrefs: 00E1C385

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$d4$invalid stoi argument$stoi argument out of range
API String ID: 0-2910363358
Opcode ID: a383edc701613d272278bcf55c7b54b5ead4a6245609cd5ac080be47263393f4
Instruction ID: 958011f521323b9b2ad31d79cca67a516d259f01ec97180dcae24571c794a709
Opcode Fuzzy Hash: a383edc701613d272278bcf55c7b54b5ead4a6245609cd5ac080be47263393f4
Instruction Fuzzy Hash: AEB1E6B1640118DBEB28CF28CC85BDEBBB5EF45304F5051A9F509A7291D7719AC0CF95

Function 00E15DF0 Relevance: 7.9, Strings: 6, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 00E1600A
00000422, xrefs: 00E15FD9
Sx, xrefs: 00E15B52, 00E15B6F, 00E15C09, 00E159C7, 00E15C82
0000043f, xrefs: 00E1603B
00000419, xrefs: 00E15FA8
Keyboard Layout\Preload, xrefs: 00E15F64

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload$Sx
API String ID: 0-3161718263
Opcode ID: 333530194329246d216b09e9cdf9935ac2e86ac5290d2b676c65ec7380de23e7
Instruction ID: 7258ec1e1de9c9a1766b60d66d1f1ae1beade97dadab09bdd2f318a681bd4ad1
Opcode Fuzzy Hash: 333530194329246d216b09e9cdf9935ac2e86ac5290d2b676c65ec7380de23e7
Instruction Fuzzy Hash: 0DE17E71904228ABEB24DFA4CC89BDEB7B9EB04304F5052D9E509B7291D774AFC48F91

Function 00E17D00 Relevance: 4.1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JmpxRL==, xrefs: 00E18062
JmpyPb==, xrefs: 00E1810A
JmpxQb==, xrefs: 00E181B2

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 0-2057465332
Opcode ID: 94e3b4a786bb9534aa8f2798c7e8545b822b9b8336a737fc915edbaaa6449c6e
Instruction ID: ef5a1f4b10ada48cdf26651580f4b8ec7afe549b87677bf3bdf2a5ca2211b505
Opcode Fuzzy Hash: 94e3b4a786bb9534aa8f2798c7e8545b822b9b8336a737fc915edbaaa6449c6e
Instruction Fuzzy Hash: BED11271E00614EBDB18AB28DD467DD77B2AB86320F54628CE4597B3D2DB344EC48BD2

Function 00E165B0 Relevance: 4.0, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

GVQsgL==, xrefs: 00E166F8
IVKsgL==, xrefs: 00E167A1
RBPleCSm, xrefs: 00E1666C

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: GVQsgL==$IVKsgL==$RBPleCSm
API String ID: 0-3856690409
Opcode ID: e9c6dd1ffe24b19f63ecfe0a793ed125cf8054ace8f3c5965347439acc74a3e4
Instruction ID: e75508ba7e857aabaf9601c38c0129df34721424c6de29ffe4e382cd22b49fed
Opcode Fuzzy Hash: e9c6dd1ffe24b19f63ecfe0a793ed125cf8054ace8f3c5965347439acc74a3e4
Instruction Fuzzy Hash: 4A91C3B19001289BDF28DF28DC85BEDB7B9EB45304F4055E9E509A7282DA749FC4CFA4

Function 00E194B0 Relevance: 4.0, Strings: 3, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UD==, xrefs: 00E19585
hT,, xrefs: 00E19965
$2, xrefs: 00E1A8A0

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: $2$UD==$hT,
API String ID: 0-3974828503
Opcode ID: dfd4536a2b43e8f59ddd8ac9ee093cb15462bfa22e4f42e8351fc9be283a95c3
Instruction ID: 9ca5e7fbd7b86e3aea0634709036f92ade7cd3ea339127d03afb6ca71431ebb2
Opcode Fuzzy Hash: dfd4536a2b43e8f59ddd8ac9ee093cb15462bfa22e4f42e8351fc9be283a95c3
Instruction Fuzzy Hash: 1D919071A001688BEB29CF28CD55BEDB7B6EB85304F1081E9D549B7292DB359EC4CF90

Function 00E1B920 Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8KG0fymoFx==, xrefs: 00E1C2EB, 00E1C543
RHYTYv==, xrefs: 00E1BE33
8KG0fCKZFzY=, xrefs: 00E1C385

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==
API String ID: 0-2524226959
Opcode ID: 71aefc5dc6467e9e0e5334adb62c9e815b52a81a7e9f9f06adb66a67a566ecc7
Instruction ID: 1f3dcd760913124fc1518b302886d1dfdb1ee0650bfea84b9920f30795e1fc13
Opcode Fuzzy Hash: 71aefc5dc6467e9e0e5334adb62c9e815b52a81a7e9f9f06adb66a67a566ecc7
Instruction Fuzzy Hash: CE418C31A501199FDF08CF68CD85BEE7BB9EF49314F109618E915FB680EB75A980CB90

Function 00E46E01 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__dosmaperr.LIBCMT ref: 00E46F12

Part of subcall function 00E47177: __dosmaperr.LIBCMT ref: 00E471AC

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID:
API String ID: 2332233096-0
Opcode ID: d97f8e4156d2c9e29f49e44284d42a52c4878e4b96439ab02a7503d0c4917e9b
Instruction ID: 12db5ba587c6124adf914d840a5c90c8644b4b9b08e465f24afbd4b5275daced
Opcode Fuzzy Hash: d97f8e4156d2c9e29f49e44284d42a52c4878e4b96439ab02a7503d0c4917e9b
Instruction Fuzzy Hash: 01416D75A00204AFDB24DFB5E8419AFBBF9EF89304B10552DF496E3611EB30A944DB61

Function 00E17780 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runas, xrefs: 00E172D3

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: runas
API String ID: 0-4000483414
Opcode ID: 8516da6db3a26deefe3fd3189193eef230c906bcf08a923ec43533e5a58068fd
Instruction ID: 973942b8a3bdf530676025b9b5b889977db06e58f0173f1016c1d8988379547c
Opcode Fuzzy Hash: 8516da6db3a26deefe3fd3189193eef230c906bcf08a923ec43533e5a58068fd
Instruction Fuzzy Hash: 85512571A042449BEB08EF28DD8A7DDBBB2EB85714F109218F451BB3C5DB359A84C791

Function 00E242A0 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b50a64e15cd6a8e8ea51e1eaa69072b6bd7e3eaa416cc3d1116ea0c666c643
Instruction ID: a0b141c82e415bf784ac8b48ed4041db03de580fe48a13992603244db7efa359
Opcode Fuzzy Hash: 80b50a64e15cd6a8e8ea51e1eaa69072b6bd7e3eaa416cc3d1116ea0c666c643
Instruction Fuzzy Hash: 1AC102B1A002589BEF08DF68DD89BDDBBB5EF46304F549218F845B72C2D734DA848B91

Function 00E4D4F4 Relevance: .2, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8ca032e6102814b9b66315d48ac727730eb38b1183d92ed23383ad695658cb
Instruction ID: 3b9ae12f1188d53c9887fba3f04350819618f6d67392c6ef2cef23b6198babf7
Opcode Fuzzy Hash: 2a8ca032e6102814b9b66315d48ac727730eb38b1183d92ed23383ad695658cb
Instruction Fuzzy Hash: A7610332D082148FDF25EFA9FC857EDB7B0EF56328F25615AE458BB251DA349C008B61

Function 00E182B0 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12ef39be3aeb58a429dca9a7a7799e11984d889545ae2586c9a1e2bca35a643f
Instruction ID: 5b1c875c68c0f31f0db484df956aa286418bb8e00ff9736d56eed6cd11267a62
Opcode Fuzzy Hash: 12ef39be3aeb58a429dca9a7a7799e11984d889545ae2586c9a1e2bca35a643f
Instruction Fuzzy Hash: 7F513970D042189BEB24EB28DE457DDB7B5EB45304F5052A9E818B72C1EF305EC4CBA1

Function 00E1C990 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1efcd16d85718b92d6a20c5861b0eff3a82cbccf033041679faf3b45c47a47
Instruction ID: 68d77c9023cb4abc04b1cd2c76cc0c9ce05b93197a96afbb3104c8eb416038b9
Opcode Fuzzy Hash: 7f1efcd16d85718b92d6a20c5861b0eff3a82cbccf033041679faf3b45c47a47
Instruction Fuzzy Hash: A151F170A002589BDB28DF28DD45BDEBBF5EB45310F2042A9E419B7382DB755E84CBE1

Function 00E17400 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID:
API String ID: 4078500453-0
Opcode ID: 67a2c5c3d60c05d62f17fdd33dcff95eab2a6ecc23f64294225f32e42926ac30
Instruction ID: 7d8f9361abc3280a59774b066c2d32758d8363bf070f8e96270fad0344844489
Opcode Fuzzy Hash: 67a2c5c3d60c05d62f17fdd33dcff95eab2a6ecc23f64294225f32e42926ac30
Instruction Fuzzy Hash: 9F418671A04118DBDB0CEBB8CC4ABDDBBBAEB45310F50421DE441B7281EB349A84C790

Function 04C70237 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3101363509.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4c70000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea9826cb2d417dfc034f5c597aec1d01eb2b8f049def55a993bcab19b5f56dd7
Instruction ID: 81fd027eebc62c0981020b170de7f624112426504a9954a16cd03ee1329f6653
Opcode Fuzzy Hash: ea9826cb2d417dfc034f5c597aec1d01eb2b8f049def55a993bcab19b5f56dd7
Instruction Fuzzy Hash: C611D5EB20C110AF75018193BB65AFB272FD6C2370734C426F447D5542F2996A4A3371

Function 00E46C99 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26c96719c424f1fa025370bb51a2c82610d1fdbeac2b575f77efd1a8f02d24d2
Instruction ID: acb598d99c983b26ab8962fbcd0856e2a3c24bc3e6b40a00a2a5b5efbe742515
Opcode Fuzzy Hash: 26c96719c424f1fa025370bb51a2c82610d1fdbeac2b575f77efd1a8f02d24d2
Instruction Fuzzy Hash: D721B372E052086AEB117B64BC42BAE37A99F42778F215310F9743B1D1DB709E0596A3

Function 00E46BEB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86810a0f44194f609563811ca0730bcbc5163a4c1176f29209ef900402eb992
Instruction ID: 50f02159035dc110e70dafba48681d608d196d0d4a574a23593c04b0c73c6dee
Opcode Fuzzy Hash: b86810a0f44194f609563811ca0730bcbc5163a4c1176f29209ef900402eb992
Instruction Fuzzy Hash: 7511C172D01218AFCF41AFB4FD0679DBBF0EF05324F249166E855B61D1DB709A449B82

Function 00E46F71 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538e5fc49b27abda6e066836c194eb5314bba48d7bc7ee1fecfab63cdde5af58
Instruction ID: d7eb0cb747de736e6a913b51bb6a7dd12190bc1aba43afb7073ed25bf950f649
Opcode Fuzzy Hash: 538e5fc49b27abda6e066836c194eb5314bba48d7bc7ee1fecfab63cdde5af58
Instruction Fuzzy Hash: 1211EFB2A0020CAEDB10DE95E940EDFB7FDAF09314F515266E555F6180E730EB48DB62

Function 00E465A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113f6bb4f38b0c6bd5ff8bce6b5f3b3b7f3e45cad6bb5993c4878f19e937d378
Instruction ID: 0837a1c6d4832e649523775d0b619186e73878cc3392c6899ab51b7d0ddc8787
Opcode Fuzzy Hash: 113f6bb4f38b0c6bd5ff8bce6b5f3b3b7f3e45cad6bb5993c4878f19e937d378
Instruction Fuzzy Hash: A411C0B2D042189FDF21AFA4F8013EE7BF1AF06B24F152959E02077281D7B859409BA3

Function 00E26AE0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e6ff6b062ceb79148a67311b71e79ae0b579d5195d99e8838af8d0d5142f0fc
Instruction ID: 122004c907361392068071e3066dc1cd30a383120462aa62240fe3d468dfa413
Opcode Fuzzy Hash: 1e6ff6b062ceb79148a67311b71e79ae0b579d5195d99e8838af8d0d5142f0fc
Instruction Fuzzy Hash: 64F0F471E00624ABC704BB79EC07B5EBBB5AB46760F84175CE815772E1DA305A0487E2

Function 00E4D6EF Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 129d0d9bd1843a1390100849d13c88a4499b5bb8c10ce1187892f265d1bb8922
Instruction ID: 41b6d05902746ab778612859d7e9c91396a1d8174be68d52f7ac35b07ee446f3
Opcode Fuzzy Hash: 129d0d9bd1843a1390100849d13c88a4499b5bb8c10ce1187892f265d1bb8922
Instruction Fuzzy Hash: 06F0E93150D12566DB227B227D49B5B7B89DF817B4B197113AC04BA182CB60D81086E0

Function 04C7032A Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3101363509.0000000004C70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_4c70000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d91f928120630eaa70b2c1e33fc971ee0770562eab18c70d2fd1a1118ec61736
Instruction ID: 7d24b2ee8ee19d1c9bc11b9c4381db49a4c290e28d445439ef25c3b7c2999e84
Opcode Fuzzy Hash: d91f928120630eaa70b2c1e33fc971ee0770562eab18c70d2fd1a1118ec61736
Instruction Fuzzy Hash: 3AE0ECEB64C160AF704180C37B65ABA576EE1D2631379C827F442C1006E68D960E7231

Function 00E4AF0B Relevance: .0, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3353d96a53ab1dab53ef04dee6127776224119c266d1349544264c6905cf53
Instruction ID: dd913fe0462c970099efa85250f9389cf1b19ab2558396cf04e04cc7c4f1d9a2
Opcode Fuzzy Hash: 9e3353d96a53ab1dab53ef04dee6127776224119c266d1349544264c6905cf53
Instruction Fuzzy Hash: 90E0E57278621156AA3172667C41B6B76899B513B5F0D3070AC14B2481CB20CC0446E3

Function 00E46FF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04db639bda591a3ddb740421505592bc5672e2036e71f8235ac5b6af3761722
Instruction ID: 3c1b8780af71b4eb998493447320cec3db0854b19fe4afd6fd95baf93fa2cfa5
Opcode Fuzzy Hash: d04db639bda591a3ddb740421505592bc5672e2036e71f8235ac5b6af3761722
Instruction Fuzzy Hash: B3F022B1500219AF8B80DF89D841E7637E8AB89611B044092FC58CB261E239E9A0D770

Function 00E46659 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90da925ecaf3d9e7aa276f24fbd0b6e907afd2508885dcfe2346d6a96578493a
Instruction ID: f1793cc59992b516b260b66e7e9bc9107e4ba3bd23e8eaa8c9c955aeaccd5584
Opcode Fuzzy Hash: 90da925ecaf3d9e7aa276f24fbd0b6e907afd2508885dcfe2346d6a96578493a
Instruction Fuzzy Hash: 1EC0927254420C77DF112E83FC03E4A3F5A9BD5770F088020FB1C29561EA7BEA61968A

Non-executed Functions

Function 00E53068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00E531E3

Strings

1#INF, xrefs: 00E5439E
1#IND, xrefs: 00E54373
1#SNAN, xrefs: 00E5437A
1#QNAN, xrefs: 00E54381

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: a8f8318e1089268bc41a6e9ec10ef227492b7e98498d0e4e91f4f2d88064ab88
Instruction ID: 8b7a88763d1f1962963c1663e4b7abecb2991f4858aa2b1c4df58e198da1cb4d
Opcode Fuzzy Hash: a8f8318e1089268bc41a6e9ec10ef227492b7e98498d0e4e91f4f2d88064ab88
Instruction Fuzzy Hash: 14C25FB1E046288FCB65CE28DD407E9B3B5EB4834AF1455EAD84DF7240E774AE898F40

Function 00E52BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 0d29d79833be1f1df1dfface547a9f76eb296667bef7b42001795889bda7bc7e
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: E4F15C71E002199BDF14CFA8D8806AEB7B1FF49315F25866DE919BB380D731AE45CB90

Function 00E47D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00E47EFF

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 8e1cf369791caadd861a7acbee2b5a49ee5bd51eccf6a1ebfb46f301e66a35ad
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: F2519930A1C6085ADB388A38B9957BF67DA9F5230CF14365ED4C2F7682CB11AD49C3D1

Function 00E14AF0 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

Sx, xrefs: 00E14B0A

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: Sx
API String ID: 0-1663639726
Opcode ID: c1f44384decf9b92e1e81b21258c201338240beba0243ed12ed6f773234299ca
Instruction ID: ee2eef0be98e86fe1dfd5f173aede0815743db1a7ec9824938ab0a369ca1c90b
Opcode Fuzzy Hash: c1f44384decf9b92e1e81b21258c201338240beba0243ed12ed6f773234299ca
Instruction Fuzzy Hash: 9051B17060C3918FD319CF2D951563AFBE1AF95300F084A9EE4D697392D774DA44CBA2

Function 00E14CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b237effc14c455a912c45441ca739ca153c84fe78aa3082c7016dd57a24f5307
Instruction ID: f6c4b3527b1070a214596dc746b90befac32c86f18efe32fc09a34d1d3538d1c
Opcode Fuzzy Hash: b237effc14c455a912c45441ca739ca153c84fe78aa3082c7016dd57a24f5307
Instruction Fuzzy Hash: 212250B3F515144BDB4CCB9DDCA27EDB2E3AFD8214B0E803DA40AE3345EA79D9158A44

Function 00E56F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7911f8c6fb2be14ecac74082cf90a1a108c747f66c15b3437335c45233e75c66
Instruction ID: 2de42a179b1098b7a050e6216754c4c34ab6f846d4311314971a2214256878f3
Opcode Fuzzy Hash: 7911f8c6fb2be14ecac74082cf90a1a108c747f66c15b3437335c45233e75c66
Instruction Fuzzy Hash: 67B18B31214608CFD714CF28D486BA57BE0FF4536AF259A58E8D9DF2A1C335E996CB40

Function 00E5777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbf10f530ebbe10f539c0df562e140526de1c416799251fe2c94697808b5e7f1
Instruction ID: 2ad6bf006108aa9e88e085922d98ecccce36f3162df83a673c0b50e0fdc12e0e
Opcode Fuzzy Hash: dbf10f530ebbe10f539c0df562e140526de1c416799251fe2c94697808b5e7f1
Instruction Fuzzy Hash: 7921B673F204394B770CC57E8C5727DB6E1C78C541745423AE8A6EA2C1D968D917E2E4

Function 00E5765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaaec7e74e46cb7844e974c7979b0797a2a3fdf91d80bc23cb64b7710b0d0639
Instruction ID: 334bea918e122e3303482c64ef84550fb0aff7151089d7736c92cbdb1753ecb6
Opcode Fuzzy Hash: eaaec7e74e46cb7844e974c7979b0797a2a3fdf91d80bc23cb64b7710b0d0639
Instruction Fuzzy Hash: E2117323F30C255A675C816D8C172BAA5D6EBD825071F533AD826EB284E9A4DE23D290

Function 00E58720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: ef24461824a4a68139b2f0f2d667631942aadcf2efb0cd97d3e3623f4d67a802
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 36113B7720014143E604862DCBF45B6A795EACD32BB3C6B77C881FB758ED22954CDA00

Function 00E4645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 535bb5200286320e000f0ed4e8e90ae3dbfc81958002db0ccf27618e74535f13
Instruction ID: eb2c714bcb53d8b5de258f874a334c7d1e7731b94d987e045c5d4f96f6ab0ee1
Opcode Fuzzy Hash: 535bb5200286320e000f0ed4e8e90ae3dbfc81958002db0ccf27618e74535f13
Instruction Fuzzy Hash: 5CE08C301826586EDF357B28E904D483B9AFF52358F046415F854AA222CB65ED82D981

Function 00E4A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: e0103efa53b27cd1b1f71fb8240c5239613c4af75807d73079bfa938a1287f81
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 16E08C72952228EBCB15DBC8D944D8AF3ECEB48B10F1A40A6F501E3240C270DF00C7D0

Function 00E22E20 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

Fz==, xrefs: 00E2369E
8KG0fymoFx==, xrefs: 00E22EC7
stoi argument out of range, xrefs: 00E24269
invalid stoi argument, xrefs: 00E2425A
WGt=, xrefs: 00E233BA
246122658369, xrefs: 00E233D4
HBhr, xrefs: 00E2378F

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: d42b08bee116b99c3f9a0f5b4732394b41bf090999dcd6b5b551563f5a485175
Instruction ID: 7d41f57603902eed7c01eae00d99b2047aa593be368841247371a80348d44daa
Opcode Fuzzy Hash: d42b08bee116b99c3f9a0f5b4732394b41bf090999dcd6b5b551563f5a485175
Instruction Fuzzy Hash: E502E071A00268EFEF14EFA8D845BDEBBB5EF05304F505158E805B7282D7759A84CFA2

Function 00E44770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E447A7
___except_validate_context_record.LIBVCRUNTIME ref: 00E447AF
_ValidateLocalCookies.LIBCMT ref: 00E44838
__IsNonwritableInCurrentImage.LIBCMT ref: 00E44863
_ValidateLocalCookies.LIBCMT ref: 00E448B8

Strings

csm, xrefs: 00E4484D

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 89135290b6c4ce0205c62d4e31c40a29e7f3e21ae3e14b3ee4ee197267f80ae1
Instruction ID: eed7cc3aa6ea0cb221f56fa4fe9ecdd872c5123709adff95fe06e00002193b55
Opcode Fuzzy Hash: 89135290b6c4ce0205c62d4e31c40a29e7f3e21ae3e14b3ee4ee197267f80ae1
Instruction Fuzzy Hash: 7B51C6B1B002499BCF14DF68E885B9E7BE5AF49318F149055F904BB392D732DA15CB90

Function 00E55942 Relevance: 8.9, Strings: 7, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

Strings

acos, xrefs: 00E55A91
sqrt, xrefs: 00E55A9A
asin, xrefs: 00E55A88
exp, xrefs: 00E559DA, 00E55A3F
log10, xrefs: 00E5599D, 00E559AC
log, xrefs: 00E559B8, 00E559C7
pow, xrefs: 00E559F9, 00E55AA3, 00E55AF0

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 0-3064271455
Opcode ID: 675b6dd38e5e61229af7a8ba1bb63208db86a7a72285bdacdc8b6b2b23d1b00e
Instruction ID: 8ff4f869f614e2266e7e0a6edc6c75724cc0accf48c3706bad677d1b082d3093
Opcode Fuzzy Hash: 675b6dd38e5e61229af7a8ba1bb63208db86a7a72285bdacdc8b6b2b23d1b00e
Instruction Fuzzy Hash: 43518072904A0ACFCF008F99E8AC1AEBBB0FF85319F116A46DC90B6265C774895DCF50

Function 00E470C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00E4710B

Strings

.bat, xrefs: 00E4713A
.com, xrefs: 00E4714B
.exe, xrefs: 00E47118
.cmd, xrefs: 00E47129

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 071f337add7bb094ccf0389189b63e99f670367f512bc79ed56961579f4d585f
Instruction ID: 7957ee006c7ea98eddd2a7d4278a7a4911e0fed00d71079764be65579182be8e
Opcode Fuzzy Hash: 071f337add7bb094ccf0389189b63e99f670367f512bc79ed56961579f4d585f
Instruction Fuzzy Hash: B601C4276597162666196419BC0263B17D89B82BF872A602FFA94F73C2EF45EC0281E0

Function 00E12E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00E12F1F
__Mtx_unlock.LIBCPMT ref: 00E12F8C
__Cnd_broadcast.LIBCPMT ref: 00E12FA3
__Mtx_unlock.LIBCPMT ref: 00E130B5
__Mtx_unlock.LIBCPMT ref: 00E1315B

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: 42b7f79ee1d084834dbf8617ed86f613e21aa2e91e95ec2cb371ec39a1e69dfb
Instruction ID: 825bcdcb0f040c09ab267bc04540531f4331a6b38709445a996247bd8fd531a7
Opcode Fuzzy Hash: 42b7f79ee1d084834dbf8617ed86f613e21aa2e91e95ec2cb371ec39a1e69dfb
Instruction Fuzzy Hash: 66A1EDB0A01215AFDB11DB74DC45BAAB7F8FF18318F109129E815F7281EB30EA94CB91

Function 00E12670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E12806
___std_exception_destroy.LIBVCRUNTIME ref: 00E128A0

Strings

P#, xrefs: 00E12811
P#, xrefs: 00E127BE, 00E12899

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#$P#
API String ID: 2970364248-2117210794
Opcode ID: 05164f3cb5a94a3c519a88e568d718263a4b4c805fe79757e9fd730ed55a2e26
Instruction ID: b24966e29f3977945498afa370320f6c0fcb85338dffdad8542c864ebc1e4933
Opcode Fuzzy Hash: 05164f3cb5a94a3c519a88e568d718263a4b4c805fe79757e9fd730ed55a2e26
Instruction Fuzzy Hash: AD716E71A002589BDB08CFA8DC81ADEFBB5EF49310F14511DE905B7281E774A994CBA5

Function 00E27870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 00E2795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00E27968
__Mtx_destroy_in_situ.LIBCPMT ref: 00E27971

Strings

@y, xrefs: 00E2794A

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: @y
API String ID: 4078500453-4241861273
Opcode ID: 8635a8bec2aeddfaa6c4cf8022165809f8ad6756d7f58de79e1eaee5fe5ed8f9
Instruction ID: 8228d7f3924f0211f82b03238c9f086b0638dd823fd6f48543c5a679fb3fdf89
Opcode Fuzzy Hash: 8635a8bec2aeddfaa6c4cf8022165809f8ad6756d7f58de79e1eaee5fe5ed8f9
Instruction Fuzzy Hash: 9C3128B19043249FD724DF68F846A6BB7E8EF54310F00163EE585E3201E771EA84C7A1

Function 00E12AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E12B23

Strings

P#, xrefs: 00E12B2E
This function cannot be called on a default constructed task, xrefs: 00E12B03
P#, xrefs: 00E12B18

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#$P#$This function cannot be called on a default constructed task
API String ID: 2659868963-730510960
Opcode ID: 93c616cc8e77e2d14e9a2d3ac37600bad1f90c2144f9e1c37600a18222f9af90
Instruction ID: 9542d2508e0f79215b335e38659c58020836782e0ff67c461db61f642829c3ed
Opcode Fuzzy Hash: 93c616cc8e77e2d14e9a2d3ac37600bad1f90c2144f9e1c37600a18222f9af90
Instruction Fuzzy Hash: 77F0F670A1030C9BC710DF68F84299EB7ED9F45300F1051AEF908B7201EB70AA948B95

Function 00E4C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00E4CA37

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: be99ed64e78ea0a8ce6218beec8f877692697e4adb6b57218537256a459f1558
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: C9B15632A022859FDB11CF28D8817FEBBE1EF45344F3495AAE949BB241D6348D41CB60

Function 00E2BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00E2BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 00E2BB14
_xtime_get.LIBCPMT ref: 00E2BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 00E2BB43

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: ebece6527f705a0f3aa83f6e4832f6d10ad7270a12f8fd0ad72a54282a9e586a
Instruction ID: 110537b542a69c461921bd178b8f090e9648296a71d92b1701c40be8f4746351
Opcode Fuzzy Hash: ebece6527f705a0f3aa83f6e4832f6d10ad7270a12f8fd0ad72a54282a9e586a
Instruction Fuzzy Hash: C4211D71A011299FDF10EFA4EC419BFBBB8AF48714F101069F601B7261DB70AD419BA1

Function 00E27040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00E2726C

Strings

@., xrefs: 00E27250
`z, xrefs: 00E27282

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.$`z
API String ID: 3366076730-840869247
Opcode ID: adde0a6f85df34d263566df2921ebfe0874a06f8c7b97d09c4d96b3045aeb7fd
Instruction ID: 2a81c3ce425d0872514d30066d815a1f3cadde5fe4be2f877fafb4208ce2a147
Opcode Fuzzy Hash: adde0a6f85df34d263566df2921ebfe0874a06f8c7b97d09c4d96b3045aeb7fd
Instruction Fuzzy Hash: F8A136B0A01629CFDB21CFA8D984B9EBBF0BF48714F188159E859AB351E7759D01CF80

Function 00E28E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

P#, xrefs: 00E12486
P#, xrefs: 00E1246D

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: P#$P#
API String ID: 0-2117210794
Opcode ID: 4872812447ba3df88732f9d9ced8e5aa53df48de6c53514cc05d5b14020add9d
Instruction ID: 8dc7d4b5b57400dafa4505d49fc24af50d50ceebd46f0dc302d9c6d4e0a977f9
Opcode Fuzzy Hash: 4872812447ba3df88732f9d9ced8e5aa53df48de6c53514cc05d5b14020add9d
Instruction Fuzzy Hash: 2A513772A011299BDB14EFA8ED419AEB7E9EF44300F145669F915FB341EB30EE108BD1

Function 00E4F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 00E4F263

Strings

`', xrefs: 00E4F235
8", xrefs: 00E4F30B

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8"$`'
API String ID: 3903695350-1436819768
Opcode ID: 24a6292974874877ed305aa25cb304e5d6b5d4ef356b7f270917d7a7984f0c7f
Instruction ID: ac9ab2c32e3c14c7d3907bc2f64cd7714f7c687d97d56364852c76187be1e692
Opcode Fuzzy Hash: 24a6292974874877ed305aa25cb304e5d6b5d4ef356b7f270917d7a7984f0c7f
Instruction Fuzzy Hash: F6317E31A002059FEB21AF79F945B5AB3E9AF44724F246439E44AF7261DF71EC808B15

Function 00E13930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00E13962
__Mtx_init_in_situ.LIBCPMT ref: 00E139A1

Strings

pB, xrefs: 00E13940

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB
API String ID: 3366076730-2061397439
Opcode ID: e7ba5e2fc9b4a1e1215c76367d4bffee4137f7665daea606a72091913ecba090
Instruction ID: 7c67f74fadcc11a473a3d6493d243471e55190374de68ecf1ca3979170bad3c0
Opcode Fuzzy Hash: e7ba5e2fc9b4a1e1215c76367d4bffee4137f7665daea606a72091913ecba090
Instruction Fuzzy Hash: 394136B4501B058FD720CF28C588B9AFBF4FF84315F148619E96A9B345E7B5EA49CB80

Function 00E12440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E1247E

Strings

P#, xrefs: 00E12486
P#, xrefs: 00E1246D

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#$P#
API String ID: 2659868963-2117210794
Opcode ID: 945b41ae7c68eff34be8d036f88454795a935d22752476e3277f3cf98a9f207b
Instruction ID: b0c83e9a7676d681b4501f421f9ff27957d56af2c6d45ee81120ac3b7764b098
Opcode Fuzzy Hash: 945b41ae7c68eff34be8d036f88454795a935d22752476e3277f3cf98a9f207b
Instruction Fuzzy Hash: 89F0E5B195030D67C714EBE4EC0688AB7ECDE15350B009A26F754F7500F7B0FA548791

Function 00E12520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E12552

Strings

P#, xrefs: 00E1255D
P#, xrefs: 00E12547

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#$P#
API String ID: 2659868963-2117210794
Opcode ID: 32757a2cdec52750780c84970382a430fd7ca6941bfeed37c2a7f572b917392c
Instruction ID: e1871c5b6214d5166f42a9a29b6df9301cd2105718c71048ce244f6af621f887
Opcode Fuzzy Hash: 32757a2cdec52750780c84970382a430fd7ca6941bfeed37c2a7f572b917392c
Instruction Fuzzy Hash: 43F0A771E1121D9FC714DF68E84198EBBF4AF55300F1082AEE44577200EB705A54CB95

Function 00E142C0 Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

broken promise, xrefs: 00E14403
future already retrieved, xrefs: 00E1440A
no state, xrefs: 00E14418
promise already satisfied, xrefs: 00E14411

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: broken promise$future already retrieved$no state$promise already satisfied
API String ID: 0-3399861469
Opcode ID: d89535c257074b997b3ed578df0d8f1cd71284f4f080e38a8b1a59a73ad5be00
Instruction ID: 568c7cbf02228427070068cba396ceec53769fc5ea2bf6be59cffebf771d7ba2
Opcode Fuzzy Hash: d89535c257074b997b3ed578df0d8f1cd71284f4f080e38a8b1a59a73ad5be00
Instruction Fuzzy Hash: AC21B1B16016008FD724CF19D944BAEB7E5FB84725F148A5DE45ADB790DB75AC40CB80

Function 00E4D43C Relevance: 5.0, Strings: 4, Instructions: 30COMMONLIBRARYCODE

Download Yara Rule

Strings

Lb, xrefs: 00E4D462
Hb, xrefs: 00E4D477
Tb, xrefs: 00E4D469
Pb, xrefs: 00E4D470

Memory Dump Source

Source File: 00000003.00000002.3064875261.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000003.00000002.3064506964.0000000000E10000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3064875261.0000000000E72000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3066676835.0000000000E79000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000E7B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000000FF5000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.00000000010D4000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.0000000001104000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000110B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3067326245.000000000111A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3072744121.000000000111B000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074092249.00000000012B1000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000003.00000002.3074256079.00000000012B3000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e10000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: Hb$Lb$Pb$Tb
API String ID: 0-1019809715
Opcode ID: 025e724393c5e0cfa0b69754468615814c26502672c46ed3863a61e788344e77
Instruction ID: ee36b9346ecdf1f825ae06b69c7b9dc6bb3cf59dc74c7a6cc0f03598fb3f3038
Opcode Fuzzy Hash: 025e724393c5e0cfa0b69754468615814c26502672c46ed3863a61e788344e77
Instruction Fuzzy Hash: 42E0127329844D031A6589FC3A0D8353B9CD2C232C74C61A2F46DF7E36E426FD509440

Analysis Process: gold.exePID: 8120, Parent PID: 7860COMMON

Execution Graph

Execution Coverage:	38.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.6%
Total number of Nodes:	41
Total number of Limit Nodes:	3

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02A02531 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02A024A3,02A02493), ref: 02A026A0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02A026B3
Wow64GetThreadContext.KERNEL32(00000308,00000000), ref: 02A026D1
ReadProcessMemory.KERNELBASE(0000030C,?,02A024E7,00000004,00000000), ref: 02A026F5
VirtualAllocEx.KERNELBASE(0000030C,?,?,00003000,00000040), ref: 02A02720
WriteProcessMemory.KERNELBASE(0000030C,00000000,?,?,00000000,?), ref: 02A02778
WriteProcessMemory.KERNELBASE(0000030C,00400000,?,?,00000000,?,00000028), ref: 02A027C3
WriteProcessMemory.KERNELBASE(0000030C,?,?,00000004,00000000), ref: 02A02801
Wow64SetThreadContext.KERNEL32(00000308,00E60000), ref: 02A0283D
ResumeThread.KERNELBASE(00000308), ref: 02A0284C

Strings

Load, xrefs: 02A0256F
WriteProcessMemory, xrefs: 02A02644
SetThreadContext, xrefs: 02A02657
VirtualAllocEx, xrefs: 02A02631
GetThreadContext, xrefs: 02A0260B
ReadProcessMemory, xrefs: 02A0261E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02A0269F
ress, xrefs: 02A025BB
VirtualAlloc, xrefs: 02A025F8
TerminateProcess, xrefs: 02A0272F
GetP, xrefs: 02A025B3
ResumeThread, xrefs: 02A0266D
CreateProcessA, xrefs: 02A025E5
aryA, xrefs: 02A02577

Memory Dump Source

Source File: 00000005.00000002.1850614608.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2a02000_gold.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 6642a24cc62e99db43181878192e8f8e3172382913788a2c7a9d738130f6cc0d
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: E0B1D47664028AAFDB60CF68CC80BDA77A5FF88714F158524EA0CAB341D774FA51CB94

Function 00CA0DB0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03A03590,?,?,?), ref: 00CA0FA4

Strings

(bq, xrefs: 00CA0EBB

Memory Dump Source

Source File: 00000005.00000002.1850207475.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID: (bq
API String ID: 544645111-149360118
Opcode ID: c28be3a9e77364dce12e02e88da25e4bd673136a872b86885cca855278e39786
Instruction ID: 8875593a9dd0c10e5a4d03ef3f386fa7794a4c4503436ea1314a00855e7358d1
Opcode Fuzzy Hash: c28be3a9e77364dce12e02e88da25e4bd673136a872b86885cca855278e39786
Instruction Fuzzy Hash: 4D51AA71A00259CFCB10DFA9C84479EBBF1FF89355F208569D919AB380CB759E01CBA5

Function 00CA0EBA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03A03590,?,?,?), ref: 00CA0FA4

Strings

(bq, xrefs: 00CA0EBB

Memory Dump Source

Source File: 00000005.00000002.1850207475.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID: (bq
API String ID: 544645111-149360118
Opcode ID: c6d644806a72717d108d2654806c74ba88f43a5682af56d575e20df2700e7163
Instruction ID: 62d5767e7d4e464d0256e3e2caef17fd32cc03b33ea87c153dac58465344e6be
Opcode Fuzzy Hash: c6d644806a72717d108d2654806c74ba88f43a5682af56d575e20df2700e7163
Instruction Fuzzy Hash: 2F314971A04259DFCB04DFAAD8406DEBFF5FF89351F208169E518AB340CB34A901CBA5

Function 00CA04FC Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03A03590,?,?,?), ref: 00CA0FA4

Memory Dump Source

Source File: 00000005.00000002.1850207475.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_gold.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: a88d0ee9a1f9fd02a8ebf4b9317b2bb851f146cd09159109e03f69b90f40b411
Instruction ID: 0b5142d48ba2f522cfe6c22478c680b060cc43a30d26d20b7177a1cae2441a0a
Opcode Fuzzy Hash: a88d0ee9a1f9fd02a8ebf4b9317b2bb851f146cd09159109e03f69b90f40b411
Instruction Fuzzy Hash: CA2113B1900259EFCB10CF9AD884ADEFFB4FB49310F108129E918B7210C374A950CFA1

Function 00CA0A50 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00CA0AB4

Memory Dump Source

Source File: 00000005.00000002.1850207475.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_gold.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 499fffa2d28ad12d6a02409252b190c69f270ad23599c2884b4b5f9aba784844
Instruction ID: e28ba445f7f1a4612c8d8e5d6ea363936c895fe4ddec3ee47d09f5d0aadd74dc
Opcode Fuzzy Hash: 499fffa2d28ad12d6a02409252b190c69f270ad23599c2884b4b5f9aba784844
Instruction Fuzzy Hash: B41125B58003498FCB20DFA9D544BDEFFF0AB49324F248459D459A7351D374A944CFA1

Function 00CA04E4 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00CA0AB4

Memory Dump Source

Source File: 00000005.00000002.1850207475.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_ca0000_gold.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 35a89165bfc227d4ffa4c517ffa847f294f65121b45a521dfd3319b6d5fde980
Instruction ID: 3e0cc91100792a00f94134573e62a735c9d6c9c419478f89c732f10be3c290b3
Opcode Fuzzy Hash: 35a89165bfc227d4ffa4c517ffa847f294f65121b45a521dfd3319b6d5fde980
Instruction Fuzzy Hash: 3F112EB19003498FCB20DFAAD448BDEBBF4EB49324F208469D559A7310D778A944CFA0

Analysis Process: RegAsm.exePID: 8180, Parent PID: 8120COMMON

Execution Graph

Execution Coverage:	13.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	119
Total number of Limit Nodes:	12

Executed Functions

Function 0653C1B8 Relevance: 9.8, APIs: 1, Strings: 4, Instructions: 1098
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k%, xrefs: 0653C2A8, 0653C2AD
+8, xrefs: 0653C88D, 0653C892
SXl^, xrefs: 0653CD89, 0653CD8E
c8, xrefs: 0653C907, 0653C90C

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID: +8$c8$k%$SXl^
API String ID: 0-1063293072
Opcode ID: 126b9cec4ce8abe597a0d7461f6147c3bd0d33faede2bd91d2dadea743bbc9cd
Instruction ID: 0d0ac7fafd11580395c6d88e7fbd189b8b28f8e1d8d2c6578287a5812a438d10
Opcode Fuzzy Hash: 126b9cec4ce8abe597a0d7461f6147c3bd0d33faede2bd91d2dadea743bbc9cd
Instruction Fuzzy Hash: 03C2B074A012298FDB64DF24D998B9DB7B2FB89301F1085E9D80DAB354DB31AE85CF44

Function 064FEF40 Relevance: 8.3, Strings: 6, Instructions: 780
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 064FF01E
0oAp, xrefs: 064FF82D
(bq, xrefs: 064FEFD0
(bq, xrefs: 064FF498
DqAp, xrefs: 064FF839
LjAp, xrefs: 064FF9CE

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq$(bq$0oAp$DqAp$LjAp
API String ID: 0-3988487894
Opcode ID: 8d8ca927f6a350e923fa1ccec4ee1858f00fbdef6314be4eb62dcd8d65a18e8a
Instruction ID: 67fa7c170adf28de59d9ceb9b0aef3fe24e89a2c88a49d19ace2b3448cab4e32
Opcode Fuzzy Hash: 8d8ca927f6a350e923fa1ccec4ee1858f00fbdef6314be4eb62dcd8d65a18e8a
Instruction Fuzzy Hash: A5624A35A102049FDB85DF68D494AAEBBF6FF88310F15806AE905EB361DB31ED46CB50

Function 0653E420 Relevance: 2.9, Strings: 2, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

., xrefs: 0653E6A0
1, xrefs: 0653E725

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID: .$1
API String ID: 0-1839485796
Opcode ID: 0f97422ee057253c575c784685baa4b782ba8b77f29dcb8d196fac3c00482f25
Instruction ID: cc6b25ea25e906cae22211bc7e80510af9091c2c2688e01c802277e5c7638c43
Opcode Fuzzy Hash: 0f97422ee057253c575c784685baa4b782ba8b77f29dcb8d196fac3c00482f25
Instruction Fuzzy Hash: 11F1C074E01228CFDB68DF65C994B9DBBB2FF89301F1085AAD50AAB250DB315E85CF50

Function 06253F50 Relevance: 1.8, Strings: 1, Instructions: 524COMMON

Download Yara Rule

Strings

$^q, xrefs: 062541E4

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: fea46ee6a887171f7ed2dbd3881343364b8aa69990a93145986ee10cd73290b2
Instruction ID: f0f4ee610f0b4ada554d4bfd83132f02e035c740811e3f57a00b7b7c9ee0b471
Opcode Fuzzy Hash: fea46ee6a887171f7ed2dbd3881343364b8aa69990a93145986ee10cd73290b2
Instruction Fuzzy Hash: 4E125E34B102158FCB54DF69C594AAEBBF2BF88710B158169ED06EB365DB31DC81CBA0

Function 0625A688 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

filesBrowseronkeroroonly\User DataViewer, xrefs: 0625A836

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: filesBrowseronkeroroonly\User DataViewer
API String ID: 0-3801727489
Opcode ID: 46f2491ae048d9c3613d2b6ab4bc0391a80ed86f575a0574524048000734e4f0
Instruction ID: 4c51c354e7ea4d7d57b2a05a1ccf8b95ab0eb6ce03d28a87e77eba02c38ab22a
Opcode Fuzzy Hash: 46f2491ae048d9c3613d2b6ab4bc0391a80ed86f575a0574524048000734e4f0
Instruction Fuzzy Hash: 18D11634900318CFDB58EFB4D854A9DBBB2FF8A301F108569D50AAB395DB319989CF51

Function 06537BD8 Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 06537C3D

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f24b472cdad40a5768c412a25f2056e396440d02d716a92f9ca05254b4f26a69
Instruction ID: 690d5c1fba3deed1cd8c0e10367561fca610f9a856c6de04e29d92233e067968
Opcode Fuzzy Hash: f24b472cdad40a5768c412a25f2056e396440d02d716a92f9ca05254b4f26a69
Instruction Fuzzy Hash: F0219FB4E012289FDB48DFA9E484ADDBBB5BB8D720F10946AE415B7360DB305845CF68

Function 06538E40 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

$^q, xrefs: 06538FF4

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: ba91096377f80817295044408dbf1bd2927d9e1e1d13fd9cee0b3bbade9a2290
Instruction ID: 11ce8f911c8cf981154b6f042c00422e6f78c22f781bcc78f53b673898b662ba
Opcode Fuzzy Hash: ba91096377f80817295044408dbf1bd2927d9e1e1d13fd9cee0b3bbade9a2290
Instruction Fuzzy Hash: 8871D474E01318CFDB58DFA5D984AADBBB2BF89300F209529E415BB354DB359886CF44

Function 0653A5F0 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a22015afb496a7a050e655c2cb797d86e9ea2cee6048025ced8c5193c1465ef
Instruction ID: a65b982fc226d7911fda53760d5d54dfba01231ec3a94cbd84f63f7ea9433ec1
Opcode Fuzzy Hash: 2a22015afb496a7a050e655c2cb797d86e9ea2cee6048025ced8c5193c1465ef
Instruction Fuzzy Hash: E2227F74D01229CFDBA5DF65C990BD9B7B2BF89300F1085EAD549AB250EB316E85CF80

Function 062567D8 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ab3eda80be293ef64c2da3a2bc429ff98a8560c41caf98d91c81a11d8a1a93a
Instruction ID: 6727b9e646e5e460c974a3fe4d26c8c79319c41356eb7e85b50fd9e92c4f1c29
Opcode Fuzzy Hash: 2ab3eda80be293ef64c2da3a2bc429ff98a8560c41caf98d91c81a11d8a1a93a
Instruction Fuzzy Hash: DBF1D130A102099FDB15DF68D984B9EBBF2EF88310F558569E805EB3A1DB31ED45CB90

Function 064F0A0C Relevance: .4, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71e666a1849364851d146c4e81ddb139c4d268c8055f212adde1be565a17ec61
Instruction ID: 49543f05e55b0b52e7dd7213bda890797c7526749d694b9931f5c289627416cb
Opcode Fuzzy Hash: 71e666a1849364851d146c4e81ddb139c4d268c8055f212adde1be565a17ec61
Instruction Fuzzy Hash: 64D18E71A002499FCB45CF69D884AAFBBF6FF89300B158569E505DB362DB30EC45CBA1

Function 0653A278 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66c87a84890873da963fa1dae1510565358046afcc69664d80345c25a5f7eb9
Instruction ID: 48f3925f45aed0d7295b5f3da606c0891a5277f955effa09a7629bf5a14682a3
Opcode Fuzzy Hash: b66c87a84890873da963fa1dae1510565358046afcc69664d80345c25a5f7eb9
Instruction Fuzzy Hash: E0913674D01229DFDB64DFA4D984B9DBBB2FF89300F1081A9D449AB351DB306A89CF51

Function 06230D80 Relevance: 20.6, Strings: 16, Instructions: 615
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062313EB
$^q, xrefs: 06230FB8
$^q, xrefs: 06231336
$^q, xrefs: 06231455
$^q, xrefs: 062313AC
$^q, xrefs: 06231430
$^q, xrefs: 06230E78
$^q, xrefs: 0623137B
$^q, xrefs: 06230E02
$^q, xrefs: 06230F36
$^q, xrefs: 062313A0
$^q, xrefs: 06230FAC
$^q, xrefs: 06230E84
$^q, xrefs: 06230F86
$^q, xrefs: 06230E52
$^q, xrefs: 06231461

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2449488485
Opcode ID: 484c60ef6f236fc7a5a806cffad6bdb15eaa6663dcd050066ad068f97fb2aeef
Instruction ID: d6c87e4596cdc7b4c74e7612393f2fb0fd3ce1bc41063285cf65fde1bec24641
Opcode Fuzzy Hash: 484c60ef6f236fc7a5a806cffad6bdb15eaa6663dcd050066ad068f97fb2aeef
Instruction Fuzzy Hash: 8122C270B202159FDB94DB69C948A6EBBF6BF88700F108859E906CB3A5CF70DC55CB91

Function 06231582 Relevance: 7.8, Strings: 6, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 062318E3
$^q, xrefs: 06231A88
$^q, xrefs: 06231A57
$^q, xrefs: 06231A7C
$^q, xrefs: 0623182E
$^q, xrefs: 06231A12

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: ddee362d16bfaff5ef47ed1cf42cce4e57b62928ee4b8d98542403216205f117
Instruction ID: 0247a5540a8a90e790fc5c42e8b9bdefebdc853b45e2f510f1dea333705c6081
Opcode Fuzzy Hash: ddee362d16bfaff5ef47ed1cf42cce4e57b62928ee4b8d98542403216205f117
Instruction Fuzzy Hash: D4C12474B502158FEB449BA8C858A2E7BE6FF89700F10985DE9028F3A5CFB1DC55CB91

Function 00CBD0A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CBD136
GetCurrentThread.KERNEL32 ref: 00CBD173
GetCurrentProcess.KERNEL32 ref: 00CBD1B0
GetCurrentThreadId.KERNEL32 ref: 00CBD209

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: a8ac2510bb0ad847b7e58b7f9c2e3a7f3efb3819a35e252fd0c4f702c9a25fbc
Instruction ID: 8d411f10e2744ac17c18b51f5f93d8a57c8a5eadfa2d244996a135a6385005ea
Opcode Fuzzy Hash: a8ac2510bb0ad847b7e58b7f9c2e3a7f3efb3819a35e252fd0c4f702c9a25fbc
Instruction Fuzzy Hash: 865168B09003498FDB14DFAAD548BDEBBF1FF88314F208459E459A73A0D734A984CB66

Function 00CBD0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 00CBD136
GetCurrentThread.KERNEL32 ref: 00CBD173
GetCurrentProcess.KERNEL32 ref: 00CBD1B0
GetCurrentThreadId.KERNEL32 ref: 00CBD209

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 9d17a3e72edbc6eb1d88414b33e8fcd0d527cf9102514c9ab5e43d059716e36d
Instruction ID: e555cddebb173cbe4b2cbc367c9b2974b83fdbc13082fe51a72e44e78f3ac3ef
Opcode Fuzzy Hash: 9d17a3e72edbc6eb1d88414b33e8fcd0d527cf9102514c9ab5e43d059716e36d
Instruction Fuzzy Hash: F15156B09003498FDB14DFAAD548BDEBBF5EF88314F208459E459A73A0D734A984CB65

Function 064FCB50 Relevance: 2.8, Strings: 2, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 064FCE4E
(bq, xrefs: 064FCE8A

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 9c3de91f869e388a32a16d9a1fe4c4903b535aa663ca23aee46436db7ce38e02
Instruction ID: 412b19b1ae3d15fbbad9d4011619103bc2943e5dcf48255182593f81163fb286
Opcode Fuzzy Hash: 9c3de91f869e388a32a16d9a1fe4c4903b535aa663ca23aee46436db7ce38e02
Instruction Fuzzy Hash: 48A19134B002448FDB59AB789494A6E7BE7EFC8340F248469E906DB392DE35CC46CB91

Function 064FFB40 Relevance: 2.8, Strings: 2, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 064FFC54
(bq, xrefs: 064FFCA2

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 0421215d3fe6a70d07550879c0eaeda5485a28270f39e16cf04ef1c6ab15e41f
Instruction ID: 27aa6586ea80bbb97c37730d59d5787671a0975974ad12c7329901891d31c72f
Opcode Fuzzy Hash: 0421215d3fe6a70d07550879c0eaeda5485a28270f39e16cf04ef1c6ab15e41f
Instruction Fuzzy Hash: 4391C0357102108FDB559F28C854A2F7BF6EFC9740B14846AEA06CB3A6DB30DD46CBA0

Function 064F34F8 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 064F3784
(bq, xrefs: 064F37DA

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 311752b3550668e4b8ad6fa70ca6663df7e9111e063c48f0e991a4d37bbc4109
Instruction ID: 6dcf8153aa197009a001d485f5dcac31187aeb71eb5d6b25e2f3ccf6a77e7922
Opcode Fuzzy Hash: 311752b3550668e4b8ad6fa70ca6663df7e9111e063c48f0e991a4d37bbc4109
Instruction Fuzzy Hash: 0451F334B002459FDB5AAF79845062FBBE6FFC8340B208469DA06DB386DE30DD4687E1

Function 064F3A08 Relevance: 2.7, Strings: 2, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(bq, xrefs: 064F3C94
(bq, xrefs: 064F3CEA

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 68ef021b268e4f33587f8f9f5a7961bf648e7bcd7c0dbb8dc88d297ce52fd597
Instruction ID: c109419c3ee959ced93fb62c3e473821c38121d99a4bfdeef6e12041e2f3e88b
Opcode Fuzzy Hash: 68ef021b268e4f33587f8f9f5a7961bf648e7bcd7c0dbb8dc88d297ce52fd597
Instruction Fuzzy Hash: 19510434B002459FCB5AAF79845062FBBE6FFC8300B108569DA06DB386DE30DD4687E1

Function 06258C78 Relevance: 2.6, Strings: 2, Instructions: 116COMMON

Download Yara Rule

Strings

(bq, xrefs: 06258D00
(bq, xrefs: 06258D2C

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq$(bq
API String ID: 0-4224401849
Opcode ID: 0506520620296cc14a41d1f710e2f71b9ab90ceeb4d031ad76140aa7c3863eda
Instruction ID: 045aa3b4f0314528aba65f9bfa036032a5ae8df9c4618239ae5d154f811ac7fe
Opcode Fuzzy Hash: 0506520620296cc14a41d1f710e2f71b9ab90ceeb4d031ad76140aa7c3863eda
Instruction Fuzzy Hash: D43124317001696BDB496E7D985476F3ADAEFD4391F208029ED09DB380DE39DC0287D6

Function 06231BA0 Relevance: 2.6, Strings: 1, Instructions: 1349COMMON

Download Yara Rule

Strings

Q, xrefs: 06232070

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID: Q
API String ID: 0-3463352047
Opcode ID: ee089209717b67379dd229f0223b47057a589ee08b7baf9a86f203f93c20e860
Instruction ID: 6ef9adfdbdb161f47c1359e87c8e0a4449f7f2f18d8dba69df53371002fbd8eb
Opcode Fuzzy Hash: ee089209717b67379dd229f0223b47057a589ee08b7baf9a86f203f93c20e860
Instruction Fuzzy Hash: 30C25E74A401189FDB54DF64CC51A9DBBB2FF88700F109099EA06AB3A5DB71EE82CF51

Function 065379FE Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 06537B50

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 29f2b17dfa436a0b5870a378aef3db10aa43554e3bd89f6cc7c0308ec099f4ff
Instruction ID: b397ba3c6bbf9ec1ec5e1fe4fdcccc804549f99819e40fbebbd69e4e936aec93
Opcode Fuzzy Hash: 29f2b17dfa436a0b5870a378aef3db10aa43554e3bd89f6cc7c0308ec099f4ff
Instruction Fuzzy Hash: E05105B4E05208DFDB08EFA5D590AAEBBF6BF88300F109529E415AB354DB349946CF54

Function 00CB4248 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB59F1

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 90bdbde196712eff35b306fcbc8f7549e66a5deb7b3fe7597578b03a2f567e2f
Instruction ID: bfdf8b8c3b3558d12fd6b693c0f2a70d0e9d933d08bd72de914a5f689411135d
Opcode Fuzzy Hash: 90bdbde196712eff35b306fcbc8f7549e66a5deb7b3fe7597578b03a2f567e2f
Instruction Fuzzy Hash: 9941CFB0D00619CBDB24CFA9C884BDEBBB5BF44304F2481AAD408BB255DB756985CF91

Function 00CB593D Relevance: 1.6, APIs: 1, Instructions: 91COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 00CB59F1

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 2140a4530c9d5b033b6708fdbf400992b48db944df005d7c380f8defb9361b23
Instruction ID: 8e95ec4bb5827ba31681a63aa7ea4ca0b18ce1bba846ecbee39d1350441f227a
Opcode Fuzzy Hash: 2140a4530c9d5b033b6708fdbf400992b48db944df005d7c380f8defb9361b23
Instruction Fuzzy Hash: 7E41E1B0D00619CFDB24CFA9C884BDEBBB5BF48304F2481AAD418BB255DB756985CF91

Function 00CBD2F9 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBD387

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f18fed0c6f01cf4630b32800faee1ce828eec04c75d18504574614da7258b4c5
Instruction ID: cad7dade8c461673c3d373836924947814f090bfab0fb6da5e7d8834b224fb1e
Opcode Fuzzy Hash: f18fed0c6f01cf4630b32800faee1ce828eec04c75d18504574614da7258b4c5
Instruction Fuzzy Hash: 972114B5900258DFDB10CF9AD584ADEBFF4EB48320F14801AE958A3310D378A940CFA1

Function 00CBD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00CBD387

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 229bccb3c0135cce73bab50e59f7aabaae74d1c9c5d5d0b01101fa6900452c28
Instruction ID: fc896cc351f2147b9cc46f19afc955d7e7fab1be47b24a17381e0696eaaf99bf
Opcode Fuzzy Hash: 229bccb3c0135cce73bab50e59f7aabaae74d1c9c5d5d0b01101fa6900452c28
Instruction Fuzzy Hash: 4021E2B59002489FDB10CFAAD984ADEBBF4EB48320F14841AE958A3310D378A944CFA5

Function 00CBA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00CBB101,00000800,00000000,00000000), ref: 00CBB312

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b58fc96f43dec64fde639b92e5bb704bc0e66fd6ce5b9c5527f8745658561e1a
Instruction ID: 68b2d1fe238c4166d2eb2ebbdbd60124c56091d2cd06ba9530834a2098da943a
Opcode Fuzzy Hash: b58fc96f43dec64fde639b92e5bb704bc0e66fd6ce5b9c5527f8745658561e1a
Instruction Fuzzy Hash: 871114B69003499FDB10CF9AD444ADEFBF4EB48314F10842AD459A7210C7B4A944CFA5

Function 06537821 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32(00000000), ref: 06537896

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID: KeyboardLayout
String ID:
API String ID: 194098044-0
Opcode ID: be98ed9e0bd5d8e67c4dd234d415eab99ea52d6d614f19ced85cb3e4af274112
Instruction ID: a1dd5e77353cf7c6597f01a5cc79d5776160af5dc8e7f57abdb165cbb75e457c
Opcode Fuzzy Hash: be98ed9e0bd5d8e67c4dd234d415eab99ea52d6d614f19ced85cb3e4af274112
Instruction Fuzzy Hash: 711164B0C003588FDB51DFA9D9057EEFBF4EB49220F14885AD459BB241D239A984CFA9

Function 06537928 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06537985

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 945b800817f21c51eacc3ce3e704608264a5e945fe1e7260096df4cb1945fab2
Instruction ID: 6cd44baa4bd17e36d656f3c773a82eaffe0f0cddf218762de170876e98dbc66d
Opcode Fuzzy Hash: 945b800817f21c51eacc3ce3e704608264a5e945fe1e7260096df4cb1945fab2
Instruction Fuzzy Hash: 711133B18002588FDB20CF9AD844BDEFFF4EB48324F248459D458A7210C379A944CFA4

Function 00CBB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00CBB086

Memory Dump Source

Source File: 00000007.00000002.1998890620.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_cb0000_RegAsm.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 54b7c1cdba8f2da2072ec56d7498e5f78e319888cf997f863defc403f97b4adc
Instruction ID: 2ae838ae56508bae90fb196ed645e8116b651fd55d44c3adb8a2a633973c10c3
Opcode Fuzzy Hash: 54b7c1cdba8f2da2072ec56d7498e5f78e319888cf997f863defc403f97b4adc
Instruction Fuzzy Hash: E61113B5C003498FCB20DF9AD444ADEFBF4AB48324F10841AD469B7210C3B5A945CFA1

Function 06533A54 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 06537985

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 31bd5a1cb95a0190d6a892ebd72fe73c2fdb1a00e2e42ac13932d964489aa6ce
Instruction ID: 91ed621ea532b8ace8c91e22b6577971621f8837e424b21041f8fe0249d5abad
Opcode Fuzzy Hash: 31bd5a1cb95a0190d6a892ebd72fe73c2fdb1a00e2e42ac13932d964489aa6ce
Instruction Fuzzy Hash: E61133B1D003589FDB60CF9AD448BDEBBF4EB48724F108559D558B7210C378A944CFA8

Function 062559D8 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

d, xrefs: 06255C29

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 09175d676be1b2bcb11a1f604631b95facc39c9ae1a6f678c459f4e91340e6aa
Instruction ID: 3ecf31f8e984252aa48cdf7a736cea6e8fe5ac51397f36165aaf6eca533f5ee3
Opcode Fuzzy Hash: 09175d676be1b2bcb11a1f604631b95facc39c9ae1a6f678c459f4e91340e6aa
Instruction Fuzzy Hash: 5EC19234600606CFC765CF29C58086ABBF2FF89310B16C999D8599B766D734FC46CB90

Function 064F00A8 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064F0168

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: e1cd52225bcc735819add225164d43c1447c7801d690fc64dfa85360f2891344
Instruction ID: 31cf83c7d850826697996d078cd701fedbeeca9770bcb6aacc8c5d9c7ac484d2
Opcode Fuzzy Hash: e1cd52225bcc735819add225164d43c1447c7801d690fc64dfa85360f2891344
Instruction Fuzzy Hash: C551E1307043019FCB55AB28D854A6FBBEAEFC5314B14856AE906DB352DF71EC45CBA0

Function 064F2980 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

(bq, xrefs: 064F2A6D

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 74c4c9209207e41c0332cf535ec625c55b9b4ebbcd3faf897cab7a0f7ea9f4fc
Instruction ID: 39fc46e92df375b1ba5c5db4e1b1fbf55b3743c2c5cb92c456b6a3f93cd8a63d
Opcode Fuzzy Hash: 74c4c9209207e41c0332cf535ec625c55b9b4ebbcd3faf897cab7a0f7ea9f4fc
Instruction Fuzzy Hash: 5B51BF35B003498FCB45AB79902816FBBF3FFD5351B248529D606D7385EF348A068B65

Function 064F0300 Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064F0495

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: 28eaf0353f551957198db25ce7135ba6b3b88fbf83a5ac32e4cedd81803c5529
Instruction ID: a01b4b5a2b73a0da35444da53889c4df031d18b68896ff9a385cf76503cb4323
Opcode Fuzzy Hash: 28eaf0353f551957198db25ce7135ba6b3b88fbf83a5ac32e4cedd81803c5529
Instruction Fuzzy Hash: 21514F34A10208DFCB45EF68D854AADBBB6FF89300F158069E506EB3A5DF309D46CB91

Function 064F8738 Relevance: 1.4, Strings: 1, Instructions: 148COMMON

Download Yara Rule

Strings

(bq, xrefs: 064F8796

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (bq
API String ID: 0-149360118
Opcode ID: 8413063bda5729bc3454a3ec356ee62a3d613ed08a9aebc3a5303a542a8ceb04
Instruction ID: 0442ce94359e6ca8a6f328ff073e531cc5326c70a6dbe82d34b3554c7dc2702f
Opcode Fuzzy Hash: 8413063bda5729bc3454a3ec356ee62a3d613ed08a9aebc3a5303a542a8ceb04
Instruction Fuzzy Hash: DE51B7317043049FC725EF29D844A6EBBF6EFC4310B14866AD5068B766DB70ED8ACB91

Function 064FDEE0 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

PH^q, xrefs: 064FDFE6

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 128933849f82ca803131a4817abf54d641898b57f99bf2c9df627c8dadbb7021
Instruction ID: ef5810d9ff2a074895c66c0d7b84febebe752d009ef9d77f15b0db58f3663b96
Opcode Fuzzy Hash: 128933849f82ca803131a4817abf54d641898b57f99bf2c9df627c8dadbb7021
Instruction Fuzzy Hash: 0D41F630E183559FC766CB29D804B6BBFB6AF82311F0881AFD6488B352DB71D881C791

Function 06253DE0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

4'^q, xrefs: 06253F25

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b559b246f497681dbe3dc91793b985d776efed7029901ddd9ed2bacf14814f1b
Instruction ID: d27af4dba4db0832839df18a0ae5d63cfa837ddbc4e42cf6fd252b8d965752dd
Opcode Fuzzy Hash: b559b246f497681dbe3dc91793b985d776efed7029901ddd9ed2bacf14814f1b
Instruction Fuzzy Hash: 263137317002144FC729A738E8946AEB7E6DFCA355705447AE849CB754DE31EC47C7A1

Function 062584C8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

4'^q, xrefs: 062585B1

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: c1c8a4c4e73015873b6b2621355ed4935f3b7bb7edf359bc33298286edc99fc8
Instruction ID: fcdb4c83afe84caaf6d7836b087bfcbdeb8e080c5537b227d29a4b2603211004
Opcode Fuzzy Hash: c1c8a4c4e73015873b6b2621355ed4935f3b7bb7edf359bc33298286edc99fc8
Instruction Fuzzy Hash: 0931AD35B002188FDB49EB79A49416E77E3EFC8211710487DD90BCB385EE75DD868792

Function 064F5830 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

(_^q, xrefs: 064F59F8

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: (_^q
API String ID: 0-538443824
Opcode ID: ef8b8950f8ff4d96822e478db2fdcfc421cf6317995d7f18f98f872b60c1692f
Instruction ID: 385ac08aa0d2281d1dd41c05e8cf89a2a6bc0189fed58f90ce832a5460c09632
Opcode Fuzzy Hash: ef8b8950f8ff4d96822e478db2fdcfc421cf6317995d7f18f98f872b60c1692f
Instruction Fuzzy Hash: 4D11A1363101148FDF496FB8E41895D7BE7EB8C3157058465F60ACB761CE36DC219B84

Function 0625B6B7 Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0625B6DC

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 8c63019a8bed8e9a48a2f0030915b54cb788396ff4ac56862c7434b577573e53
Instruction ID: b40b3b9e8b7d990c00f71046975ba05009ee2af15697ca7b91242da1582b6075
Opcode Fuzzy Hash: 8c63019a8bed8e9a48a2f0030915b54cb788396ff4ac56862c7434b577573e53
Instruction Fuzzy Hash: A001283A3452044FC7449B34E8588663BE6DBC925131540A5FD0AC7361DE30DC42C760

Function 0625B628 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0625B669

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 546fc239ed3162e57b31fcc806addfb298aebe507171bcd1902332ca531a320d
Instruction ID: d65177c5d454814dd15b4e70c79a67d7d3edb5f0ed02f86bdd892e3a2d6495ba
Opcode Fuzzy Hash: 546fc239ed3162e57b31fcc806addfb298aebe507171bcd1902332ca531a320d
Instruction Fuzzy Hash: 7501F134D1934A9FCF41EF74E59419CBFF2EB85241B0184A9D816D7351EE301E89CB21

Function 064F7D78 Relevance: 1.3, Strings: 1, Instructions: 36COMMON

Download Yara Rule

Strings

st, xrefs: 064F7DD8

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: st
API String ID: 0-3075148684
Opcode ID: ec73c715a8c6959262676553dcb2d21489062cceb9f953b9f7f2ba93bbca42de
Instruction ID: c55d2d95fea0a98a67ff0fda529637843d355df0adda5e185613e1a36fe70f84
Opcode Fuzzy Hash: ec73c715a8c6959262676553dcb2d21489062cceb9f953b9f7f2ba93bbca42de
Instruction Fuzzy Hash: 93F08C312402045FC351EB68DA4089EFB9AEEC5350340CA3DD50A8B729DF71EA8E8BD4

Function 064F7D7A Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

st, xrefs: 064F7DD8

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID: st
API String ID: 0-3075148684
Opcode ID: bd445cd3a6babb31750439b25cbb0d4558e3fb960f02a0ea03e464d579a19189
Instruction ID: 25f92e59b81835d653de0461b03fccf2d95985fc48900a30ef8d60ff1f962518
Opcode Fuzzy Hash: bd445cd3a6babb31750439b25cbb0d4558e3fb960f02a0ea03e464d579a19189
Instruction Fuzzy Hash: C7F0AF312402005FC351EB28DA4089EFB96EEC5350340CA3DD50A8F729DF71EA8E8BD4

Function 0625B638 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 0625B669

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: fa9c271747f19b21336ce76826d2f8bdcd785b5ea62a2eb23aa4c592d19a1a78
Instruction ID: 9828e7b14cd8b598918588fd7a05cac2b2bb524e241c04b34f18d9058d9fe61e
Opcode Fuzzy Hash: fa9c271747f19b21336ce76826d2f8bdcd785b5ea62a2eb23aa4c592d19a1a78
Instruction Fuzzy Hash: C2F06934E05209AFCB04EFB8E58959CBBF2EB84200B5085A8D80AD7354EF301E99CB51

Function 062300D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd049ebd697f974bc35c78e86caedb3bc04312f508806197808aa97a323ccdfd
Instruction ID: cb73765e226d3e7ac15f5e154bec1343357c93ff7acd37b0e9fee859ac28bc4c
Opcode Fuzzy Hash: bd049ebd697f974bc35c78e86caedb3bc04312f508806197808aa97a323ccdfd
Instruction Fuzzy Hash: 7A42AA307406298FCB64AF68D950A2EB7E2FBC5305B10495CD9039F3A5CFB5ED068B96

Function 06230598 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254c319847d550a90ec09e4c248433d9dc0c8cd20af62a9819e4aec12285d60b
Instruction ID: dba0ab731260bf77f6caae44f9a2b00cfd13a006dda3b4118db4462d40469a02
Opcode Fuzzy Hash: 254c319847d550a90ec09e4c248433d9dc0c8cd20af62a9819e4aec12285d60b
Instruction Fuzzy Hash: 7902BD307502158FDB54AF68C954A2EB7A2FBC9704F008968D9029F3A1CFB5EE46CB95

Function 06230610 Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b4047e0706420478ce169254488effa3225b02612919cd7f86041be5189331
Instruction ID: cf9f26fd63bc9949f61b818f780f7e3a72a6a6758894aad64895b72f65feb2d4
Opcode Fuzzy Hash: f5b4047e0706420478ce169254488effa3225b02612919cd7f86041be5189331
Instruction Fuzzy Hash: 8902BD30750215CFDB54AF64C954A2E77A2FF89704F009868D9029F3A1CFB5EE46CB95

Function 064FC588 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0471aca369f13fbf51c7f3132c8e4bb9a2f09ce6f2d3cf6b17e8ec568c086c
Instruction ID: 4dea8742c43fe5ea0edc37768090d14590a8ad6c33ea6bc9fe7628ff2c352881
Opcode Fuzzy Hash: 1f0471aca369f13fbf51c7f3132c8e4bb9a2f09ce6f2d3cf6b17e8ec568c086c
Instruction Fuzzy Hash: 19129E30A007498FDB55DF78C884B9ABBF2EF89304F158599D949AB352DB31E985CF80

Function 064F0D20 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aef545550eaf7b1ebd586f0fb83e924d1a5c292b05426f24c56164320d948bdd
Instruction ID: 58c649d0ec99ac7e648a231bc3898b4d5f393519985bf34819475254db3b8364
Opcode Fuzzy Hash: aef545550eaf7b1ebd586f0fb83e924d1a5c292b05426f24c56164320d948bdd
Instruction Fuzzy Hash: A1F15934A10249DFDB59DFA8D554AAEBBF2EF88300F148469E906EB391DB31DC45CB50

Function 06230688 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f499fea5b4cbe8cf3ffee9982cd919f0966005ab915442efd1fa2a896afa619
Instruction ID: d04689f18e091052c6283ccb4c668e2f63052ed456d67dc6c75f882240aa7157
Opcode Fuzzy Hash: 6f499fea5b4cbe8cf3ffee9982cd919f0966005ab915442efd1fa2a896afa619
Instruction Fuzzy Hash: 83E1DF70B50215CFEB449F64C954A2E77E6FF89704F009868D9028F3A1CBB5EE46CBA1

Function 064FB920 Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a641dba3fe13df8e24be24eb73ace54e3458f33507aa75947ded6e7c281552e
Instruction ID: 74dd459e97090062ec2e8968132dee7690c65677203e153a76d1ea95460aafeb
Opcode Fuzzy Hash: 6a641dba3fe13df8e24be24eb73ace54e3458f33507aa75947ded6e7c281552e
Instruction Fuzzy Hash: 9F025E35A10719DFDB15DF38C854A9AB7B1FF89310F118699E949AB361EB30E981CF80

Function 064F78B0 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6da5b4aa167eef5cbe1becc0034e684726cd91f054445c86197a8d81a6ddba
Instruction ID: 42edbe18866207987291477ff0ca0e58d3c61156edb44b96fea2899af4c11e33
Opcode Fuzzy Hash: ac6da5b4aa167eef5cbe1becc0034e684726cd91f054445c86197a8d81a6ddba
Instruction Fuzzy Hash: 66D1CD34F102499FDB55DFB9D854AAE7BF2AF88310F148029E902EB395DB34DD428B90

Function 06230700 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c252e79eb79c7a3f74701d7ff65f69f8ae32075943f1dddeb279f8a005c28da5
Instruction ID: c49c964ae73e8c786e07ae491fe19a4124b7554bb879ffab951ca800104715a4
Opcode Fuzzy Hash: c252e79eb79c7a3f74701d7ff65f69f8ae32075943f1dddeb279f8a005c28da5
Instruction Fuzzy Hash: 39D1CF70B10215CFEB449B64C954B2D77A6FF89704F109469EA028F3A5CBB5EE42CBA1

Function 064F6918 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd47cd3f3433d267ff2a5656bf695a6d8d98fd75f48cd6968337f5432b91266
Instruction ID: 24a22524f06a564252d770b741df653620bd869640744194658add7494f14fd4
Opcode Fuzzy Hash: 8fd47cd3f3433d267ff2a5656bf695a6d8d98fd75f48cd6968337f5432b91266
Instruction Fuzzy Hash: E1D1AF34B102049FCB55DF78C554A6EBBF6EF89300B15886AEA06DB3A5DB31DC49CB90

Function 062300BB Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da6c82053c85b57f41193450f4b5f096e532026bafbfc14b1b6c95a0431d5f45
Instruction ID: 4c986c4c51faa8e881c14b597025abe48ee691b3e1232ef8c8c1458f3ccbdf6c
Opcode Fuzzy Hash: da6c82053c85b57f41193450f4b5f096e532026bafbfc14b1b6c95a0431d5f45
Instruction Fuzzy Hash: 8CC1C170B10215CFEB449B64C954B2D7BE6FF89704F009469EA029F3A5CBB5DE41CBA1

Function 064F7EF0 Relevance: .3, Instructions: 316COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee47694bc073f1b14d8b1030626361de2388a69553d8b6f0e2d80d16f0da2831
Instruction ID: ae7cebafa84cafbd460697dfeb6f339a4cad7293789b7d6ac9d0e96b352412d3
Opcode Fuzzy Hash: ee47694bc073f1b14d8b1030626361de2388a69553d8b6f0e2d80d16f0da2831
Instruction Fuzzy Hash: 89C1AD35B102059FDB44CF69D9449AEBBF2FF88340B058929E915EB365EB30EC46CB90

Function 06233DDD Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dcc60acf64fdba76509b4b6cf4b212274c9537eddd3803e6e79b57e475b316
Instruction ID: 222f8f4637f3b9e5421e2a666d5e82e034c7542cc9ab153a819c7ff242712d64
Opcode Fuzzy Hash: 62dcc60acf64fdba76509b4b6cf4b212274c9537eddd3803e6e79b57e475b316
Instruction Fuzzy Hash: C0C11534B402148FCB44DF68C994EAABBF6EF88704F1180A9E506DB3A6DA71ED418B50

Function 064FC579 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb2fb27f70a53dbea24ae3720f72c152d889b24eccde1581f89916b361ba01a8
Instruction ID: 193d8a250280834f31ad7b8968afa2baa93a47ddd19e7674299338a90ff6cddd
Opcode Fuzzy Hash: cb2fb27f70a53dbea24ae3720f72c152d889b24eccde1581f89916b361ba01a8
Instruction Fuzzy Hash: CAE17A70A107498FDB61DF28C484B9ABBF1FF84304F158699D949AB352DB30E985CF90

Function 064F8B68 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ef5143d8c2a5f48303162bcb092b3c9a2b2a079b86637862e799011f869d441
Instruction ID: e7f88a27bc1b482d8d8fcaf79d2ae616132d3be2a3aa40a9af257e2a7ea129d7
Opcode Fuzzy Hash: 2ef5143d8c2a5f48303162bcb092b3c9a2b2a079b86637862e799011f869d441
Instruction Fuzzy Hash: BDC1AF3162D10DCFE788EB58EA818657BB5B7447C07026616E26B8F669C730EDD28F90

Function 06254AFF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a849428a207a48954529224e664f34abe0c6e349cb6ce1d3aff899acebaa1b8c
Instruction ID: 0613d606882e73fd4a15d1d371fe3a1ee364c3f1e9ac661e5c8c20fb1b7f87fa
Opcode Fuzzy Hash: a849428a207a48954529224e664f34abe0c6e349cb6ce1d3aff899acebaa1b8c
Instruction Fuzzy Hash: C4C14B34B106058FCB55DF69C484AAAFBF2FF88301B1585A9E946DB366DB30EC45CB60

Function 064FB911 Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec4c2a2e1a058ec46512259c7cd723632385f9c4176fbc5d1fd7f38bf6731b94
Instruction ID: a42afcf8617ed9e5fa6a2d8eb439c5f7e4f3dde19239015032e820565a7065fa
Opcode Fuzzy Hash: ec4c2a2e1a058ec46512259c7cd723632385f9c4176fbc5d1fd7f38bf6731b94
Instruction Fuzzy Hash: FAC12C3191071ADFDB11DF78C854A9AB7B1FF49304F118699E949AB361EB30EAC5CB80

Function 064F1358 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9f8c97097ac819eee9387f4839d77f335d5875258cb7cec3604dfd89be3928
Instruction ID: c399a6d5e75f9ee9b9c70ee10d0630ffb6c2b04b640de5b09dfabec6c6185cc0
Opcode Fuzzy Hash: 9f9f8c97097ac819eee9387f4839d77f335d5875258cb7cec3604dfd89be3928
Instruction Fuzzy Hash: 31916A34B012049FC749DF69D89495EBBF6EF89310B2585AAE915DB3B6CA30EC41CB90

Function 064F2D30 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58ed792e145c5f5f5d5771134bd200a6447f2bcec6d09775d2250adb14a7db81
Instruction ID: 1521bdd6d4392b0c18fb5e2a19b0310e8dc84c687d68a7e3e06cac2e7e802dfd
Opcode Fuzzy Hash: 58ed792e145c5f5f5d5771134bd200a6447f2bcec6d09775d2250adb14a7db81
Instruction Fuzzy Hash: E1918E70A002058FCB48EF79C85466EBBF6FFC5300B208569E916DB395DB349D46CBA1

Function 064F4EF0 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b81fc31b107fd850d5cf0484363758596726e76930158db008020e358b3c7f6
Instruction ID: ca592c64af5adb8056d85595a0a3a63dedbf4226a51d8c7ba0fb599293f4eff8
Opcode Fuzzy Hash: 0b81fc31b107fd850d5cf0484363758596726e76930158db008020e358b3c7f6
Instruction Fuzzy Hash: FF81AE71A002499FCB45EF78C844AAF7FF6EF89310F10852AE909EB351DB30D9458BA1

Function 064F5DE0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: daf9ba1917825510982cc247d413e539fba7efdc9d7e44b14ba1021e55773cc5
Instruction ID: bd303167bc09b2d917ffb480bbd593705d9efd45a311a67088c984ed5858d530
Opcode Fuzzy Hash: daf9ba1917825510982cc247d413e539fba7efdc9d7e44b14ba1021e55773cc5
Instruction Fuzzy Hash: 32A1D335A11209DFCB45DF68D888E9ABBF2EF89320F1645A5E505DB362DB30EC85CB50

Function 064F6268 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00f92ed6b187990c9b49923b62ae90e86b2cf2e8d788bf80026a8ca7b3ae2750
Instruction ID: 570ba00ae9bcaef15d378d8170ce3180d40e9e0526e81093029cc19f4b3e6c42
Opcode Fuzzy Hash: 00f92ed6b187990c9b49923b62ae90e86b2cf2e8d788bf80026a8ca7b3ae2750
Instruction Fuzzy Hash: 31710774F04344AFD705AB78982476E7FF6EF86300F1580AAE905DB392DA319D46CBA1

Function 064FCF00 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ac9be92df909c2a7443ff51bca5fa8704c0522d582896f9829d3fe88e3dfec
Instruction ID: 985e8fa68b648283be545e4fb96ffc0d4b1746873b3f5e6435f7b9d09d7809cb
Opcode Fuzzy Hash: e2ac9be92df909c2a7443ff51bca5fa8704c0522d582896f9829d3fe88e3dfec
Instruction Fuzzy Hash: D361DD34B043489FCB45AB78942816EBBF7FFD6301B10856AE606DB381DF348906CBA5

Function 064FDC48 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8da90967223672fa496740dab04773c8339ca23480382bea52a471bfe2cf669
Instruction ID: 5dece5899cf05a23c19893fe798cffa471571f0b1c1be51eb3960efcc3aa1f52
Opcode Fuzzy Hash: c8da90967223672fa496740dab04773c8339ca23480382bea52a471bfe2cf669
Instruction Fuzzy Hash: 1471D734E107099FDB05EB64D844BAEB7F6FF85300F00C52AE655AB351DB70A985CBA0

Function 064F0B64 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ef6acee4a46be20460996b92457983f4218dc5741e0437ac9b37571fb8fb98
Instruction ID: fe24b95dfefecc158c36f5fe5c0ef8488bd35b5c7dd765d01bf4bb45de338254
Opcode Fuzzy Hash: 82ef6acee4a46be20460996b92457983f4218dc5741e0437ac9b37571fb8fb98
Instruction Fuzzy Hash: B7519D35B007049FCB559FBAC88486BBBF6BFC92107148A2EE546C7361DA70ED058BA1

Function 064F6908 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b078eda8669ee43b0b17f8315b0ce6f92828246bee59540b231951fe6065bdc9
Instruction ID: eda233681dd34e825e144f19e04698a0b33705acf5661ea9d136b3555795906c
Opcode Fuzzy Hash: b078eda8669ee43b0b17f8315b0ce6f92828246bee59540b231951fe6065bdc9
Instruction Fuzzy Hash: 79615934A10205AFCB55DF68C584A9EBBF6FF89300F148569E9069B3A1DB31ED49CF90

Function 064F0D11 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db04aeb7db91a81e0f3716b679d8a47134b70e99871c32f91a00b646cf6e2673
Instruction ID: faf212175c172317eebec91c4f887e12e981e7eff50cc082ced17b43e1de087b
Opcode Fuzzy Hash: db04aeb7db91a81e0f3716b679d8a47134b70e99871c32f91a00b646cf6e2673
Instruction Fuzzy Hash: 8C713774A10209DFCB55CF68D598A9EBBB2FF88310F044569E9059B3A1DB70EC85CF91

Function 064F5DCF Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d85e83564b11263115c78bb3922a0b5d53140aa6ef11de7e10c5b283adb50
Instruction ID: d5e6b6e4bff6bd9dc7244e8a1299d9bcf610134105fc510a55bf5613c0da580f
Opcode Fuzzy Hash: 4d4d85e83564b11263115c78bb3922a0b5d53140aa6ef11de7e10c5b283adb50
Instruction Fuzzy Hash: 0F511435A11208EFCB48CF59D884E9EBBB6FF98320F158166E5019B361C770E885CB90

Function 064F4BA8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53d27b5931cae57edb9a814849f35fafd7b8dade63f12768630433ce3175c7a9
Instruction ID: b24e4760f12a320f3704c4b916064d1a572ad5a9775a7a102786d454352777dd
Opcode Fuzzy Hash: 53d27b5931cae57edb9a814849f35fafd7b8dade63f12768630433ce3175c7a9
Instruction Fuzzy Hash: 2F614871A00209CFCB44CFA9D8849AEBBF6FF88300B158565E915EB365DB30EC51CBA1

Function 06257D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 453f8db065ea1c2c91835ca0e89abe2011ab2ec1677deaa4b582326e8a0920ff
Instruction ID: 59698c8de4c9880dc172ce54e440296608dab66e3ad7a193d4971970d37d0f50
Opcode Fuzzy Hash: 453f8db065ea1c2c91835ca0e89abe2011ab2ec1677deaa4b582326e8a0920ff
Instruction Fuzzy Hash: 2F513771E20319CFDB64CFA9D881BEEBBF5AF48310F158429E815AB244DB749846CF80

Function 06257D4C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deae2384688f95c6f8284514981283d38ec126253a9cf82b1dda2589cf1fa329
Instruction ID: e9e2982ff280e9ff9784ca51141a68317547146e44ca559eb0ce0275ef31b9d2
Opcode Fuzzy Hash: deae2384688f95c6f8284514981283d38ec126253a9cf82b1dda2589cf1fa329
Instruction Fuzzy Hash: E85149B1E20359DFDB64CFA9D885BEEBBF5AF48700F148429E815AB240DB749845CF80

Function 0625FE88 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ccf0fdf494f230faec7af0f542f1a90b6f8a7d48e35b49f4339df8f1b95933e
Instruction ID: b4231796368185ef03a5f5b63a0ea740f9af66ae42cdbcaef9d7a24358444860
Opcode Fuzzy Hash: 0ccf0fdf494f230faec7af0f542f1a90b6f8a7d48e35b49f4339df8f1b95933e
Instruction Fuzzy Hash: 19416930B093859FCB15AB78981452A7FFADF83204F1945AAED05CB393DA35CD06C7A1

Function 064FADD0 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60da15a6bd56a3dfa3c5681facda6eb0f4e65c235c56ad9ee8b13d43de244d26
Instruction ID: fe0c09213a63b9cef4f5f7702d3dedb7bda025d42c7f8a6014fffdfe03ca5742
Opcode Fuzzy Hash: 60da15a6bd56a3dfa3c5681facda6eb0f4e65c235c56ad9ee8b13d43de244d26
Instruction Fuzzy Hash: D0415E30A10305CFCB55EF78D8546AEBBB2BF88200F14456AE54AEB255EB35D886CB60

Function 062559C8 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3194d97610ac45583441ac8d5f078ce8e0443f97c0c6ac6eaf0cccb7f7623c1b
Instruction ID: ab2a056c6917378f9ec268ec9856729083f729ed550f4f42ffcb365ba51e1821
Opcode Fuzzy Hash: 3194d97610ac45583441ac8d5f078ce8e0443f97c0c6ac6eaf0cccb7f7623c1b
Instruction Fuzzy Hash: 26417C35A10606CFCB64CF59C8809AABBF6FF89310B16C959E959AB361D730F801CB90

Function 064FADE0 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e1d1ce164ce60d10ae7f493159a1954fa84eba1cd7ac0af64da339ec1fc2c8
Instruction ID: 58de8e3feaf4826801d3229bf9d69118cdd1a0b486834c03838cf8341325d4b3
Opcode Fuzzy Hash: 80e1d1ce164ce60d10ae7f493159a1954fa84eba1cd7ac0af64da339ec1fc2c8
Instruction Fuzzy Hash: C3413D30A10305CFCB55EF79D8546AEB7B2FF88210F148569E54AAB354EB35E882CB90

Function 064F38B8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b53c1fc44e0016bba33eec0ef84def7bc8b1c338421202d7e04e3be2af371de
Instruction ID: 4605898438be51eedbee2d2d508ca5ecdabb3ddec828059c275b507ab34863ad
Opcode Fuzzy Hash: 0b53c1fc44e0016bba33eec0ef84def7bc8b1c338421202d7e04e3be2af371de
Instruction Fuzzy Hash: 2741B2787105109FC748DF29D988D1ABBFABF8961172681D9E949CB376CB30EC40CBA0

Function 06255579 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b54bb773d7394bb08291b2278b5a4d2c34d798f6f911e5764d47aec04fba4f9
Instruction ID: 78209e5c22403758366aba61bfcea4c49148746b27e802c06148c3d36cd1219f
Opcode Fuzzy Hash: 6b54bb773d7394bb08291b2278b5a4d2c34d798f6f911e5764d47aec04fba4f9
Instruction Fuzzy Hash: 17313735B112159FCB19DF38D884AAEBBB2FF89210B508469ED05DB365DB31ED05CBA0

Function 064F38C8 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7449f84401f7d099852fe2aa28a12dfce12dcd5dcce753dc963c3fd2f896c66
Instruction ID: d460017b2c0e9b450f322264e45cbb30062e60abc53731848ae3c14c0ba06d81
Opcode Fuzzy Hash: d7449f84401f7d099852fe2aa28a12dfce12dcd5dcce753dc963c3fd2f896c66
Instruction Fuzzy Hash: 034191757205109FC748DF29D988D1ABBFABF896153268199E949CB376CB31EC40CBA0

Function 064F6A0D Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de000c7b19fafa1edd5051a45dfcd4b27ff429cb4541e818f80f5be183ad518
Instruction ID: 72b419708f12ae1d649fcd0e577372eb7d67af4334b70ccaa9d3b9fb3b13d6fd
Opcode Fuzzy Hash: 9de000c7b19fafa1edd5051a45dfcd4b27ff429cb4541e818f80f5be183ad518
Instruction Fuzzy Hash: B641F634A00204DFDB45DFA8D584AADB7F6FF89301F14846AEA06A7390DB32AD46CB50

Function 064F2D20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70e55df479c14791929d6e8693a2d41933e5f0cde8170cc7ba29b15d9d91a3e2
Instruction ID: d144da41cc1c2e3b28efa41e5d98ea9f2a3f03d70b0489d6076bbceed72fcdb4
Opcode Fuzzy Hash: 70e55df479c14791929d6e8693a2d41933e5f0cde8170cc7ba29b15d9d91a3e2
Instruction Fuzzy Hash: 3F316B75E10215CFCB55DFA8C894AAEBBF1FF89314B1040AAE616AB361C770AD45CB90

Function 06255588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bb383d1aa89661294814b82fca92f7f1a8a55c5e23feaa33c37feaa62ab75df
Instruction ID: a1b486fc772a8c84e85af97ea3281b00f5506abbb6ce768061000fd9e23864a6
Opcode Fuzzy Hash: 3bb383d1aa89661294814b82fca92f7f1a8a55c5e23feaa33c37feaa62ab75df
Instruction Fuzzy Hash: E5315935B112119FCB19DF38D8849AEBBB2BF89310B008469ED06CB365DB31ED05CBA0

Function 062587A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38426e74ce654f356cd80604bcd478a96240d5fc72a75d3c111256544c80687a
Instruction ID: 41ba952891979fa44830a06a7a40f2829b7388cefb6cfd3aa2c1bf07aa35df73
Opcode Fuzzy Hash: 38426e74ce654f356cd80604bcd478a96240d5fc72a75d3c111256544c80687a
Instruction Fuzzy Hash: E24101B1D112189FDB64CFAAD944ADEBBB5EF88310F10802AE815B7250DB74A945CF91

Function 064F02F1 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00cc27829f1615089214cb2486fb63fe6612cc7c3026e80f060a818a6b6689e2
Instruction ID: 63d8c1cb80c93242d6343c7fbf8ebb708cf1ac97842f610fa80d1723fea76e1f
Opcode Fuzzy Hash: 00cc27829f1615089214cb2486fb63fe6612cc7c3026e80f060a818a6b6689e2
Instruction Fuzzy Hash: 94317430A10608CFCB44EF64D8589ADBBB2FF85701F148169E506AB361EF30A946CB91

Function 06232EC8 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 525112565c69452a3ac53a448db089a9717b008e6078cc4660faa6478599dd4e
Instruction ID: 6e0c284da6eb219eda2ab050c5a9ad109f00d2d35074f809207d2b44cfc52506
Opcode Fuzzy Hash: 525112565c69452a3ac53a448db089a9717b008e6078cc4660faa6478599dd4e
Instruction Fuzzy Hash: 28314975E2161A9FCB44CFA9D8808DEF7F6FF89310B10816AEC15A7320EB30A905CB50

Function 064F1D98 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de9045c1207172b9c6f984ef52eb046abde8fdd7c45db0dca5060920c95e5549
Instruction ID: 082534769b1b33de1863b30a3b572aae71bb10d10ea613cd00bb1476cb74ae97
Opcode Fuzzy Hash: de9045c1207172b9c6f984ef52eb046abde8fdd7c45db0dca5060920c95e5549
Instruction Fuzzy Hash: 67213830714204DFE742AF78E81176F7BA9DB81305F00446AE655CB681DB748905CBF2

Function 06232EC3 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67acae0e95fb8f9b53dbc51c6779accb702b584053caa5141a0144633ae45321
Instruction ID: d44fc53741c26d8242b1552c279e780622d12b46c575e377d80607a93ed18313
Opcode Fuzzy Hash: 67acae0e95fb8f9b53dbc51c6779accb702b584053caa5141a0144633ae45321
Instruction Fuzzy Hash: 34312975E2161A9FCB44CFA9D8808DEF7B6FF88210B15816AED15A7320EB70A945CB50

Function 06258796 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7889fd93193b1f96f9df65ffd05ce4ba29301155424b165114bdb4dd873573f
Instruction ID: 37c1565cee85dfa8861cdbec982e1e4a7e13bb70219db4df109816acc4a89927
Opcode Fuzzy Hash: b7889fd93193b1f96f9df65ffd05ce4ba29301155424b165114bdb4dd873573f
Instruction Fuzzy Hash: CB3122B1D102589FDB24CFAAC994BDEBFF6EF48300F14802AE805A6250DB749845CF91

Function 064F1BD8 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ab7bbf2f430913211d7c55d8a15e79176e6159d8b3b060707fac96b71a35de0
Instruction ID: 134d3354adc8fdedf2fa6ff5c365564d2ab90afab3d07b890a813d204d936138
Opcode Fuzzy Hash: 8ab7bbf2f430913211d7c55d8a15e79176e6159d8b3b060707fac96b71a35de0
Instruction Fuzzy Hash: D2219430B107498FCB45EF69D58096EB7F5EFC5200B40466AD5069B359EF30DD85CB91

Function 064FA930 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: deffbb890ca1db1b58473fcb19db62113b4f5d36d8b650497351c71932270911
Instruction ID: a32997ea47fdc9868910a5426f99599ddc14a6f0c25d7663908852dfa36a29f7
Opcode Fuzzy Hash: deffbb890ca1db1b58473fcb19db62113b4f5d36d8b650497351c71932270911
Instruction Fuzzy Hash: 16213A357043449FC7156B3CA814D6B7BEEDFC662031A44B7EA09C7362CD20DC0283A1

Function 064F0FB3 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04c3f035bd6d526066eb83e3c2e8b3b60386804145f2e77b286625ae47b53b8b
Instruction ID: 0cde93e05f2d48743bf29d3805f3975274336a3ed39ea7beb9345a3b51ed46fd
Opcode Fuzzy Hash: 04c3f035bd6d526066eb83e3c2e8b3b60386804145f2e77b286625ae47b53b8b
Instruction Fuzzy Hash: 60310535A00109EFDF45DFA4E994AEDBBB2FF88310F048015FA16A7250DB31A955DF50

Function 064F1BC9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99d5d173a66f993d79e74beb009a06edc3fc128eefb8d65388af878d93a22ad2
Instruction ID: 7100c01b2f7681c1bc40ae447c4e92a5e41634e5ed6a52fc310bf77df6ddb126
Opcode Fuzzy Hash: 99d5d173a66f993d79e74beb009a06edc3fc128eefb8d65388af878d93a22ad2
Instruction Fuzzy Hash: 4021D330B10349CFCB46EF69D9909AEB7F5EFC5200B40462AD5069B355EB20D949C791

Function 064FE3F0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31746bada009daee636e56297c580892efbe4ec4f7679020533d8674b6e561c9
Instruction ID: f3aaf650d511fbdeb449616ec40c3810e5879e2314316e21c8bd50edb2d29609
Opcode Fuzzy Hash: 31746bada009daee636e56297c580892efbe4ec4f7679020533d8674b6e561c9
Instruction Fuzzy Hash: 03218E74A16289AFDB41DBA8DC54ADEBBB9EF4A311F04806AF400F7262C7345D04CBA1

Function 064F39E0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aea1f45e98bd0f9ae55a5cae5e5fdbf3cfd8f16acc368426a0cc92ebab37bfd
Instruction ID: 23c382cfdb83aeb12a8de0dcbc51f40dc505841d4a911810988140bcdbff6458
Opcode Fuzzy Hash: 4aea1f45e98bd0f9ae55a5cae5e5fdbf3cfd8f16acc368426a0cc92ebab37bfd
Instruction Fuzzy Hash: C8216B31A06281AFDB138F25DC408A7FF79EF82320B1485E7E94487113C3319958C7E1

Function 0623360B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019018663.0000000006230000.00000040.00000800.00020000.00000000.sdmp, Offset: 06230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6230000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 695f28339bfdc5052b8daddf97ca2169ffa1e11e5f02a5f9b3f3be82369d2ac3
Instruction ID: bc87ab6eab7afd8ce3106f1562d44381e96bf658d02a1c027761e558b167c679
Opcode Fuzzy Hash: 695f28339bfdc5052b8daddf97ca2169ffa1e11e5f02a5f9b3f3be82369d2ac3
Instruction Fuzzy Hash: 4A215A35B500159FCB54DF69C984EAABBB2FF88714F1180A9E9059B3B5DB31ED05CB10

Function 06258A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf84d617cd0d0adf88ac67a7bb8aea0c5db2e31ddf54212897a05d09d19fff0
Instruction ID: 2bfa167a1632aa8401675a41a715b1e53f0ba39b4a0e5f455e7a6ea289fe8237
Opcode Fuzzy Hash: ecf84d617cd0d0adf88ac67a7bb8aea0c5db2e31ddf54212897a05d09d19fff0
Instruction Fuzzy Hash: 823114B1D11258DFDB64DFA9D890BDEBBF9AF48310F24842AE805F7240DB74A845CB90

Function 00C5D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998518426.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c5d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25e1ae896e69cbf530731cfdddbd142ebced9613a569d240671ee3f9229979a
Instruction ID: b1be8dc9dde0f087ccd352509b96ca4b7b70f275284455ed3a276bd7fa0268fd
Opcode Fuzzy Hash: a25e1ae896e69cbf530731cfdddbd142ebced9613a569d240671ee3f9229979a
Instruction Fuzzy Hash: 742145B5500340DFCB21DF14C9C0B26BF61FB94319F60C569EC0A4B216C336D88ACBA2

Function 00C5D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998518426.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c5d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 555864459023601b558352694226c7a34a2f81ca577ef955fecef4439776fae4
Instruction ID: f2b1ccacc1e68dbbca8199ca1f5cfe6eb90d9181ab38be01c94e93c1e2129639
Opcode Fuzzy Hash: 555864459023601b558352694226c7a34a2f81ca577ef955fecef4439776fae4
Instruction Fuzzy Hash: D0214579100300DFDB24DF04C9C0B26BF65FB94325F20C169EC0A4B216C33AE88ACAA2

Function 064F8B58 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 796b9c8c0574851d63284400e596a4716c3e5bbd75ccf3f9c0b0325d47a93d2c
Instruction ID: c5351a6f9db80da559bfe1ce0c4dff665128f4254a8df68f60ce89c4b1a02b6f
Opcode Fuzzy Hash: 796b9c8c0574851d63284400e596a4716c3e5bbd75ccf3f9c0b0325d47a93d2c
Instruction Fuzzy Hash: 7521CF71A102059FC711DB6AC8409AFBBFAEF85310B01896AE5159B322CB30ED44CBA1

Function 064FE432 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f72a61daca0dbe79ebe4e2b216d2ae0ec2048b619f442f9fe6f3a0a4019a8cf
Instruction ID: 7f019456ec970fe0f9bdc209f539b233e5fc42bf221fc6c06e70df4e85c3fe6e
Opcode Fuzzy Hash: 1f72a61daca0dbe79ebe4e2b216d2ae0ec2048b619f442f9fe6f3a0a4019a8cf
Instruction Fuzzy Hash: EC21A170E15289AFDB41CFA8EC50ADEBBB5AF4A311F0451AAE400F72A1C7344941CB91

Function 00C6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998590879.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c6d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d64359b74f53ee30dc156d2f6aeb0a89331eb399e379bda6e20467667b5404
Instruction ID: fd84050668c189d8edcddcc91bacb7f1063c785db0f9e204ca8194d19f2d0130
Opcode Fuzzy Hash: 89d64359b74f53ee30dc156d2f6aeb0a89331eb399e379bda6e20467667b5404
Instruction Fuzzy Hash: D4210475A04240DFCB24DF14D9C4B26BFA5EB84314F24C56DE90A4B256C33BD847CAA1

Function 064F2731 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5a6a00883e82f91cd8ffef41a3297c216e977eeb06f7bc51f944b8831c3e97b
Instruction ID: 6ddb8d7fc160f72364a8521a1c53da94ff48a0bd424353ff0c683b6e9dc51520
Opcode Fuzzy Hash: b5a6a00883e82f91cd8ffef41a3297c216e977eeb06f7bc51f944b8831c3e97b
Instruction Fuzzy Hash: 75219232A007049FC760DFAAD9808ABB7F6BF88320714872AE549C7625D770E9448B50

Function 064FFE98 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9745da053416c0261ebdac0814c3bb1d6c7e8f5f79652132a77475d09e00f54b
Instruction ID: 675361a1230707b1eaeada1b2fc542bb379343cf215ad75aea0aa38a5e047801
Opcode Fuzzy Hash: 9745da053416c0261ebdac0814c3bb1d6c7e8f5f79652132a77475d09e00f54b
Instruction Fuzzy Hash: 21216D357141149FC785DF2AE888D6ABBEAFF89621715806AF509CB361CB71EC05CBA0

Function 064F2C10 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61b6a3c2c9239cd2c77ff5e5fa3f3a257875cb9281de2de0606b3db1cb5a1a28
Instruction ID: 747371540669b3f84212be7bf81d9c7058a421cd672f219229e40b8a89dfc944
Opcode Fuzzy Hash: 61b6a3c2c9239cd2c77ff5e5fa3f3a257875cb9281de2de0606b3db1cb5a1a28
Instruction Fuzzy Hash: 00211074B104018FC744CFA9D998C6ABBB6FF89714B2140A9E906DB332CB70ED05CBA1

Function 064FEDE2 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c3419902c5b5d98fa412fbe8e8debc6bd6cdb54361bbc0a3862c5fbf6c0a6c9
Instruction ID: 66f54e47bbcae33b8e3c49d4ed66e43d856e8687915f4f1271b94ecbfdf71c98
Opcode Fuzzy Hash: 9c3419902c5b5d98fa412fbe8e8debc6bd6cdb54361bbc0a3862c5fbf6c0a6c9
Instruction Fuzzy Hash: 19210471A09354AFCB12CFA4D8149EBBFF5AF49300F18459BE941E72A2C7358A05CBB1

Function 064FCB42 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab24ab8ca51a835b9915c4d547ca05c1a29697ff4dff901fb402aa3f42855cc1
Instruction ID: 8914db65beddcd03bb477422ef92045a0e002598694dfbb6df440d6492f30f8e
Opcode Fuzzy Hash: ab24ab8ca51a835b9915c4d547ca05c1a29697ff4dff901fb402aa3f42855cc1
Instruction Fuzzy Hash: 95218E35E142088FDB55CF69D494AEFBBF6EB88311F14806ADA09E7351DB708C45CBA1

Function 064F1638 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e06d6db0134292a4fccc5ffc32f1fc60624ba617f7bfe7b34dce08ef2220ef6d
Instruction ID: 8e46739c00a7d31c6dbd100910c40cb9a0e91a06834905446f60c2b841ab358a
Opcode Fuzzy Hash: e06d6db0134292a4fccc5ffc32f1fc60624ba617f7bfe7b34dce08ef2220ef6d
Instruction Fuzzy Hash: C621A2316057549FC325CF2AC940957BBFAEF86314B04896AF549C7662DA32FC46CBE0

Function 064F1730 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99f8a2a9b3588c2af13ba6d31c6eef45c5d237eef5156376809453177cce9bc9
Instruction ID: 753b989de8d47aeb319e305f16a4ecd726522be11f442fd6afa092cbe85317ef
Opcode Fuzzy Hash: 99f8a2a9b3588c2af13ba6d31c6eef45c5d237eef5156376809453177cce9bc9
Instruction Fuzzy Hash: D6215134724601CFC759AB39D59862A77E6FF882117108429D65FC7B50DB30EC46CBA1

Function 064FDD40 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a28237172dc87044518a077f85844760f0b029e8b99294348757bbaf417d16eb
Instruction ID: 7aea64d9cef49814d4051bcdc0f1762dd48fddabc4b98dd674c89bf7f69ae1b2
Opcode Fuzzy Hash: a28237172dc87044518a077f85844760f0b029e8b99294348757bbaf417d16eb
Instruction Fuzzy Hash: 3D219531E207099FDB45AB64D84869AB7B6FF89300F10C62AE656A7350EF70A945CB90

Function 064F2C20 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376c83965894db37ffbdd0bee9f4b38224fba4836ae066b36d61a49403f4f05f
Instruction ID: 90a71e0d458a499360b3c75f8ae4b77d57d034a38cc32ceb99815851a660bc75
Opcode Fuzzy Hash: 376c83965894db37ffbdd0bee9f4b38224fba4836ae066b36d61a49403f4f05f
Instruction Fuzzy Hash: E921DF74B104158FC744DBA9D99886AB7FAFF8961472140A9E906EB331CB70ED05CB60

Function 06258A8C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf8f14bfd97841bc9529b391c1bb557da6b3157414cb64d6560d8faa394462d
Instruction ID: 7a13b08a83440b4d7382a163b115491564e4433963d64c181b3b1e0ed9c3c445
Opcode Fuzzy Hash: 7cf8f14bfd97841bc9529b391c1bb557da6b3157414cb64d6560d8faa394462d
Instruction Fuzzy Hash: 382115B1D102589FDB24DFA9C895BDEBFF8AF08310F14842AE845E7240DB74A945CBA0

Function 064F5D20 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddbc7ff74d571d6d6e1b03383c946bb28202f1de7f11d968db52e9175373a99a
Instruction ID: f52d6c2fda8435349800a8e4414787188267fce1ec516ebcd88cb18a823298ca
Opcode Fuzzy Hash: ddbc7ff74d571d6d6e1b03383c946bb28202f1de7f11d968db52e9175373a99a
Instruction Fuzzy Hash: 07214D726106089FC755EF68C544D9BBBF9FB49210F40856FE146D7650EA30F985CBA0

Function 00C6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998590879.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c6d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05cd6d848cd801c249e057d2b88ac89937304fad489e9b5c9b0ae01f3d3e7bec
Instruction ID: 2863ab1092091c377f605e7f9a72d17690ecf86289fdb921e288ad283fd3927f
Opcode Fuzzy Hash: 05cd6d848cd801c249e057d2b88ac89937304fad489e9b5c9b0ae01f3d3e7bec
Instruction Fuzzy Hash: 122179755093808FCB12CF24D994B15BF71EB46214F28C5EAD8498B6A7C33A980ACB62

Function 064F5758 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2831201fcd970a9c4a38c4745d9b6eeee1626c9e6f3e6663c2268bd40c5a0484
Instruction ID: ab31671e23cfb0a4dfed7cad28e4c6828655dca059ad906018df91106d079692
Opcode Fuzzy Hash: 2831201fcd970a9c4a38c4745d9b6eeee1626c9e6f3e6663c2268bd40c5a0484
Instruction Fuzzy Hash: 1121C471E20608CFDB58DFA9D9486DEBBF2EF8C311F14806AD505B7260EB719984CB61

Function 064F34E9 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892e0cd69a7a6a61e46b57a64dec63893ef91c7baa98b7dd0a4119987183333f
Instruction ID: 4f347565a810f4dc8374a12edca373e070d41ab180773c44bca2ffc0ec86adec
Opcode Fuzzy Hash: 892e0cd69a7a6a61e46b57a64dec63893ef91c7baa98b7dd0a4119987183333f
Instruction Fuzzy Hash: 01115536A01106DFEF62DF19D8808A6FB65FBD5321B04C1B7EA2587201C331E869CBE1

Function 064F009A Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f80fb7c6f29717ef9bb8392fef31aa5a4051074e9b2170696f639d42d184e8
Instruction ID: dc74c7ca51e909868dfdf367c46a414657cd4cf766e93652af613ec8f33f0d5c
Opcode Fuzzy Hash: 45f80fb7c6f29717ef9bb8392fef31aa5a4051074e9b2170696f639d42d184e8
Instruction Fuzzy Hash: 1311C4317156009FC7459F1DECA086A7BAAEFC6A11314419BEA05DB322DE61DC01C7A1

Function 064FEF32 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8038607c472d030a0cb846fde05ba1cb7f6daefd8247c6b560c3069979adf649
Instruction ID: fa76f1cc0f5d920eb55b0e4120a35e89a51ac2a5717c96cd8e56994e4b692a1c
Opcode Fuzzy Hash: 8038607c472d030a0cb846fde05ba1cb7f6daefd8247c6b560c3069979adf649
Instruction Fuzzy Hash: 50118631700210EFDB568F14D898E67B7A6EF84611B098196F904CF275C730CD50CBB0

Function 064FE4CA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726da8f5687733b2d54de119bd8c86a93de0c0ac05af2ead932904f6fab38c88
Instruction ID: dded040ab1daa36c8eaac23144f55b96e755597644a94617e9f4d037ef6822ed
Opcode Fuzzy Hash: 726da8f5687733b2d54de119bd8c86a93de0c0ac05af2ead932904f6fab38c88
Instruction Fuzzy Hash: FC114674E11119AFDF44DFA8E844AEEBBB6EF88311F14902AE900B7260CB345D05CBA0

Function 06258E70 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87717abc28d608d501150750b980a621cd1d894cb19d8e78ecd175ebcccd1724
Instruction ID: 4102ebd453dd900bf6721ce98b992a6a75258cbc564e4491d45279d18a9fd9c5
Opcode Fuzzy Hash: 87717abc28d608d501150750b980a621cd1d894cb19d8e78ecd175ebcccd1724
Instruction Fuzzy Hash: B521C274E112189FCB58DFA9E8846DDBBB6FF88311F10902AE805B7250EB781905CB54

Function 0625BF2F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa9169cfc453d8200bcabf916aca4e0dc89156c2bceed10f48e08ded67d679a9
Instruction ID: f31b15f1010cb559e999ff1621e268dc237419a2b78ec633b7ebd2b198c0e3fb
Opcode Fuzzy Hash: aa9169cfc453d8200bcabf916aca4e0dc89156c2bceed10f48e08ded67d679a9
Instruction Fuzzy Hash: C71125312202454FCB96A738A81456EBBE3EFC2381704483CE957C7754DD30AD8B87B6

Function 00C5D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998518426.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c5d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
Instruction ID: 0990009511ef8ab2e76cb793a9165cab81ebed1e4dc824f56801cd699c90c4c8
Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
Instruction Fuzzy Hash: 0511DF76404380CFDB16CF00D9C4B16BF61FB94325F24C6A9DC0A0B616C33AE99ACBA1

Function 00C5D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998518426.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c5d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
Instruction ID: 532ca04f3b8f3bd51abdf1ba42ee286c762429676f3ff0bd2193f17cb0050b75
Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
Instruction Fuzzy Hash: 5211AFB6504280CFCB16CF14D9C4B16BF61FB94319F24C6A9DC494B616C336D99ACBA1

Function 064F07E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46d7f5a00b321172f8b987360f3ee04c7f2ce3eecf8db471bd91de36b8d4755
Instruction ID: 684e5c5a15a3bf0ed47c1304256259e32f9b0f60057092a8305561106fe2b713
Opcode Fuzzy Hash: c46d7f5a00b321172f8b987360f3ee04c7f2ce3eecf8db471bd91de36b8d4755
Instruction Fuzzy Hash: C2115276A006049FCB00DF78D845DAEBBF9FF89211B11426AF905D7321D731E945CBA0

Function 06258350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0622cebc8fe3981f8f88af29f743adb9dc0a82e4ea04a98c992813b707c00f
Instruction ID: 8ae9b01a2f2f8465e47ae03d194456b3a546964ba8cc8ea107c0a43b0d720ad3
Opcode Fuzzy Hash: bd0622cebc8fe3981f8f88af29f743adb9dc0a82e4ea04a98c992813b707c00f
Instruction Fuzzy Hash: EE018F31B00119AFDB10DEA9EC44ABFB7FAEBC4261F14403AEA14D3240EB71A95587A1

Function 064FEEA8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a99a143a7f7cb6446614a3eb0ca55380201b8a2b98cc56b570e1ce6ec5ec8b
Instruction ID: 80701316506d75d17eca1046eac153a3e4a184e551597f7fe6f548fee71abd30
Opcode Fuzzy Hash: 54a99a143a7f7cb6446614a3eb0ca55380201b8a2b98cc56b570e1ce6ec5ec8b
Instruction Fuzzy Hash: B611B675900209FFCB81CFA8D5449ADBBF1EB08211F1484AAE909D7361E332DA61EF61

Function 064FE4D8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be31d255c09cfeffcf658fff154c07ba382dd18b16bea156e1455cf64008f05d
Instruction ID: f2b69493a2a223a15fc77e69cb6c9d7d9bbe1916e6088ec23c2a5e77bea79c23
Opcode Fuzzy Hash: be31d255c09cfeffcf658fff154c07ba382dd18b16bea156e1455cf64008f05d
Instruction Fuzzy Hash: 99111574E101199FDB44DFA9E844ADDBBF6EF89311F10902AE904B7360DB345941CBA4

Function 064FACF0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01674190306f939b4eaf4478c1010130b76e7345f16b36ada865523a4ebdff89
Instruction ID: 15c80448ecdb5fcd5f704d8931648c580325e468869d8a79c83c8dd0605ec0f5
Opcode Fuzzy Hash: 01674190306f939b4eaf4478c1010130b76e7345f16b36ada865523a4ebdff89
Instruction Fuzzy Hash: F2016231319204DFC7565729E9149A777AFEB86262715006BFA49C77A0CF358C82C761

Function 064F5D11 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 048ad906b5ed088383a1ccd4307c25c6341db4f0c8c4ae0606ce188c86a9c855
Instruction ID: 90e0a789c746c710630e636bdab6452b784de7b1751b1fea2ae339353cf0bba7
Opcode Fuzzy Hash: 048ad906b5ed088383a1ccd4307c25c6341db4f0c8c4ae0606ce188c86a9c855
Instruction Fuzzy Hash: 6211D672A113449FD76ADB64C444E977BB9EF06210F04819BE146CB551DA30E989C7A0

Function 0625C769 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44907e21437326ee23017b58f2cc72c2f7b210163aef1b9cca8b48153a552f24
Instruction ID: db9477f483c93a1c30dd14a1e542e3a21d2286c58dd312933440731022519ef3
Opcode Fuzzy Hash: 44907e21437326ee23017b58f2cc72c2f7b210163aef1b9cca8b48153a552f24
Instruction Fuzzy Hash: D911CE302043458FD325AB74E41466EBBE3EFC6342B148A2DD45A8B785DB74AD4A8BE1

Function 064F07F0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c2f8ca1834a0c247cca154adcc93e24899821ed0a51a5f4a758bdb201552354
Instruction ID: 594e497b9b9681e7b2e766b958900f98ba1eceb273bb6173d637edac0f26ed57
Opcode Fuzzy Hash: 0c2f8ca1834a0c247cca154adcc93e24899821ed0a51a5f4a758bdb201552354
Instruction Fuzzy Hash: B1014075A00605DFCB04DFA8D844CAEBBF9FF89221B100269E905D7320D730E945CBA0

Function 064F08A0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6642f93fe8232338e3dc9bc0cec8d24873c73325655b591b7170098853fd6df5
Instruction ID: da8de3cbfd0b5fb808263bd90b4b6665cf1269342497c7a8d1e72c20906bb1f5
Opcode Fuzzy Hash: 6642f93fe8232338e3dc9bc0cec8d24873c73325655b591b7170098853fd6df5
Instruction Fuzzy Hash: B2015A3690110AAFCB01CFA4DD05CEFBFB9EF4A210B1041A5F614EB171D6319A15CBB2

Function 06258F32 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88183bed0e27fa3a8bff336b7b5d6257ef1eaa2d07a0481edcb75bf766f1b345
Instruction ID: b8d234d75f15ef7917254c1e222319a3903af6abd1c09482687bcd696208a60a
Opcode Fuzzy Hash: 88183bed0e27fa3a8bff336b7b5d6257ef1eaa2d07a0481edcb75bf766f1b345
Instruction Fuzzy Hash: BD110570E0021A9FDB18DFA9D8545EEBBB6EF89305F10806AD914B7360DB755E41CFA0

Function 064FAD60 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a4ad427f72ab678c0fd4d5ea417b5ffcbee741731682c718f533ef1e5df3aed
Instruction ID: bca62e13cf45bdf5a3c165a5aec5818fb15db559f271fb59dcd5eec77c940307
Opcode Fuzzy Hash: 3a4ad427f72ab678c0fd4d5ea417b5ffcbee741731682c718f533ef1e5df3aed
Instruction Fuzzy Hash: ED01F734B04254AFC7129B78E858AABBFFAFB89250F08016AF605D7361C7709D45CBA1

Function 064F1D39 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 598dd8ead00a6240a025090010e90296ac0086bab2fb98f2edf67aee84e68106
Instruction ID: 8e43899d5f643796c2b3ce9559e5ea5f37002b12c2bab04c37c28e3e4dbd2aa7
Opcode Fuzzy Hash: 598dd8ead00a6240a025090010e90296ac0086bab2fb98f2edf67aee84e68106
Instruction Fuzzy Hash: CFF044327286098BE7A29358E800BFA37BA97812A1F040273E20DCF782C654F84187E0

Function 0625BF40 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35c53454a26087ba9e85ff7fdd14618164bb1f232bc7bfdd4c0248612e02e8e9
Instruction ID: 8f2c79c71449a3975670388151e251c8fb091aa858c7540ec2e91464d4d8ba87
Opcode Fuzzy Hash: 35c53454a26087ba9e85ff7fdd14618164bb1f232bc7bfdd4c0248612e02e8e9
Instruction Fuzzy Hash: AB01B1312202058FCA85A738E55852EBAE3EFC1395354883CE117C7754DE30BD8F87A6

Function 00C5D885 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998518426.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c5d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce5bdb8e9d8a01076412cde48e73d29d0b85a47074c8a8259a068f37743c5a20
Instruction ID: 8bccdd57999a364a90faf67db6e7f25eff1ce6ad6636ca7424af81abcc738b98
Opcode Fuzzy Hash: ce5bdb8e9d8a01076412cde48e73d29d0b85a47074c8a8259a068f37743c5a20
Instruction Fuzzy Hash: 0401F735108340DAE7208F1ACE84767BF98DF41326F18C46AED1A5E2C6C6389888DAB5

Function 064F7EDF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbb267037948c7dde1f307faac794fb93a9d333f4284d384081f4202a99ed58a
Instruction ID: ebc467ed9ce55e4849aea0a3619d1b81fd42b361f1436a233a5021d01aca6212
Opcode Fuzzy Hash: fbb267037948c7dde1f307faac794fb93a9d333f4284d384081f4202a99ed58a
Instruction Fuzzy Hash: 95F0F032A162147FAB014A55AC048FBBBAEEBC9260B014467FE01E7341CA305C5586F1

Function 06258C10 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ff1fa7e4c1101c6b5caf7d384ed08fad756dc3eba726bd4fc0051e22002cfee
Instruction ID: d108ec8949fd1cf7adac6e3d7fc67b6856a1290afad9fa92d31bef5c5ad8f821
Opcode Fuzzy Hash: 4ff1fa7e4c1101c6b5caf7d384ed08fad756dc3eba726bd4fc0051e22002cfee
Instruction Fuzzy Hash: 81F0F6723006155FE314DA59DC94FE77BADEBC8314F00452AE105D7381EAB1EC0087A0

Function 06256E90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb45e932bc2a8dca0c32a92a07903138f22684dc20e409bd8c416213430ee2f
Instruction ID: 42eb8c444c956dab43da91b05f63bb3aa6511f4e08cfa1912c9b89a52de86299
Opcode Fuzzy Hash: feb45e932bc2a8dca0c32a92a07903138f22684dc20e409bd8c416213430ee2f
Instruction Fuzzy Hash: 61F0F6632080D93FCB654E9A5C50EFB7FEDDBCD155B884016FED8D2241C468C951A7B0

Function 0625EB70 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62766f76c5a0b4e8b98e4b9445267b0c4d06b8d1b8fa932f4b6c1a0f8e84a11e
Instruction ID: 687758051891b5dc31dec533a3f776dc290ba8d1cd90569efad80d93a202234b
Opcode Fuzzy Hash: 62766f76c5a0b4e8b98e4b9445267b0c4d06b8d1b8fa932f4b6c1a0f8e84a11e
Instruction Fuzzy Hash: 5901FD346183499FCB42AF78C8108A93FB6EF86300B1484E9E945CB362EA32CD02C791

Function 064FEE08 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d36bdebcb398d8dde7456dd7444a755b97ebc99098c0db111a1a0fdfe5523db2
Instruction ID: 6ce96ef77d99974781be7abe609912b23b48946a412fce26b1c10ec509cba954
Opcode Fuzzy Hash: d36bdebcb398d8dde7456dd7444a755b97ebc99098c0db111a1a0fdfe5523db2
Instruction Fuzzy Hash: 7D01D431A04328AFDB25CF65C814AAFBFF6BF88301F14446EE542A3260CB759905DBA0

Function 0625C778 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72deda60ff6d8840f4cb3f402287a6d818609f5554019b1b13a6f73f29814370
Instruction ID: 787164f6ce87391fc7cbcc76d46f796a52bf68ed4e0d23b812a026af7b4c30ed
Opcode Fuzzy Hash: 72deda60ff6d8840f4cb3f402287a6d818609f5554019b1b13a6f73f29814370
Instruction Fuzzy Hash: B201B1342002048FD325AF65E41866ABBE3EFC5352B50CA2DD55B87784CF74AD4E8BE1

Function 06255508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571cfd487af96bbd163f820015032b2dcb37821dda4913b833572702b663d7c0
Instruction ID: bf156e7fc28b7e0446b7a560dfd4ef8e1f61a7a90c199b67151700a499c71d56
Opcode Fuzzy Hash: 571cfd487af96bbd163f820015032b2dcb37821dda4913b833572702b663d7c0
Instruction Fuzzy Hash: 9E018130A31702CFDBB99E39A504667B7F7BF84215B16883DEC0696614EAB1E484CB90

Function 06259158 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb61cc9ab9eaac60ca484670b796fa038aadd39c52b675210ebaed4ba724e0cf
Instruction ID: 10d8699a65057c61d712a8a3ef540e76dc03556a0f6a05581cae1c123fa2add5
Opcode Fuzzy Hash: eb61cc9ab9eaac60ca484670b796fa038aadd39c52b675210ebaed4ba724e0cf
Instruction Fuzzy Hash: 910144B4D0925ADFCB50DFA9D9497AEBFB4FB0A301F1084AAD815A3381D3741B80DB90

Function 064FF060 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfdebb63491730595dca48fa9d3be41c71b8981b24480629ebc5b9505e3e67a4
Instruction ID: 4fe649dba7b48066eb6b46be8c7d8052d29bff101615a5469f03bbbb9ac788dc
Opcode Fuzzy Hash: dfdebb63491730595dca48fa9d3be41c71b8981b24480629ebc5b9505e3e67a4
Instruction Fuzzy Hash: B4018B366002119FC786CF58C884C5ABBF9FB49320305C69BF918CB392CB70E845CB90

Function 064F2CC2 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38aa68afc2a683153d97188c7322bfcafea6730da5686c8fac42b96c22865e4a
Instruction ID: 8ea251058f15b5b3f3d8945e52a5b4b01077d5c963b90b11e5d2434c13ae7e1f
Opcode Fuzzy Hash: 38aa68afc2a683153d97188c7322bfcafea6730da5686c8fac42b96c22865e4a
Instruction Fuzzy Hash: D9F0EC793151109F8705DB18E894C7A7BBAFF8921531941D6F509CB332C621DC42CBA5

Function 064F7D5D Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf0479884d244a66bdc45c3a3c3bebe2a54f873dc824935ca35789e0572a80c
Instruction ID: ac3671c3e7f4a320b6d0eaeaf80789f73b10b03219adfc951a5509f700388134
Opcode Fuzzy Hash: fcf0479884d244a66bdc45c3a3c3bebe2a54f873dc824935ca35789e0572a80c
Instruction Fuzzy Hash: 3EF08C39B002058FCB46DFA9E5046AD77F2EFC8365B240069EA06DB3A0CB31DD45CB91

Function 064FAD70 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 109c2d3c655f085cc80f77a8c5877fe74eed2b4eab2cfede7a525538febed0ea
Instruction ID: a524c1abec19b24aaaba75e1d607ce502899bd57afb16b6a7a7f45780f228eeb
Opcode Fuzzy Hash: 109c2d3c655f085cc80f77a8c5877fe74eed2b4eab2cfede7a525538febed0ea
Instruction Fuzzy Hash: 2BF0AF31B041149FCB15DBA9D848AAEBBFAFB88351F08012AE60597361CB709D45CB90

Function 064F09EC Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 255e297c06bde21453d3c2685075dede564cba31071137d0476f45ce4eff8a4c
Instruction ID: e8f09bf3fdc308219e460f7c1e7294bbe81ddc35096f9a058f0dca3a747fc36b
Opcode Fuzzy Hash: 255e297c06bde21453d3c2685075dede564cba31071137d0476f45ce4eff8a4c
Instruction Fuzzy Hash: CD01E831640B049FC724DF2AC984957FBF5EF89310B008A2AE54A87B75DA71F8498B94

Function 06259168 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f938a4bcadbac66c610845d7db05eaefc6ee00e129afb729b5a3dde347301630
Instruction ID: 6dd551a31ea82e45b79d641863cb214676f424e8c1308b165f5b8932ca111491
Opcode Fuzzy Hash: f938a4bcadbac66c610845d7db05eaefc6ee00e129afb729b5a3dde347301630
Instruction Fuzzy Hash: 0001D6B4D0521ADFCB54DFA9D9486AEBBF5FB49301F1094A9D815A3350D7740B80DF90

Function 064FDED0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01301fd29960650af06393f0a3b9bcc41a80ac38874cae0722e7592550bf8d87
Instruction ID: 836720e71d28f337ff08515a0710d466a01c3d316114d647b6bb2628db48cf6d
Opcode Fuzzy Hash: 01301fd29960650af06393f0a3b9bcc41a80ac38874cae0722e7592550bf8d87
Instruction Fuzzy Hash: 07F01D74D152099FDBD9CFA99804ABBBBF6AF49211F00806AE518A3250E6305541CBA0

Function 064F7EB9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed62985f7e37b14dd4275da55e8ee842e30686df58f5ade370340ca268f048b
Instruction ID: c091d1a14ee4dc17cf4bb55be585a5f01eadc98ef0f9a0bc70e42bf6ce5fe235
Opcode Fuzzy Hash: 0ed62985f7e37b14dd4275da55e8ee842e30686df58f5ade370340ca268f048b
Instruction Fuzzy Hash: 4AF052713295806FEB968B10BC00BFB3F2BF781200F05809BEB01CB292C678492AC361

Function 00C5D884 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1998518426.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_c5d000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8b00610742edff1d1088da37fb8f02db3ba42fb1fb99af4566b33b6582730b
Instruction ID: 6274d8281c285fb7f1b3907c51ef171b1a29500edb543094f0703a6348f0a3c5
Opcode Fuzzy Hash: ef8b00610742edff1d1088da37fb8f02db3ba42fb1fb99af4566b33b6582730b
Instruction Fuzzy Hash: 20F0C2714083409AE7208F1ADCC4B62FFA8EB51725F18C45AED095E286C2789C84CAB1

Function 0625C440 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1c4da8f45d32e53978b51cf83a09b8cd812182b3b129c678fcb1aeff330d0d6
Instruction ID: e99409b69a9ddb5c675101aaaafff70abe837d42bfe9796c8c9c129588d87d58
Opcode Fuzzy Hash: d1c4da8f45d32e53978b51cf83a09b8cd812182b3b129c678fcb1aeff330d0d6
Instruction Fuzzy Hash: 3A012631505B428FD325EF25E408575BBF2FF89341B00CA2ED88BC2611DB30984ACF84

Function 0625B4B9 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b91cbf088d3692eba2bba3ecaec3e8a72c32480130ab9e24e506a91704aec89
Instruction ID: 5e07b583892c98514d6994e1b6de8f67f174f063974629a52064958db17618ae
Opcode Fuzzy Hash: 8b91cbf088d3692eba2bba3ecaec3e8a72c32480130ab9e24e506a91704aec89
Instruction Fuzzy Hash: 29F059312042805FE3212769A81479ABFD6DFCB742F01416DE61EC3283CA21084987B5

Function 0625C3E0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0974dfc1cc5e4f2875e6dd0badc0dc39185ad7ba5b695ace54a1c9fcfc54d66e
Instruction ID: 8b3bda04695861f6b6124fd162ba4f4f84e0b009ef91d35ca1666fffd392e544
Opcode Fuzzy Hash: 0974dfc1cc5e4f2875e6dd0badc0dc39185ad7ba5b695ace54a1c9fcfc54d66e
Instruction Fuzzy Hash: 73F0F6302093D54FC723A728E8147AE7FE6DF82254B09457EE682CB292DA656C0987A5

Function 06258C20 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b63bd7fd35d1d6d5a7d0634ceb114f3c1e4d6a8b42f108d880bbe1a5206614
Instruction ID: 5c827007babdfa0787a5b0b906792894f4f1a2e0f9f90804c365c02b3ff1f667
Opcode Fuzzy Hash: d3b63bd7fd35d1d6d5a7d0634ceb114f3c1e4d6a8b42f108d880bbe1a5206614
Instruction Fuzzy Hash: 56F05EB27002155FD714CA59EC44EABB7AEEBC8325F10452EE10AC7295EAB5EC0587A0

Function 064FFF60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1003448d7ea9da882764abfa85a9df109764fa5d3eb10be6931351ee196b9478
Instruction ID: 459d1bfdbd7d8ff66e8e69ddb4f99332cb3390048e426c30a4c47df8e3daad12
Opcode Fuzzy Hash: 1003448d7ea9da882764abfa85a9df109764fa5d3eb10be6931351ee196b9478
Instruction Fuzzy Hash: 1AF089767002186B8F459ED89C049AF7BABEBC8360B404429FA19C3350DB319D5557B5

Function 064FAD00 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1367029457dc02939b11149c33fb05d5dae2cb968bcf9e06e87b8afc2870b787
Instruction ID: 4d843ce4dad4027fe10afa48309dfa0b3a79dc2456c7714accc450b3867b007f
Opcode Fuzzy Hash: 1367029457dc02939b11149c33fb05d5dae2cb968bcf9e06e87b8afc2870b787
Instruction Fuzzy Hash: 6BF06D31710200CFC7598B2DD50856673EBABC5212714406AE60ACB7A4CF31CC82CB50

Function 064F08B0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 809f433c4e9e6e80f13e7c1586e0e8affa19b72e6a5110a3ce75d50b2ff69617
Instruction ID: 016b01a99da5919c1c9bee0392365b09a5feb07a4df4150872c745925082cde7
Opcode Fuzzy Hash: 809f433c4e9e6e80f13e7c1586e0e8affa19b72e6a5110a3ce75d50b2ff69617
Instruction Fuzzy Hash: CBF03C3690010AEFCF00DF98D904DDEBBB6FF49310B1041A5E618EB270D731AA15CB91

Function 062567C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92907aabce3d7bf50198235b3f730e0601b1d0464cff7043714d6509e2cf3cf4
Instruction ID: a3865841010ec53ae75af23a2b084c6634e6009c2c0b7da2488de5cd3d1d327b
Opcode Fuzzy Hash: 92907aabce3d7bf50198235b3f730e0601b1d0464cff7043714d6509e2cf3cf4
Instruction Fuzzy Hash: 02F0F031B103005FD7208A28AC45F967FE5EB42764F058166FA10CF1E2D7B1E8088390

Function 06256EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b58e221a73cdbfab476ecfe17235284a542185270ea356e08d160d41b24c9c1f
Instruction ID: b52d09468d9565a262591e97e18cd8a9400e83ed1dce2528dd97c3ee3b2e6fa1
Opcode Fuzzy Hash: b58e221a73cdbfab476ecfe17235284a542185270ea356e08d160d41b24c9c1f
Instruction Fuzzy Hash: F5F0A7762081E83F8B154E9A5C14CFB7FEDDACE1627084056FED8C2141C429C921ABB0

Function 062591E8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e22baa6c1b8bea20585ce4afcfac888a66c80bda0176a3112ab1cd89757608
Instruction ID: 71a3a724013421ade6776178ad3b85e382143d85cc973374b37ca6f7dcd65264
Opcode Fuzzy Hash: a8e22baa6c1b8bea20585ce4afcfac888a66c80bda0176a3112ab1cd89757608
Instruction Fuzzy Hash: 6FF05E317042048B8754DAEDD940566B7D6DB88624314C46EDD1EDBB40DA32EC038780

Function 0625AF88 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bdcc057e1f9608d14d5d3b0f29ba7d56d70e5379f92fb019bdc3a299de23f6
Instruction ID: b4297940c4d1ac2eb297f1902257d766005291be937e12baeb8762bebad2196e
Opcode Fuzzy Hash: b8bdcc057e1f9608d14d5d3b0f29ba7d56d70e5379f92fb019bdc3a299de23f6
Instruction Fuzzy Hash: CBF059723082904FD75317646C241BD7FA2DBC729270901DFD596CB293DA65850AC3E1

Function 064F2CD0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97a3f0c170bde756fba9f2c2785e23274ac9d93869de12526b2eecb9d4450f4
Instruction ID: 0d43b83a25bfe7b2abb3ce06b9a96c5755a6e8129519d6857ef8751eb7827c4e
Opcode Fuzzy Hash: b97a3f0c170bde756fba9f2c2785e23274ac9d93869de12526b2eecb9d4450f4
Instruction Fuzzy Hash: 37F07A753105109F8754DF59E898C6ABBEAFF8D6253258095E909CB331CB71EC41CBA1

Function 064F1D87 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2f6779ecb1f9aa0de80f2b798c83d0a93d5bf54fe2881322f307b3785f1fc91
Instruction ID: 4b3a2d671d957f38fa7caccd70d7fbb5e403af028287f7dc656fe23b40d1dadb
Opcode Fuzzy Hash: c2f6779ecb1f9aa0de80f2b798c83d0a93d5bf54fe2881322f307b3785f1fc91
Instruction Fuzzy Hash: 98F097313082005BD34627AAE84099D3BAB8BC5342F04417AF509CB782CE31D804C7E6

Function 06258341 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 817e992d8fbf6ef73d09e946f8f9fbf2d3c32ed0869844833242dca955782457
Instruction ID: fd9d069de98464a339048b0276fbe1a1306ad54d4d742e2166de1492f8d55ab1
Opcode Fuzzy Hash: 817e992d8fbf6ef73d09e946f8f9fbf2d3c32ed0869844833242dca955782457
Instruction Fuzzy Hash: B3F0EC31F101255B9B50DA699C45AFF77FDFF841617080036DD14D3100F774D81587A1

Function 064F3F70 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76aa80c3c3ff8c8e822d7c9e74525c47f237189874d40c880819b26da564b36d
Instruction ID: 46fefc3fe72d4d21b99a65316031c5b0f09e5f05290770d23baf1f1c254a677c
Opcode Fuzzy Hash: 76aa80c3c3ff8c8e822d7c9e74525c47f237189874d40c880819b26da564b36d
Instruction Fuzzy Hash: D3F0F8763501109F8744DF6ED888C0ABBEAEF8DA6031180BAF209CB332CA61DC01CB90

Function 064FE030 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6ca20a95f019ae912393e1a3ff7aedec8503322fcab4991ffb0919664744c2
Instruction ID: 69774e0c5399625e920afe630355c3c2b8b76e6d3c35bdd19cd603c728097133
Opcode Fuzzy Hash: 5f6ca20a95f019ae912393e1a3ff7aedec8503322fcab4991ffb0919664744c2
Instruction Fuzzy Hash: 4CF0A7367003116BC776965BD840A67B796AFC2110B08852FD6AD4B320DFB1E841C251

Function 064F56B2 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6762e5225f52788327f12eecd636b8d71a86be877d20656b5b53157c897727d8
Instruction ID: ef04b80d8a58bc0e3d5d33690cf183148ada72be5b3da6956cc0e1d1792280b5
Opcode Fuzzy Hash: 6762e5225f52788327f12eecd636b8d71a86be877d20656b5b53157c897727d8
Instruction Fuzzy Hash: 87F03A75D052599ECB40EFBC99045EEBFB8AF05200F14817AE958E7211E2344A55CBE1

Function 064F3F72 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7206cc6a7f7c74f4f59acae29007c67dda9fdfdda9da8e5bc4aad040a4657e7
Instruction ID: 2a2c170b6b37d7ce6f04418ac81cc9a24ecc07df1dfcdf929c0ed265976b63db
Opcode Fuzzy Hash: b7206cc6a7f7c74f4f59acae29007c67dda9fdfdda9da8e5bc4aad040a4657e7
Instruction Fuzzy Hash: 86F098763504109F8754DF6DD888C5A7BEAEFCD66131581BAF209CB331CA61DC45CB50

Function 062554F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c665f0a1dbf2c48cd272be0349d5ef70283b90627dcac6429d4d821717b5893
Instruction ID: 6025405e2cd704c75eb3937bf061df8e979d125d0cfcb9cf5f5be58e95d2c4c6
Opcode Fuzzy Hash: 5c665f0a1dbf2c48cd272be0349d5ef70283b90627dcac6429d4d821717b5893
Instruction Fuzzy Hash: D4F02431620702CFDBB8CE21DA00767BBF2AF80314F49886CDC4282A65D6B5E484CB40

Function 06259237 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a86f46dfd4e469ad4873096d16b9de84c8d62456f28c696d6261220d290449
Instruction ID: 03e4d753259635e8c7e32c507eb85c7997db281dcb50f3ffe3876fef12a59698
Opcode Fuzzy Hash: f0a86f46dfd4e469ad4873096d16b9de84c8d62456f28c696d6261220d290449
Instruction Fuzzy Hash: 52F0BE74E08344AFCB92EFA4E88079D7BB0EB01304F2181A9D8589B791DB788E05CB80

Function 06259294 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db8d8404acc5381a5f957e93659c461dd1ab2eab8bad2bb23acc48d0bdc1866b
Instruction ID: a7da0489236b2355284fbd2c617d53fb2f3ff3d1dd06b91a934b1cb092045e1e
Opcode Fuzzy Hash: db8d8404acc5381a5f957e93659c461dd1ab2eab8bad2bb23acc48d0bdc1866b
Instruction Fuzzy Hash: 5EF024B0D18280DFD7A1DBA0E8517AD7B70EB41300F0181CADC448F3E5DB789A40CB80

Function 0625B4C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e209ab1c567b4fcdc46e475e99cffbe500ed5196f07a8448ef86e57d50d5ca5
Instruction ID: af44e1290f3898b8af0ff2a46cda8f85f8b8b073ce8cea586867ae402855fe5e
Opcode Fuzzy Hash: 1e209ab1c567b4fcdc46e475e99cffbe500ed5196f07a8448ef86e57d50d5ca5
Instruction Fuzzy Hash: E2E09231200204AFD3146A9AA448B9EBADAEBC9355B00452CF60EC3282CE61584947B5

Function 064F4620 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97ede7b03fce58c92c359f76072c53af2f76ab397064a06e9e1db6a1802aa37
Instruction ID: 32782c74c1b0cdda24e6e59e750af7ad03145b5fe4c06f6a7463bf198931a4f4
Opcode Fuzzy Hash: f97ede7b03fce58c92c359f76072c53af2f76ab397064a06e9e1db6a1802aa37
Instruction Fuzzy Hash: DDE0DF3230A2A0AFC3014B29D844CA67FBEEFCA62131940DBF044C7223CA61DC42C3E1

Function 0625C450 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0839a17d2bb2edfe3b41597e384cd634e1bd5156853a6d415d93da96ea8d1ae9
Instruction ID: c697b9bd0a7663ac90035e6b99005a63dc3c334e0493ade390870eeb23d85df0
Opcode Fuzzy Hash: 0839a17d2bb2edfe3b41597e384cd634e1bd5156853a6d415d93da96ea8d1ae9
Instruction Fuzzy Hash: 60F09071501B029FD729EF26E408562BBF2FB88311700C62EE84BC3A10DB70A54ACF94

Function 0625CF10 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e19e35ce38e82acd79617ce9a54083f18699e4d498bdb016e073eeae5631a3
Instruction ID: 859b4da070a0ad6b3b3dcf4419c4bf91d7f027d3b3bc7c88ab08ab0c409da8f6
Opcode Fuzzy Hash: c0e19e35ce38e82acd79617ce9a54083f18699e4d498bdb016e073eeae5631a3
Instruction Fuzzy Hash: 56E0E5336297806FDB62EB24B80018EFF92D741750B02515ADC0ACB245F630084587A6

Function 064FCEFA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92afa1520e98899fd0f7eab52959591f11d99f2431b029c89b566a398bb6ab01
Instruction ID: f32d5df794de291191d139cbf4308b8ba8c5f3b81727e58a7cb34fdcd4bd5813
Opcode Fuzzy Hash: 92afa1520e98899fd0f7eab52959591f11d99f2431b029c89b566a398bb6ab01
Instruction Fuzzy Hash: 0CE086353601249F8A549F19D888CA677EDEF49A7130501AAFB06C7371DA52DC00CBE4

Function 064F6360 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063c6019e9039afe061165943b58329db0a885f7e2a66df501af3bab63ac5aae
Instruction ID: 45668644337613507ead8b8d101db44d213a4172569848568c8b4cec17f70663
Opcode Fuzzy Hash: 063c6019e9039afe061165943b58329db0a885f7e2a66df501af3bab63ac5aae
Instruction Fuzzy Hash: A4E0D835905254AFC301A724D8158857BBC9F4611431684DAE4188F222C221DC02CBF1

Function 0625AF40 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f181fb6929fbc26b9cbaf81b0318f2cf798245d20dc19dd6667638a144323254
Instruction ID: ca810d33dd408a1dbc21bb1a3f460b1d215bba696f4620872ea97cc69f3edf6b
Opcode Fuzzy Hash: f181fb6929fbc26b9cbaf81b0318f2cf798245d20dc19dd6667638a144323254
Instruction Fuzzy Hash: CAE022713082904FCB072774A8182AEBFA6DBC7222709019FE196C7283CA24494AC3E5

Function 0625B7D0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a0369d644272895617a6cfc3df3fe4403090771535d5d0a31eeec62b521052
Instruction ID: 5c37be49c100c47233d578b10f533ceafdb695996aa67e62b1f34362337c9ac9
Opcode Fuzzy Hash: f3a0369d644272895617a6cfc3df3fe4403090771535d5d0a31eeec62b521052
Instruction Fuzzy Hash: 5DF03935D0820DFFCB41DFB4D9488CDBFB9EB44204F1082A6D805E3240EA315B55CB90

Function 0625C3F0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c3ddcfcb156281261c1c00e3c8bde4a970a1d96894380c2df3118f8d5d33b4
Instruction ID: f6397f591d92c7ed3b2154327dedd1de6440bc4cf9b4bb1480d5e01b03255031
Opcode Fuzzy Hash: b5c3ddcfcb156281261c1c00e3c8bde4a970a1d96894380c2df3118f8d5d33b4
Instruction Fuzzy Hash: 67E0E5302047914FC712E72DE40879FBBE6DFC1314F04442DE246C7741CBA1A8498BA1

Function 064F56C0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d742f74caab8c034f36732db2725ea045d8744f39346631daf6a3260e99d95d
Instruction ID: e99a45f566dddd57662d66a9732e7c59ef672b6da1586c1e84ebca47300b55eb
Opcode Fuzzy Hash: 7d742f74caab8c034f36732db2725ea045d8744f39346631daf6a3260e99d95d
Instruction Fuzzy Hash: DAF01571C002198FCB40EFBCD8015DEBBF4AF05210F508126D949E7214E6345A558BD1

Function 064FDEFE Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06655da2e421bed07bfbd3383851490bdfc6753db6683e2a033d3a8631e7c0f
Instruction ID: 06b0a3d73e5a8af9a43cd43f8bb583cb6a323f0770fce11ef538ca24a89ee8f1
Opcode Fuzzy Hash: b06655da2e421bed07bfbd3383851490bdfc6753db6683e2a033d3a8631e7c0f
Instruction Fuzzy Hash: B4F01530E212098FCF98CFA9D108A6EBBF2AF48311F0040AAD609E7250DB35C941CFA5

Function 064F1D48 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e5ad3c786c4ce1e434b9e16e0812b37511be057cbe63897baa0f35ef08139f5
Instruction ID: 2a0dee2deea86cca137f63f9729a57525baf82a629a24cdb98a7322f3a3fd507
Opcode Fuzzy Hash: 7e5ad3c786c4ce1e434b9e16e0812b37511be057cbe63897baa0f35ef08139f5
Instruction Fuzzy Hash: 46E0863367852A43E7625398E0153F676AD8B84661F040177D60DCBF45C994A85547E0

Function 06255698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0628d151bae9e05807f9ba2cd46bf8c136dae72595e9fdce4552f70452b27f
Instruction ID: e936f0db36a0aee9c82e95d2b391a99132d7231ecc1e6bdb23426be3f50fab6e
Opcode Fuzzy Hash: 0e0628d151bae9e05807f9ba2cd46bf8c136dae72595e9fdce4552f70452b27f
Instruction Fuzzy Hash: 8AE092B210C3119FD3449B24E8058A67BA4EBA5220F06886EE840C7181E732E841C7A5

Function 06259248 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cfff4069d14b515724801cf0b48d6a3f74c2f0da401d0e0d33aaa914c7f9e23
Instruction ID: 86ab32d964ab5d6b544219426676467469df6c62de779c4c9894b6d1d11f33bf
Opcode Fuzzy Hash: 5cfff4069d14b515724801cf0b48d6a3f74c2f0da401d0e0d33aaa914c7f9e23
Instruction Fuzzy Hash: 2DF06D74E14308AFCB95EFA4E880B9DBBB0AB44304F1081A8E8049B394EB745D40CF80

Function 062591DA Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03f84ec4c3724f104aec60849b1bd3fb90577b293f6d4452fec43e9dfc608b81
Instruction ID: 1c7baf5fb18028a228d1eecb2a1b933aaf4b96ad8e3a4e15a11233e2174ccc46
Opcode Fuzzy Hash: 03f84ec4c3724f104aec60849b1bd3fb90577b293f6d4452fec43e9dfc608b81
Instruction Fuzzy Hash: 43E08631A049148BD3A0D66DD9517A2BBD5DB88614B14C479DD1DDBB80E932D803C380

Function 064F59D3 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48fd684a46d69cdf0d2997ba3be746f74c99aea7ff6b326c90a7dafc8b72853b
Instruction ID: caa3b0df64f20eb6c735663f93bea68a1abd2d4eb5ba642d1175843d1ad4611c
Opcode Fuzzy Hash: 48fd684a46d69cdf0d2997ba3be746f74c99aea7ff6b326c90a7dafc8b72853b
Instruction Fuzzy Hash: 42E0927091874BCFDB49DF60C004A9DBFB1AF95310F28195BD546AB280CB744A82CB92

Function 0625E4BF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b821d3b7397b03e4b324fb3d410e2b80219c95c8943d66699b65b4bcda4500b
Instruction ID: aaef1b5be49bd48623c8f6215e48da31c241d3c37fe421a058e8dfe0f9fcfc3c
Opcode Fuzzy Hash: 8b821d3b7397b03e4b324fb3d410e2b80219c95c8943d66699b65b4bcda4500b
Instruction Fuzzy Hash: E8E04871E49248FFCB01DB74A9519AD7BF1DB82301B2041D6D809D7391E5705F159761

Function 0625E540 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490cfeaf49563f35de2ab6a60f6aaf28d6c25b0b33ceb43fd8ec1b9ae6ec4893
Instruction ID: d3883dc3dfe9bef5c4d3dab6d53ebc0727e6faf0e18f83f58fe53fcb4c41fe68
Opcode Fuzzy Hash: 490cfeaf49563f35de2ab6a60f6aaf28d6c25b0b33ceb43fd8ec1b9ae6ec4893
Instruction Fuzzy Hash: 29E06F3542A300AFCB01F620BC02581BBA2A789700B020051EC025B2AAEB305E8A8BE1

Function 0625AF50 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6c4c9683f4ef995596c71f5637ba1fd6a7c90e90528f6e39666cadeb16b046a
Instruction ID: 6c88313ed6fc0a93baa18793cc6d0202252d6a8dc705e3336c5accf95f4ef87a
Opcode Fuzzy Hash: b6c4c9683f4ef995596c71f5637ba1fd6a7c90e90528f6e39666cadeb16b046a
Instruction Fuzzy Hash: 1AD05B713002189796052769B4186AE779BDBC9662305012AE607C3341CE755D4D47D5

Function 064F4630 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a452cb772d93bedd8a619941b7491fb5ab16f0172404a08ab640fa9c7b6a53c
Instruction ID: a7b72cbb2aaffc31f0eca3bb75c1946828cdb064af4a6b619e24618079696bd5
Opcode Fuzzy Hash: 3a452cb772d93bedd8a619941b7491fb5ab16f0172404a08ab640fa9c7b6a53c
Instruction Fuzzy Hash: C6D05E327101209FC7049F5EE44486ABBEFEFC966132540ABE109C7322CAB1EC03C790

Function 0625B7E0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf2752ed0baa2504a3efc8be11aa6f71825aacf45f123cb820175e261e3216d0
Instruction ID: b15737afcbb9e4ce78a741e37a3f46ac402388f590927871e87ddb223c95c758
Opcode Fuzzy Hash: cf2752ed0baa2504a3efc8be11aa6f71825aacf45f123cb820175e261e3216d0
Instruction Fuzzy Hash: 98E09275D0020DEFCB40DFE4E9448DDBBB9EB48200F1082AAD909E3200EB306B66DF90

Function 0625EBB8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cc03c8d3f7323b6f47ab8611a10b3434b7f33dc8494ca23f7867044f1659968
Instruction ID: 7086d894d79e9b0e1d9541dc80018f200e4154d1349b90d2d0572635c6bb407b
Opcode Fuzzy Hash: 4cc03c8d3f7323b6f47ab8611a10b3434b7f33dc8494ca23f7867044f1659968
Instruction Fuzzy Hash: A9E08C396282828FDB52AF14C8008583FB0BF1A752B0A40C9E9858F162C2318821DB60

Function 0625E4D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e40b922424e39a7dfa8a8bb452db19e2f12cc9ede7ebb1b64b02f77a4b6e1c
Instruction ID: c02a4ee956d4ff6836f025fecd728376c62f965ff788f740c6eccaba4193fc4b
Opcode Fuzzy Hash: f4e40b922424e39a7dfa8a8bb452db19e2f12cc9ede7ebb1b64b02f77a4b6e1c
Instruction Fuzzy Hash: F7D05E71A0020CFFCB40EFA8E90195DF7FAEB84314B2081E9D809E7340EA316F049BA1

Function 064F3750 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17f55b0ccbaa297f4a116839ce09f28a028980a797300bb378f3784ee3c32feb
Instruction ID: d548d2a208cefe93fbacda54e00ab6791e5bdcd71cedefcf9d53b63ba70c13c5
Opcode Fuzzy Hash: 17f55b0ccbaa297f4a116839ce09f28a028980a797300bb378f3784ee3c32feb
Instruction Fuzzy Hash: E1D0C775A141049F5751EF2DD585D1377E8DB54650718C195EE04C7311E631E810C6D1

Function 064F4A00 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1462e7a6bf461a29227d1aef368b1e6aa331f48c41811d3324bfd47f1c7550f
Instruction ID: 711b81e64a88562ae9142f7f85946830f9fb67945625d237fe41d2518bad0938
Opcode Fuzzy Hash: a1462e7a6bf461a29227d1aef368b1e6aa331f48c41811d3324bfd47f1c7550f
Instruction Fuzzy Hash: 10C0123400E3413EC2421B608C10CB77E6DAA56210F454A86B5D4950B2C22509588372

Function 064F3060 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d174dab81f08aaa74c86b670da430441462b7e8e2201d930fe936c692149da22
Instruction ID: f94901aa57b72a2e8e807e2318eff4eb88d73258a439079b9c54e002bd8745a2
Opcode Fuzzy Hash: d174dab81f08aaa74c86b670da430441462b7e8e2201d930fe936c692149da22
Instruction Fuzzy Hash: 8FD05E30628211CFD682FB24F100699B393E784750B018518D1475FB5CEB701985D7C6

Function 0625FBAB Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60e67261952b8801980b3f6ab125a5eff6e20a9631e10301f64d614a7bbe6604
Instruction ID: 51b7fb2836d7c85cb4a46fe42afaec449aa2d94abb5be0c6179921286a6bdd6a
Opcode Fuzzy Hash: 60e67261952b8801980b3f6ab125a5eff6e20a9631e10301f64d614a7bbe6604
Instruction Fuzzy Hash: 22C012367401200B1686BA6CB0100AEA6D7E3C82E3385413AEA0EC3398CE608C864BA5

Function 064F1B99 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69728033d4f2fbbd90832978cc2975971b9bcfcf79d98bed3763ffef660404c6
Instruction ID: 4c0b5719354d112d144e3094cfe746dd739349c301687f620aefe7f2c2d3be73
Opcode Fuzzy Hash: 69728033d4f2fbbd90832978cc2975971b9bcfcf79d98bed3763ffef660404c6
Instruction Fuzzy Hash: 3CD05E7050F2C19FDB16E760FE65B013FA25B12304F15A9EAD0809F1A7D67444A5C7A2

Function 064FACD0 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d053fdf7a51a25ba1f63fb41cb0ed314fc4cca3c05c8225c757a5607601d4dc
Instruction ID: 5685af607912f818aabb892d08668930f9028b1c66e7dce0f157f7aca74b4aa1
Opcode Fuzzy Hash: 5d053fdf7a51a25ba1f63fb41cb0ed314fc4cca3c05c8225c757a5607601d4dc
Instruction Fuzzy Hash: ECC08C305A0108CFC740ABA8F00889A37A9FF9463A3114091F61C8BB31EB32EC409AA0

Function 064F041E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019338081.00000000064F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_64f0000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 493fafe6ab84d0b288f7858af8888110200fbaafc8ad2cb8ae0709e6bf431ea4
Instruction ID: c7614b04b3a9c5fa1179e5e68121747291243a8c49abe287a284533755abc586
Opcode Fuzzy Hash: 493fafe6ab84d0b288f7858af8888110200fbaafc8ad2cb8ae0709e6bf431ea4
Instruction Fuzzy Hash: A4D0C97094520BCFE714DF50C269BBEBB71EF54708F600419D101BA652C7768A4ACBE1

Function 06253721 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 925f0ef3794e8e3f3d4737a67ed1360c1fc21af2dbd97beaa8c07b839f908fea
Instruction ID: 97e7517ae8b35c9faf3a99e6e6c8ae98f83d0e0ec4d841ec8d0a671f8e57afc4
Opcode Fuzzy Hash: 925f0ef3794e8e3f3d4737a67ed1360c1fc21af2dbd97beaa8c07b839f908fea
Instruction Fuzzy Hash: 04B0123232150427F714B140EC0BFE63C10EBD0B08F29C2127B57A5185CB92E448D4FB

Non-executed Functions

Function 06532E88 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

$^q, xrefs: 06532F7B
$^q, xrefs: 06533039

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 37c44cf084007143846ad13971ec66089bf7b6b84d6936919cf01123a0ad4836
Instruction ID: e4cad7787f4e62f96137f61ef3bbb30e32eda4e49d44b84588609f87a390d205
Opcode Fuzzy Hash: 37c44cf084007143846ad13971ec66089bf7b6b84d6936919cf01123a0ad4836
Instruction Fuzzy Hash: 3E61BC74E002189FDB44DFA9C880ADDBBB2BF89700F249169E405BB265DB34A986CF54

Function 06533158 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2019605399.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6530000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdfe8a0a260da19254cea888f2b7b243d3d7c22f4b224808825b77d856051c2
Instruction ID: c470297e52a369cca2010c24f3a5c52990b5c2cbe474e064c7ebfe255716f4c4
Opcode Fuzzy Hash: 1fdfe8a0a260da19254cea888f2b7b243d3d7c22f4b224808825b77d856051c2
Instruction Fuzzy Hash: 84011634E45318EFCB40CF94D881AEDFBB5FB4A711F219196E809AB262C6359D11CFA0

Function 0625EFD0 Relevance: 7.9, Strings: 6, Instructions: 377COMMON

Download Yara Rule

Strings

(_^q, xrefs: 0625F33A
(_^q, xrefs: 0625F3B9
(_^q, xrefs: 0625F03A
(_^q, xrefs: 0625F0B9
(_^q, xrefs: 0625F239
(_^q, xrefs: 0625F1BA

Memory Dump Source

Source File: 00000007.00000002.2019061977.0000000006250000.00000040.00000800.00020000.00000000.sdmp, Offset: 06250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_6250000_RegAsm.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q$(_^q$(_^q
API String ID: 0-2896069617
Opcode ID: 01a1bd6d34dfdefe7499150bd5d456ea3f415f3b4cd344f595f2184ae93b7e08
Instruction ID: 275bddd85ba77a246428896ee222d9e8057d2454acce0ae31eacb914b9d009fc
Opcode Fuzzy Hash: 01a1bd6d34dfdefe7499150bd5d456ea3f415f3b4cd344f595f2184ae93b7e08
Instruction Fuzzy Hash: 83D1DD79B14344AFCB15AF78C41456E7BB2EFC6310F2581AADC06DB382DA319E06CB91

Analysis Process: crypteda.exePID: 1260, Parent PID: 7860COMMON

Execution Graph

Execution Coverage:	28.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02BF2551 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02BF24C3,02BF24B3), ref: 02BF26C0
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02BF26D3
Wow64GetThreadContext.KERNEL32(000002C8,00000000), ref: 02BF26F1
ReadProcessMemory.KERNELBASE(000002CC,?,02BF2507,00000004,00000000), ref: 02BF2715
VirtualAllocEx.KERNELBASE(000002CC,?,?,00003000,00000040), ref: 02BF2740
WriteProcessMemory.KERNELBASE(000002CC,00000000,?,?,00000000,?), ref: 02BF2798
WriteProcessMemory.KERNELBASE(000002CC,00400000,?,?,00000000,?,00000028), ref: 02BF27E3
WriteProcessMemory.KERNELBASE(000002CC,029D64C4,?,00000004,00000000), ref: 02BF2821
Wow64SetThreadContext.KERNEL32(000002C8,029E0000), ref: 02BF285D
ResumeThread.KERNELBASE(000002C8), ref: 02BF286C

Strings

VirtualAlloc, xrefs: 02BF2618
ress, xrefs: 02BF25DB
VirtualAllocEx, xrefs: 02BF2651
Load, xrefs: 02BF258F
aryA, xrefs: 02BF2597
WriteProcessMemory, xrefs: 02BF2664
CreateProcessA, xrefs: 02BF2605
ReadProcessMemory, xrefs: 02BF263E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02BF26BF
TerminateProcess, xrefs: 02BF274F
GetThreadContext, xrefs: 02BF262B
ResumeThread, xrefs: 02BF268D
GetP, xrefs: 02BF25D3
SetThreadContext, xrefs: 02BF2677

Memory Dump Source

Source File: 00000009.00000002.1879724765.0000000002BF2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2bf2000_crypteda.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction ID: cc9c27ab65e3727b51bd46a017ab9eea191e674cf27d633cdc2f870488445079
Opcode Fuzzy Hash: 6ed679946abb4a161c9f75f6101290084365813039212a6bd0c7882d8dd446c2
Instruction Fuzzy Hash: 43B1D57664028AAFDB60CF68CC80BDA77A5FF88714F158564EA08EB341D774FA41CB94

Function 00FD1001 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FD1082

Memory Dump Source

Source File: 00000009.00000002.1879331110.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fd0000_crypteda.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0f66145b1a51d7fc05702cdabb5d9ad312f3ddba982eb751d4543f81ea254ba6
Instruction ID: 6e53148d06299ac7baaa7457367ab4b4a2a810643d2f3d2555b11aa65552dcd8
Opcode Fuzzy Hash: 0f66145b1a51d7fc05702cdabb5d9ad312f3ddba982eb751d4543f81ea254ba6
Instruction Fuzzy Hash: 3E2135B1D00259AFCB10DFA9C885AEEFFB4FF48320F14852AE818A7240C7785944CFA1

Function 00FD1008 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 00FD1082

Memory Dump Source

Source File: 00000009.00000002.1879331110.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_fd0000_crypteda.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 631e38b5927ace1cd1eec697892a5072c8918150f26d0225ca885293aaf08f8f
Instruction ID: 07692693e34e174c2a2fc11de9424ce6c60bb67a09c40e555192d6cb421c3417
Opcode Fuzzy Hash: 631e38b5927ace1cd1eec697892a5072c8918150f26d0225ca885293aaf08f8f
Instruction Fuzzy Hash: 3321F7B1D00259ABCB10DFAAC884ADEFBB4FF48324F14852AE918A7240C7756954CBE5

Analysis Process: RegAsm.exePID: 1748, Parent PID: 1260COMMON

Execution Graph

Execution Coverage:	5.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	61

Executed Functions

Function 0041FE9D Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041FB56: CreateFileW.KERNELBASE(?,00000000,?,0041FF46,?,?,00000000,?,0041FF46,?,0000000C), ref: 0041FB73

GetLastError.KERNEL32 ref: 0041FFB1
__dosmaperr.LIBCMT ref: 0041FFB8
GetFileType.KERNELBASE(00000000), ref: 0041FFC4
GetLastError.KERNEL32 ref: 0041FFCE
__dosmaperr.LIBCMT ref: 0041FFD7
CloseHandle.KERNEL32(00000000), ref: 0041FFF7
CloseHandle.KERNEL32(?), ref: 00420144
GetLastError.KERNEL32 ref: 00420176
__dosmaperr.LIBCMT ref: 0042017D

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 8a6ad238e456dfb5c6acf6d43a8fdbc71dc0bcedd465f29062b7f109bfad7472
Instruction ID: bfa7e2cc036e27e26c30110013f893a37d44138e153881355e96e1974d99462b
Opcode Fuzzy Hash: 8a6ad238e456dfb5c6acf6d43a8fdbc71dc0bcedd465f29062b7f109bfad7472
Instruction Fuzzy Hash: 6AA14832A041148FCF19EF68EC91BAE3BA0AB06314F14016EF801EB3D2C7799857DB59

Function 004038B0 Relevance: 12.7, APIs: 3, Strings: 4, Instructions: 401
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(shell32.dll), ref: 004038FA

Strings

.exe, xrefs: 004039D4, 004039E5, 00403C18, 00403C29
shell32.dll, xrefs: 004038F5
open, xrefs: 00403DF4, 00403E15
` H, xrefs: 0040392E

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .exe$` H$open$shell32.dll
API String ID: 1029625771-2834257608
Opcode ID: d4c97a5889b133242607335a8d42e56c099b9df17a057e4e584b721371644320
Instruction ID: 857efcede616dcd8c83fca5595c578517c5b7e2349eff73c2340159bc27b1389
Opcode Fuzzy Hash: d4c97a5889b133242607335a8d42e56c099b9df17a057e4e584b721371644320
Instruction Fuzzy Hash: F7E118312083408BE328DF28CD45B6FBBE5BF85305F144A2DF485AB2D2D779E5458B9A

Function 00411422 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041141C,00000016,0040BD88,?,?,FBF4E51B,0040BD88,?), ref: 00411433
TerminateProcess.KERNEL32(00000000,?,0041141C,00000016,0040BD88,?,?,FBF4E51B,0040BD88,?), ref: 0041143A
ExitProcess.KERNEL32 ref: 0041144C

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction ID: 9f5cffd960a9e5e784bd49b974cdbcfa3e36e1e28e8dab912b0267a8a3414f4f
Opcode Fuzzy Hash: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction Fuzzy Hash: 76D09E31100508AFCF117F61DC0DA993F2AAF44745B858025BA0556131CB3A9993EA5D

Function 00416D9F Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004164B2: GetConsoleOutputCP.KERNEL32(FBF4E51B,00000000,00000000,0040BDA8), ref: 00416515

WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC65,00000000,00000000,00000000,00000000,?,?,0040BC65,?,?,004328B8,00000010,0040BDA8), ref: 00416F08
GetLastError.KERNEL32(?,0040BC65,?,?,004328B8,00000010,0040BDA8,?,?,00000000,?), ref: 00416F12

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction ID: 2fa65d471856ac80343e11fa98bfc53c13d7c1330e77fa5001ed2fcda6fa269c
Opcode Fuzzy Hash: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction Fuzzy Hash: 9F61D675D00249AFDF10DFA9C844AEF7FB9AF09308F16415AF800A7252D339D986CB69

Function 00414D4D Relevance: 3.1, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00414C34,00000000,CF830579,00432C48,0000000C,00414CF0,0040BCFB,?), ref: 00414DA3
GetLastError.KERNEL32(?,00414C34,00000000,CF830579,00432C48,0000000C,00414CF0,0040BCFB,?), ref: 00414DAD

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ChangeCloseErrorFindLastNotification
String ID:
API String ID: 1687624791-0
Opcode ID: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction ID: 85074f4f6ff141bd7efcce855698502eef5de44000b51f9bf88cca9df30e92f5
Opcode Fuzzy Hash: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction Fuzzy Hash: 77114C326041105ACB206675BC857FE27459BD2738F25025FF908C72C2EB388CC1529D

Function 00403ED0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004038B0,00000000,00000000,FBF4E51B), ref: 00403EF6
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403EFF

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: 9419f3325bceeff1f49f4aa1ba74e54397c78aa36a806008d2e466c127b4d74a
Instruction ID: 586eb301f3ad505b2fb8a5e2c0845f04df15ed7da879dad1818cca3ffdf321d7
Opcode Fuzzy Hash: 9419f3325bceeff1f49f4aa1ba74e54397c78aa36a806008d2e466c127b4d74a
Instruction Fuzzy Hash: 7EE08675748300ABD720FF24DC07F1A3BE4BB48B01F914A39F595A62D0D6747404965E

Function 004143BC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction ID: 2b8528776d8d16502f0b8a76a82d10506d50424a6c704f85483994a1d03f90d6
Opcode Fuzzy Hash: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction Fuzzy Hash: 9D012D377001255FDF25CE6EEC40BDB3396EBC47243548536F914DB544DA34D8829759

Function 00413EE2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00413F1C

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: caa3c88317b3bbee83e5854bbea9c678844db8772e50a39c133be3f8c5400fb7
Instruction ID: ec9553a80a63d261aca480410fc230252e3ea256619d772961208cbce9478613
Opcode Fuzzy Hash: caa3c88317b3bbee83e5854bbea9c678844db8772e50a39c133be3f8c5400fb7
Instruction Fuzzy Hash: F6111871A0420AAFCF05DF58E9419DF7BF4EF48304F0440AAF805AB351D631DA15CBA8

Function 00414084 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,004152C9,00000001,00000364,?,00000006,000000FF,?,?,0040E067,00415459), ref: 004140C5

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction ID: 3ab61ddca1e281f31ccd9bd3b5a9704ff4491f1e9476c0382436f1b215dccb25
Opcode Fuzzy Hash: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction Fuzzy Hash: 83F0BB31144624A6DB215A639C05BDB3F889FC5760F158127F908EA590CA78DCD582AD

Function 0041FB56 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,0041FF46,?,?,00000000,?,0041FF46,?,0000000C), ref: 0041FB73

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction ID: 28cfbda6749b70c9de2fbd9d245fef773b8951bf2dd70127050a9a6bf190398c
Opcode Fuzzy Hash: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction Fuzzy Hash: 05D06C3210010DFBDF128F84DC06EDA3FAAFB4C714F018010FA5856021C732E832AB94

Non-executed Functions

Function 0041EB91 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEAF,00000002,00000000,?,?,?,0041EEAF,?,00000000), ref: 0041EC2A
GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEAF,00000002,00000000,?,?,?,0041EEAF,?,00000000), ref: 0041EC53
GetACP.KERNEL32(?,?,0041EEAF,?,00000000), ref: 0041EC68

Strings

OCP, xrefs: 0041EBE5
ACP, xrefs: 0041EBAF

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction ID: c85fc144d60ddc6525dae33cd09e0d060d1fedf04b2ffe12a12074c054b5e7b8
Opcode Fuzzy Hash: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction Fuzzy Hash: 0D218E3A704104EADB38CF16CD05AD772A6AB54B54B5A8426ED0AD7304F73ADEC1C798

Function 0041ED66 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE72
IsValidCodePage.KERNEL32(00000000), ref: 0041EEBB
IsValidLocale.KERNEL32(?,00000001), ref: 0041EECA
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF12
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF31

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: cb1f43e0842fc1b57530168fcb5aadb50c479eb7f68bca799765aa874482350f
Instruction ID: 6dcde63b9ee3f13586b647639649f64518bbb4cfa058cf0b9fa01e7f3d3dbd24
Opcode Fuzzy Hash: cb1f43e0842fc1b57530168fcb5aadb50c479eb7f68bca799765aa874482350f
Instruction Fuzzy Hash: 2951A075A00206ABDF20EFA6DC45AEB77B8BF04700F49452AED11E7290D7789981CB69

Function 0041E402 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetACP.KERNEL32(?,?,?,?,?,?,00411ED1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4C3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411ED1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4EE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E651

Strings

utf8, xrefs: 0041E5C0

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 1eb3fb8f5e23b37753c7c554b08859c7808b39e1099525de27aec97b4695ee5a
Instruction ID: e1a377e19c5f71cd44c11824ea9e35987c280acd53c56ff76f51ea565ef0af36
Opcode Fuzzy Hash: 1eb3fb8f5e23b37753c7c554b08859c7808b39e1099525de27aec97b4695ee5a
Instruction Fuzzy Hash: AB71F779A00201BADB24AB77CC46BEB73A9EF44718F14442BFD05D7281FA7CE9818659

Function 00415625 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004156B2

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction ID: a35172905f2c9e80df687ae2f548e4ff91b5a56ee58bfd6494556f9989062819
Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction Fuzzy Hash: 44B16A72E00655DFDB11DF68C8817EEBBA5EF85310F14416BE815AB381D238DD81CBA9

Function 00407AF1 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407AFD
IsDebuggerPresent.KERNEL32 ref: 00407BC9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BE9
UnhandledExceptionFilter.KERNEL32(?), ref: 00407BF3

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction ID: e6d40a2ad45d1a0383389914ec1c7b177219f7559a83785ff08c1c1c590c79bb
Opcode Fuzzy Hash: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction Fuzzy Hash: 76314975D0521CDBDB21DFA0D989BCDBBB8BF08304F1040AAE40DAB290EB755A85CF49

Function 0041E815 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E869
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E8B3
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041E979

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 70364720e12663236a414e2dcb1dce5353f717cfc86153b9853f2e5e3999c068
Instruction ID: 519a0177cb526aaaa458b2f6b8e716251f3c0a2969a148864a23d158d411bc59
Opcode Fuzzy Hash: 70364720e12663236a414e2dcb1dce5353f717cfc86153b9853f2e5e3999c068
Instruction Fuzzy Hash: 9B617B75A102079FEB289F26CD82BEA77A8FF44354F14417AED05C6681E738E981CB58

Function 0040DD68 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000001), ref: 0040DE60
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000001), ref: 0040DE6A
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000001), ref: 0040DE77

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: c9299be453f233d1f34e7b439eda9d176e6efb048eb56d82e46d8d1a49e6a2a2
Instruction ID: d2f4f48b52c025ad6b33b38734eeeb510d7991f02fac7d06ce453438f3003fcc
Opcode Fuzzy Hash: c9299be453f233d1f34e7b439eda9d176e6efb048eb56d82e46d8d1a49e6a2a2
Instruction Fuzzy Hash: A731C574D012289BCB21DF65D98978DBBB4BF58310F5041EAE41CA7290E7749F858F49

Function 0041EA68 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0041EABC

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 9d790b3c45bb2bf0643d5e8ab68d8f402ebc04587a63254904ddd76dacdf4023
Instruction ID: 789565f62a9f3b81efb00754059a0722f9dd97d30215528fd29c40c366a42c5d
Opcode Fuzzy Hash: 9d790b3c45bb2bf0643d5e8ab68d8f402ebc04587a63254904ddd76dacdf4023
Instruction Fuzzy Hash: F1217136605206ABDB28DE26DC42AFB77A8EF44714B10407FFD06D6241EB79BD81CA58

Function 0041E6EF Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

EnumSystemLocalesW.KERNEL32(0041E815,00000001,00000000,?,-00000050,?,0041EE46,00000000,?,?,?,00000055,?), ref: 0041E761

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c41bd8c13944af45959f55b7b285689f368a5b2ee216d29e3bbf5953bd320f82
Instruction ID: 3355e78b0c1919935c13ae0f7f932fd25516bb8159513c05bc37ad2f76743b3e
Opcode Fuzzy Hash: c41bd8c13944af45959f55b7b285689f368a5b2ee216d29e3bbf5953bd320f82
Instruction Fuzzy Hash: 6911E93B6007019FEB189F3AD8916FAB791FF80358B19442EE99687740E7757983C744

Function 0041EC97 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0041EB12,00000000,00000000,?), ref: 0041ECC3

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction ID: a74d281951bb25d9d225ee6b49b477873636137a5a6801bc69a0b20bd4e45b62
Opcode Fuzzy Hash: f78a423274370276909a02de998c8e2fb19ace7283c045400ea6aabaf7fbf6a9
Instruction Fuzzy Hash: BCF0A93AA00126BFDB245A269C45BFB7764EB40754F15442AED07A3280EA78FE82C6D4

Function 0041E5FD Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E651

Strings

utf8, xrefs: 0041E5C0

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID: utf8
API String ID: 3736152602-905460609
Opcode ID: d3c02c1389eacca91a5e291a11e928c47885a93e678f07e32e4ca4d141b25baf
Instruction ID: c8b41ea417b063d59171f4d5afc3dd36f9caaff362045ecd69b67607d46fe07f
Opcode Fuzzy Hash: d3c02c1389eacca91a5e291a11e928c47885a93e678f07e32e4ca4d141b25baf
Instruction Fuzzy Hash: AFF0C836A10115ABC724AF35EC46FFA37E8EB88314F51057EFA02D7281DA7CAD458758

Function 0041E78A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

EnumSystemLocalesW.KERNEL32(0041EA68,00000001,45F1B473,?,-00000050,?,0041EE0A,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0041E7D4

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 02464ed723b4c354a84e3378b332530d88ad943763cb876e16d480aee733ffc6
Instruction ID: 6c1b8be79df370ff527d3fdf83c27c448d8a6d1d4b53373dd59006919712f969
Opcode Fuzzy Hash: 02464ed723b4c354a84e3378b332530d88ad943763cb876e16d480aee733ffc6
Instruction Fuzzy Hash: 4AF0FC3A3003045FEB145F36DC816BABB95FF81758F15442EFD0647680D6755C82D714

Function 00414128 Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0040E0B6: EnterCriticalSection.KERNEL32(?,?,00412ECC,00000000,00432B68,0000000C,00412E93,0000000C,?,004140B7,0000000C,?,004152C9,00000001,00000364,?), ref: 0040E0C5

EnumSystemLocalesW.KERNEL32(0041411B,00000001,00432BE8,0000000C,0041454A,00000000), ref: 00414160

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: fc11d79f479730948cfa985309707b8b0dda7b619e314f4f66de2ebc116367d5
Instruction ID: bc8c9cdb39ea7b6907bdcd078d42f788ce3f3be240e1371db2048b296ab99c2e
Opcode Fuzzy Hash: fc11d79f479730948cfa985309707b8b0dda7b619e314f4f66de2ebc116367d5
Instruction Fuzzy Hash: FBF04F72A04204DFD710EF99E842B9C77B0FB84724F10412BF411EB2E1CBB959409B58

Function 0041E6A4 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041512B: GetLastError.KERNEL32(?,00000008,004176AA), ref: 0041512F
Part of subcall function 0041512B: SetLastError.KERNEL32(00000000,00000001,00000006,000000FF), ref: 004151D1

EnumSystemLocalesW.KERNEL32(0041E5FD,00000001,45F1B473,?,?,0041EE68,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E6DB

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a2ffc06d5736e119ec660f653c38e39955ecf1050f89d0cc871d51e530c5514b
Instruction ID: f4de27644733dcfc8870d4860b87f459398b730b02dc09fbb697d88a70ba3928
Opcode Fuzzy Hash: a2ffc06d5736e119ec660f653c38e39955ecf1050f89d0cc871d51e530c5514b
Instruction Fuzzy Hash: 2FF0EC3930024597CB149F36D8457AABF55EFC1714B97405AEE068B290C6759883C754

Function 0041464E Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00412A37,?,20001004,00000000,00000002,?,?,00412039), ref: 00414682

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction ID: c8c0b9562f9231183dee5b7a6e52053c98a93abb6350c4165c74df5b9bb5bc08
Opcode Fuzzy Hash: a79f5b4871ba1c4f54388a69458767bdf475af3fdf68469de367ee09879fad86
Instruction Fuzzy Hash: D9E04831540118B7CF122F61DC04EEE7F15FF95751F064116FC0566161C7399961A69D

Function 00407C53 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007C5F,0040727A), ref: 00407C58

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 79dec9a97241ece6b8b7572846782a00b5d64aae3784071d2de835e605e51f4e
Instruction ID: 3c64f4b928e2e8a9299ff9da9a038668c79c2f648c86c238da55c8401a5bab25
Opcode Fuzzy Hash: 79dec9a97241ece6b8b7572846782a00b5d64aae3784071d2de835e605e51f4e
Instruction Fuzzy Hash:

Function 0041EFC8 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0041EFC8

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction ID: d5d072ba9748c195f736b78e16f2f5f2af1f06de213b616d404cea10f9c51eb0
Opcode Fuzzy Hash: 960917853a08cbcbaec74a3857df259023f2eba71cc87e2cdee0c8228e0b7f47
Instruction Fuzzy Hash: 01A02230300280CF83808F32AE0CB0C3FF8AE082E0B0AC03AA000C80B0EF3080A0AF08

Function 00404B10 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404B3C
std::_Lockit::_Lockit.LIBCPMT ref: 00404B59
std::_Lockit::~_Lockit.LIBCPMT ref: 00404B7D
std::_Lockit::~_Lockit.LIBCPMT ref: 00404BA8
std::_Lockit::_Lockit.LIBCPMT ref: 00404C1A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C6F
__Getctype.LIBCPMT ref: 00404C86
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00404D68
std::_Facet_Register.LIBCPMT ref: 00404D6E

Strings

bad locale name, xrefs: 00404D88

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 103145292-1405518554
Opcode ID: 16ee915ab7cf0eeebb519dba0dd6371d05be51749d4f9f448169caa51adc919d
Instruction ID: 6e9f63e8d2ea1b6a4942e0921d9002d8c0fd89e6bfff9ad2541224c8a884b4bc
Opcode Fuzzy Hash: 16ee915ab7cf0eeebb519dba0dd6371d05be51749d4f9f448169caa51adc919d
Instruction Fuzzy Hash: D56191B19047408BE710DF65D981B5BB7E4AFD4304F05483EF989A7392E738E948CB5A

Function 0040A988 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0040AAA7
___TypeMatch.LIBVCRUNTIME ref: 0040ABB5
_UnwindNestedFrames.LIBCMT ref: 0040AD07
CallUnexpected.LIBVCRUNTIME ref: 0040AD22

Strings

csm, xrefs: 0040A9C5
csm, xrefs: 0040AADE
hqB, xrefs: 0040AA9E
csm, xrefs: 0040AA32

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$hqB
API String ID: 2751267872-961717235
Opcode ID: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction ID: 60820d6e0ecca0eb9fd5676567882ca170ad0f0461b4efe27468591c46910b05
Opcode Fuzzy Hash: 5312b3d91eab99b169114e3402d6476c4e494fcb55b904c8292e4fd39c2bab0a
Instruction Fuzzy Hash: D1B177719003099FDF24DFA5C9809AFB7B5FF14304B15456AE8017B282D339EA61CF9A

Function 00422D30 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042484F), ref: 00422D49

Strings

asin, xrefs: 00422E76
pow, xrefs: 00422DE7, 00422E91, 00422EDE
exp, xrefs: 00422DC8, 00422E2D
log10, xrefs: 00422D8B, 00422D9A
sqrt, xrefs: 00422E88
acos, xrefs: 00422E7F
log, xrefs: 00422DA6, 00422DB5

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 7b307bdfa77ac4e727fad644a701e6850a4604595a9cd81a6cd06f0e8c4ceaf9
Instruction ID: c72ee430fc5992e789082aa674a62eb4bc159944c4a08777ca012a565c4a57b4
Opcode Fuzzy Hash: 7b307bdfa77ac4e727fad644a701e6850a4604595a9cd81a6cd06f0e8c4ceaf9
Instruction Fuzzy Hash: C2515F71B0062AEBCF108F59FA481AE7BB0FB05304FD24157D891A7264CBBD8925DB5E

Function 0040717D Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407183
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00407191
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071A2
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071B3

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00407197
GetCurrentPackageId, xrefs: 0040718B
kernel32.dll, xrefs: 0040717E
GetTempPath2W, xrefs: 004071A8

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction ID: 3afd18a413fbafaec0d1884410ec314f69904bb85606d66d63126fe90f125993
Opcode Fuzzy Hash: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction Fuzzy Hash: 3CE0EC71749671AB83209F70BC0EDAA3AA4EE0971139205B2BD15D2361D6BC44559B9C

Function 00424315 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 004243BB
__alloca_probe_16.LIBCMT ref: 00424476
__alloca_probe_16.LIBCMT ref: 00424505
__freea.LIBCMT ref: 00424550
__freea.LIBCMT ref: 00424556
__freea.LIBCMT ref: 0042458C
__freea.LIBCMT ref: 00424592
__freea.LIBCMT ref: 004245A2

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: faf4b7bb4f82d6e060df7418f04cdf54d9d5ced2acf79a653a27d1271983cb36
Instruction ID: 2268128186bf180321159b17a5804e3cf269d1f4a161c5de96289f76b50a9a64
Opcode Fuzzy Hash: faf4b7bb4f82d6e060df7418f04cdf54d9d5ced2acf79a653a27d1271983cb36
Instruction Fuzzy Hash: 55711872B00225ABDF20AF94AC41BAF77A5DFC9714FA4001BEA54A7381D73CDC818769

Function 004142F1 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,FBF4E51B,?,004143FE,004038D3,?,?,00000000), ref: 004143B2

Strings

api-ms-, xrefs: 00414348
ext-ms-, xrefs: 0041435C

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction ID: 29acd09180d048b520d34109221675969bd24e1d04ac4f63b004638bf800aa58
Opcode Fuzzy Hash: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction Fuzzy Hash: 9A210572B01218EBCB219B61EC45FDB3758AF81765F250222ED26A7380D738ED41C6D8

Function 00422220 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 210f578ede6e8c57bcd3a2866613218aeec721f6e00fb4164bfe4fb791038aae
Instruction ID: 0fa8f66f13a9205f03f3c964acb7b0f3d35d0cf0561fe90a84cb6ac065f7fb8a
Opcode Fuzzy Hash: 210f578ede6e8c57bcd3a2866613218aeec721f6e00fb4164bfe4fb791038aae
Instruction Fuzzy Hash: 2FB1FA70B00265BFDB11DF59D980BAE7BB1BF85304F54815AE400AB392C7F99D42CB69

Function 0040A61A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040A611,00408D4A,00407CA3), ref: 0040A628
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A636
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A64F
SetLastError.KERNEL32(00000000,0040A611,00408D4A,00407CA3), ref: 0040A6A1

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction ID: 17c3b720e5989fb0f4645250ee9d2db9be2b1969e3f2a356d50bd165ba2ebccc
Opcode Fuzzy Hash: ea70f88f1a7dd67ad85e4a1eb3bc890aa5c44d2470a951be6c0d9591e2143091
Instruction Fuzzy Hash: 4C01D2322083111EE62836B5BC456672678DB21378734023FF114B22E1EF7F1C11558D

Function 004114B8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,FBF4E51B,?,?,00000000,0042533E,000000FF,?,00411448,?,?,0041141C,00000016), ref: 004114ED
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004114FF
FreeLibrary.KERNEL32(00000000,?,00000000,0042533E,000000FF,?,00411448,?,?,0041141C,00000016), ref: 00411521

Strings

mscoree.dll, xrefs: 004114E6
CorExitProcess, xrefs: 004114F7

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: da08a1f12de9d9fa0ab2bf8521bb4e597b9d9615b2022019d023aedce6e96a45
Instruction ID: 1c3cb0f38f93fbefe2a6f9ddff53ce04e6b84d498977bd807167e5d34d417036
Opcode Fuzzy Hash: da08a1f12de9d9fa0ab2bf8521bb4e597b9d9615b2022019d023aedce6e96a45
Instruction Fuzzy Hash: 3801A231B40625FFDB218F50DC09BBEBBB9FB44B15F400526E912A22A0DB789D00CA98

Function 00418EA1 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00418F28
__alloca_probe_16.LIBCMT ref: 00418FE9
__freea.LIBCMT ref: 00419050

Part of subcall function 00415416: HeapAlloc.KERNEL32(00000000,?,?,?,0040743B,?,?,004038D3,0000000C), ref: 00415448

__freea.LIBCMT ref: 00419065
__freea.LIBCMT ref: 00419075

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: e87fd6e571ad0e28fa7a801ff3008c7610ce0f637704132bd005f8cf4c9e9da1
Instruction ID: 70ac7dc22d859429bcfaf21a5452dbaba508fd75fda8d3d1cad1bcbaee3c79d9
Opcode Fuzzy Hash: e87fd6e571ad0e28fa7a801ff3008c7610ce0f637704132bd005f8cf4c9e9da1
Instruction Fuzzy Hash: CE51C872600216AFEB249F65CC41EFB3AAAEF48754B15012EFD08D7250EB39DC918769

Function 00405A19 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405A20
std::_Lockit::_Lockit.LIBCPMT ref: 00405A2A

Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9

codecvt.LIBCPMT ref: 00405A64
std::_Facet_Register.LIBCPMT ref: 00405A7B
std::_Lockit::~_Lockit.LIBCPMT ref: 00405A9B

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID:
API String ID: 712880209-0
Opcode ID: 7fb8576a75b95fb445e58ecf22290f584e2f77657a518a4edd59b5f9bfd13557
Instruction ID: aa6d00897e01abd1bad4c0c36b67e0d55590054934450fdc9fe3478e464ff2ad
Opcode Fuzzy Hash: 7fb8576a75b95fb445e58ecf22290f584e2f77657a518a4edd59b5f9bfd13557
Instruction Fuzzy Hash: A001AD71A00A16CBCB05EB658881AAF7761EF84324F24052EF411BB3D2CF3C9E058F89

Function 00401F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407F9B,?,?,?,?,00407F9B,0000000C,00432FA4,0000000C), ref: 004080E0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::eofbit set, xrefs: 00401F46
ios_base::failbit set, xrefs: 00401E62, 00401F41

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 6416560fe7b3465a17b1f8f352e1428cd4f36e73f34119d908d19ba395871ba5
Instruction ID: d02687490f24597757631495c4e1f09aa39ba096523de16938e047820cfe1a48
Opcode Fuzzy Hash: 6416560fe7b3465a17b1f8f352e1428cd4f36e73f34119d908d19ba395871ba5
Instruction Fuzzy Hash: 7B1124B2910715ABC710DF58D801B96B3E8AF08310F14853FF954E7291F778A844CBA9

Function 0040B762 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B713,00000000,00000001,0043568C,?,?,?,0040B8B6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B76F
GetLastError.KERNEL32(?,0040B713,00000000,00000001,0043568C,?,?,?,0040B8B6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B66D), ref: 0040B779
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A583), ref: 0040B7A1

Strings

api-ms-, xrefs: 0040B786

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction ID: 6663bac76f2ed2691183a1b60790d81093b85d379b5950931f3594d96b826320
Opcode Fuzzy Hash: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction Fuzzy Hash: 95E01A34384208BFEF605B61EC06F5A3E64AB80B85FA04031FA0DE91E1E779A96195CC

Function 004164B2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(FBF4E51B,00000000,00000000,0040BDA8), ref: 00416515

Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416770
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167B8
GetLastError.KERNEL32 ref: 0041685B

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 9c03409dc5e3a637d6edbebb8196099dd852bb166edf4384a40f4e99c6182c37
Instruction ID: 23b960d84f86169114bff6dd91ebd8bfb000f40d43b919249b886c4f1d777fdd
Opcode Fuzzy Hash: 9c03409dc5e3a637d6edbebb8196099dd852bb166edf4384a40f4e99c6182c37
Instruction Fuzzy Hash: 57D17975E002589FCB11DFA8D880AEDBBB5FF48304F19452AE866E7341D734E882CB54

Function 0040A731 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040A7F8
___AdjustPointer.LIBCMT ref: 0040A81B
___AdjustPointer.LIBCMT ref: 0040A8B7

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction ID: 563ab20b51bfab9fbe5384d5980a8cd95d5d08f0ac2ebead566dcb8f0746e7f3
Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction Fuzzy Hash: 8E51CF72A003069FEB29AF11C941B7A77B4EF04314F14853FE8056B2D1E739E862C79A

Function 0041B497 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127

GetLastError.KERNEL32 ref: 0041B4FB
__dosmaperr.LIBCMT ref: 0041B502
GetLastError.KERNEL32(?,?,?,?), ref: 0041B53C
__dosmaperr.LIBCMT ref: 0041B543

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction ID: e5a019830a3c5c962b54c78c2afe39edf9115806d1ecbdc6188aeecc851efa14
Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction Fuzzy Hash: 3E21B371600615BFDB20AF6688809ABB7A9FF04368710C52FF91997251D778EC9087E8

Function 00410892 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction ID: 3ec36e4c3c4c4b3940ca693e254ce5ca1d14e98f6d28ba957a4fd44e2fb4f4c4
Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction Fuzzy Hash: E621D7B1210205AFEB20AF62CC609AB7768BF40368710452BF959D7252D7B8ECD087A8

Function 0041C42D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041C435

Part of subcall function 0041B07B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419046,?,00000000,-00000008), ref: 0041B127

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C46D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C48D

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction ID: 0fd12c7dda382d3999d10f706f970f90d8e04c4becb4264e138dc4c2bd032ff0
Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction Fuzzy Hash: 4F11C4B6605515BFA72127B25CDACFF6D5CDE89398710402BF901D2102EA3CDD8295BD

Function 004241D9 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000), ref: 004241F0
GetLastError.KERNEL32(?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8,0040BDA8,?,00416E6D,?), ref: 004241FC

Part of subcall function 004241C2: CloseHandle.KERNEL32(FFFFFFFE,0042420C,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8,0040BDA8), ref: 004241D2

___initconout.LIBCMT ref: 0042420C

Part of subcall function 00424184: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241B3,00421C1F,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8), ref: 00424197

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C32,00000000,00000001,00000000,0040BDA8,?,004168AF,0040BDA8,00000000,00000000,0040BDA8), ref: 00424221

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction ID: daf606a8d683033c96f790e5cebbb7c3d718dd05ed61dfd599687816ed725ea8
Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction Fuzzy Hash: E4F03736700124BBCF226F95FC0899A3F26FF453B1F454565FE1995130CA319870AB98

Function 0041029D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041032D

Strings

pow, xrefs: 00410305, 00410322

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction ID: fc6d2ca4dc19ba0b715d37a90518746425c4eaa4db822c587b4b2213400e0bc5
Opcode Fuzzy Hash: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction Fuzzy Hash: 6F519F71A0A60587CB157714DA413EB3B90AB00711F644D6BE8A1463E9EB7D8CF2DA8F

Function 00401E50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408080: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407F9B,?,?,?,?,00407F9B,0000000C,00432FA4,0000000C), ref: 004080E0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::failbit set, xrefs: 00401E62

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 50fcd3a1a371244ec7a0f3f24a710ecb3351835c0196af839c5ad707446f783d
Instruction ID: 4f5bf0a45fc4208832a8654eef8c337e9c06d50c54c87a988f481c954303cb93
Opcode Fuzzy Hash: 50fcd3a1a371244ec7a0f3f24a710ecb3351835c0196af839c5ad707446f783d
Instruction Fuzzy Hash: 7F4147B1504305AFC304DF29C841A9BF7E8EF89310F14862FF994A76A1E778E945CB99

Function 0040A420 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0040A45F
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A513

Strings

csm, xrefs: 0040A4FD

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction ID: 18bede24dd224cfa91d1e00103c3baabbd685d05025061fa587fd2bb58ff80c9
Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction Fuzzy Hash: 8041D934A002189BCF10DF69C885A9E7BB0FF44318F14817BE8146B3D2D779A921CB9A

Function 0040AD2D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0040AD52

Strings

RCC, xrefs: 0040AD6C
MOC, xrefs: 0040AD64

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction ID: 578a82eb6ed92837561ac62ae5e682fef8a2830442736a5cd94d75dd4d38702e
Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction Fuzzy Hash: 2F417D71900209AFCF16DF94CD81AEEBBB5FF48304F19406AF9047B291D3399960DB95

Function 00407413 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407D98
___raise_securityfailure.LIBCMT ref: 00407E80

Strings

@SC, xrefs: 00407E7B

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: 42319827a0e0b74c587616dcc60c70791287d7417a5014e862dc5be5bea1f8a0
Instruction ID: c5c0fd815b2f08e14ceb602fe243d88e4d65426d2e31bcd62793ea7bd9420f3f
Opcode Fuzzy Hash: 42319827a0e0b74c587616dcc60c70791287d7417a5014e862dc5be5bea1f8a0
Instruction Fuzzy Hash: 972104B4640A009BD328CF15FD857983BF4BB68359FA0643AE9088B3B0D3B46484CF1E

Function 00407E93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407E9E
___raise_securityfailure.LIBCMT ref: 00407F5B

Strings

@SC, xrefs: 00407F56

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction ID: 2125179719012bf3b699bacd38cc00c528494cfbc9043f550ba33f2ea8b81d37
Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction Fuzzy Hash: DC11E3B4651A04DBC318CF15F8817883BB4BB28346B50B03AE8088B371E3B4A5958F5E

Function 00401870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401875
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA

Part of subcall function 0040589A: _Yarn.LIBCPMT ref: 004058B9
Part of subcall function 0040589A: _Yarn.LIBCPMT ref: 004058DD

Strings

bad locale name, xrefs: 004018C8

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction ID: fbb5483a5c0b3d6c860fa312477ba2c73c4b5eacc305877fe335d4945849315c
Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction Fuzzy Hash: D8F01261505B508ED370DF368404743BEE0AF25714F048E2ED4C9D7A91D379E508CBA9

Function 00405AAE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405AB5

Strings

1]@, xrefs: 00405ADB
pdB, xrefs: 00405AF1

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prolog3
String ID: 1]@$pdB
API String ID: 431132790-2574904542
Opcode ID: 73ce1e61eeabf46a09a1e5cf8c5bfbef05ff3b583e132448a225ea9f7212eaca
Instruction ID: 123d69972286fd69fb551aecc998dcfff066a917831aeb16d417dea724d1ca27
Opcode Fuzzy Hash: 73ce1e61eeabf46a09a1e5cf8c5bfbef05ff3b583e132448a225ea9f7212eaca
Instruction Fuzzy Hash: 1B01D6B4A00715CFC761DF28C540A5ABBF0FF08318B51896EE48ADB751D776AA40CF48

Function 004012D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 004012D5

Part of subcall function 004055CE: std::invalid_argument::invalid_argument.LIBCONCRT ref: 004055DA

___std_exception_copy.LIBVCRUNTIME ref: 004012FC

Strings

string too long, xrefs: 004012D0

Memory Dump Source

Source File: 0000000A.00000002.1884009401.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Xinvalid_argument___std_exception_copystd::_std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 1846318660-2556327735
Opcode ID: 26fc9a0f88cba3b3d08977187bf2055019bce32afe2b0aefe6f2504baa2ffc18
Instruction ID: 272e35dc6304a19a67255a0f261e943e5561bca0c73071cc2d95ade12bed5fb2
Opcode Fuzzy Hash: 26fc9a0f88cba3b3d08977187bf2055019bce32afe2b0aefe6f2504baa2ffc18
Instruction Fuzzy Hash: DEE0C2B2A343119BD200AF94AC01986B6D99F55314712CA2FF444F3200F3B8A8808768

Analysis Process: c4W13ZFj1P.exePID: 3992, Parent PID: 1748COMMON

Execution Graph

Execution Coverage:	9.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	164
Total number of Limit Nodes:	11

Executed Functions

Function 0243C8A0 Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0243CB06

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a436d1b0da413e4f6de3eefa6311512e6f70ce67f1992033c8583ca63db82149
Instruction ID: d7c83cedb42c6cfffa582538baed1faa754fa69196374c41282d15844b41182f
Opcode Fuzzy Hash: a436d1b0da413e4f6de3eefa6311512e6f70ce67f1992033c8583ca63db82149
Instruction Fuzzy Hash: 93811371A00B059FDB25DF2AD48079ABBF1BF88304F04892ED48AE7B50DB75E945CB91

Function 0243456C Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02435A49

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3ab8c668087bb93492e71412d25dc22e1c47dd9fd07fd8064ea9759657080d7e
Instruction ID: 69e3636d5c227cc143602860902e41e18d46c12556024ed962df28532dbfec7a
Opcode Fuzzy Hash: 3ab8c668087bb93492e71412d25dc22e1c47dd9fd07fd8064ea9759657080d7e
Instruction Fuzzy Hash: 1D41E3B0C0071DCBDB24DFA9C88479EBBF5BF49304F6480AAD408AB255DB756989CF90

Function 0243598C Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02435A49

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 3bfe25e901d88ef26b9d63a6dfee14d52d5b84e4e33beea42ee9753def50d32c
Instruction ID: 1656291b95e32f348b0636296242dd626ecb4ae651e3c8752dab97f52bef836a
Opcode Fuzzy Hash: 3bfe25e901d88ef26b9d63a6dfee14d52d5b84e4e33beea42ee9753def50d32c
Instruction Fuzzy Hash: CB41E5B0C00719CFDB24DFA9C9847CEBBB5BF48304F24805AD418AB255DB75694ACF90

Function 0243E8C8 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0243ED4E,?,?,?,?,?), ref: 0243EE0F

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 97451760edc16f47be6c94c9bf4117e5df239c4b2bfdb5b2c10d3d973574ce1d
Instruction ID: 9a2d2219069d345453aad8bdc23d9396a5c003911af1a7b802689e1dbea218bf
Opcode Fuzzy Hash: 97451760edc16f47be6c94c9bf4117e5df239c4b2bfdb5b2c10d3d973574ce1d
Instruction Fuzzy Hash: 712114B5900208AFDB10CF9AD984ADEBFF8EF48310F14841AE914A7350D375A940CFA1

Function 0243ED80 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0243ED4E,?,?,?,?,?), ref: 0243EE0F

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 231a95f63e44ec6bd8a656724fe04f7f747e764224a5a494117b7d3aa5c4ec07
Instruction ID: ffd60c38d682a91db257397a9cabb3730366d068cd408065d7dd3c8801aad630
Opcode Fuzzy Hash: 231a95f63e44ec6bd8a656724fe04f7f747e764224a5a494117b7d3aa5c4ec07
Instruction Fuzzy Hash: 6B2116B59002589FDB10CFA9D584ADEFFF4EF48310F14841AE954A7350D375A944CFA1

Function 0243CD20 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0243CB81,00000800,00000000,00000000), ref: 0243CD92

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6cb6d61b7c7d7b0525cd2eb702e94fd59c1d4c9cb58efe929fdb659481a999cf
Instruction ID: 40a25bb34c272044b2792cf0b6730929da09c3941893e8dff2fbaa22f64c0207
Opcode Fuzzy Hash: 6cb6d61b7c7d7b0525cd2eb702e94fd59c1d4c9cb58efe929fdb659481a999cf
Instruction Fuzzy Hash: F81114B6D002099FDB10CF9AD484ADEFBF4EB48314F10842AE559A7310C375A545CFA5

Function 0243C578 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0243CB81,00000800,00000000,00000000), ref: 0243CD92

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1883ad6c33ef9516f1e4bb9bdee7bdfc3066cc8325573a9e913b84d8d092d0ca
Instruction ID: fdfe66b06afb5e3f83d434d1ba091cb422a76c37179eec83d2dc6799156a5fb2
Opcode Fuzzy Hash: 1883ad6c33ef9516f1e4bb9bdee7bdfc3066cc8325573a9e913b84d8d092d0ca
Instruction Fuzzy Hash: 271114B69002089FDB10CF9AD484ADEFFF4EF48314F10842AE919B7210C375A545CFA5

Function 04C3E074 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 04C3E0E2

Memory Dump Source

Source File: 0000000B.00000002.1918887700.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c30000_c4W13ZFj1P.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 7cf0d0fc831734f5e9fd0a8287d59021458eba869e94a73bc9f0d753171ec958
Instruction ID: bcd4c017cbfcf498b6c47b9e5ce7f4557d83326f8666434f7b8a0f9c72405b06
Opcode Fuzzy Hash: 7cf0d0fc831734f5e9fd0a8287d59021458eba869e94a73bc9f0d753171ec958
Instruction Fuzzy Hash: 761123B2C006498FDB14CF9AC544BDEFBF5EB88320F10C42AD868A7640D779A645CFA5

Function 04C3E078 Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowTextW.USER32(?,00000000), ref: 04C3E0E2

Memory Dump Source

Source File: 0000000B.00000002.1918887700.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c30000_c4W13ZFj1P.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: afa1846d74de3a45679bd8c1942df339545bc9271fa7aab1aa9f91b3cc7e5439
Instruction ID: da464142316bfc849a1ec7978dfd631d177ccdf14df21e482c78d29b0817b711
Opcode Fuzzy Hash: afa1846d74de3a45679bd8c1942df339545bc9271fa7aab1aa9f91b3cc7e5439
Instruction Fuzzy Hash: B21123B28006498FDB14CF9AC444BDEFBF5EB88320F10C42AD868A7640D739A645CFA1

Function 0243CAA0 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0243CB06

Memory Dump Source

Source File: 0000000B.00000002.1906556512.0000000002430000.00000040.00000800.00020000.00000000.sdmp, Offset: 02430000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_2430000_c4W13ZFj1P.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4d95ba56d3d72877cdbcb16a29c24c42e3c38088b278dc13b82212d505f7f589
Instruction ID: e2393dc061ba7712d1c8944a9a1fa9fd1a42d4947b174cd9d4493fb19fa99cac
Opcode Fuzzy Hash: 4d95ba56d3d72877cdbcb16a29c24c42e3c38088b278dc13b82212d505f7f589
Instruction Fuzzy Hash: 4311E0B6D002498FCB10DF9AD484ADEFBF8AB89324F10846AD869B7210D375A545CFA5

Function 04C3C2D4 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 04C3FB55

Memory Dump Source

Source File: 0000000B.00000002.1918887700.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c30000_c4W13ZFj1P.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 3e459b3a73e104cb5bc6352435f90a390cdf07f8b91db7aa134bae0d7deae4d8
Instruction ID: 08b30430fe91073f2048da369dabaaa74a2f5e35fc5b23f836bbb8e7e5f066f3
Opcode Fuzzy Hash: 3e459b3a73e104cb5bc6352435f90a390cdf07f8b91db7aa134bae0d7deae4d8
Instruction Fuzzy Hash: 0A11F5B5900349DFDB10DF9AC584BDEBBF8EB48324F108859E558A7200D375A984CFA5

Function 04C3FAF1 Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000018,00000001,?), ref: 04C3FB55

Memory Dump Source

Source File: 0000000B.00000002.1918887700.0000000004C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 04C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_4c30000_c4W13ZFj1P.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: ae0554a47bd175806aca84488bc1d02f30188dd911f12f21b44523f70a0a62d8
Instruction ID: c71de2093eac309a3268eadb1699a1b136b6df9c8c6cea8e436dcda1db133c21
Opcode Fuzzy Hash: ae0554a47bd175806aca84488bc1d02f30188dd911f12f21b44523f70a0a62d8
Instruction Fuzzy Hash: DC1133B5C00348CFCB10CF99C588BDEBBF8EB08324F20885AD958A7200C379A584CFA1

Function 0089D4D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1904376540.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_89d000_c4W13ZFj1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3932be63ffe72db4bdfff2c99d1099def4b1f46417642693d09ae3ccca63d16a
Instruction ID: 04e166675528a7c04ddfac039cafd27909641a971a70743e78728a432ea2ea73
Opcode Fuzzy Hash: 3932be63ffe72db4bdfff2c99d1099def4b1f46417642693d09ae3ccca63d16a
Instruction Fuzzy Hash: AF212571500304DFCF05EF14D9C0B26BFA5FB98318F28C169E9098B256C33AD856CBA6

Function 008AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1904942225.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8ad000_c4W13ZFj1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a592cd65142556baebe764b26e8725c08eb24a2a474ad0a778daec18dd0040c7
Instruction ID: ebcfe80b2c08db9bd2c92af550c11d663c8afd0758a3519a8b014167b1674005
Opcode Fuzzy Hash: a592cd65142556baebe764b26e8725c08eb24a2a474ad0a778daec18dd0040c7
Instruction Fuzzy Hash: 3A212271604704DFEB14DF24D984B26BBA5FB89318F20C569D80ACBA96C33AD847CA61

Function 008AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1904942225.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8ad000_c4W13ZFj1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e332227eaec2d811ccb488f13b2e69a62f6a6439471051954a1c8d0cba63fe1
Instruction ID: a18d75dfcbf5a4c3d75e98090c3bd97045f2324a0f10dafb84ff61b6c48e3c84
Opcode Fuzzy Hash: 1e332227eaec2d811ccb488f13b2e69a62f6a6439471051954a1c8d0cba63fe1
Instruction Fuzzy Hash: 52212971504304DFEB05DF14D5C4B26BBA5FB85318F20C56DD80ACBB55C33AE846CA61

Function 008AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1904942225.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8ad000_c4W13ZFj1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6417d02f3733ae68547a61f06a5a5b5c31e880c4c975095eb67644db45d12e6d
Instruction ID: b4ffa9d261bd079b04e2c980c5a57fbe77c99d46dd407885956c0ad62b812914
Opcode Fuzzy Hash: 6417d02f3733ae68547a61f06a5a5b5c31e880c4c975095eb67644db45d12e6d
Instruction Fuzzy Hash: 682180755087809FDB02CF24D994711BF71FB46314F28C5EAD8498F6A7C33A981ACB62

Function 0089D4D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1904376540.000000000089D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0089D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_89d000_c4W13ZFj1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d6fc33b4815d22083b27a247bd1c0165382bba8ae1e8071ecfedae0ac92ce8f0
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 7A119D76504340CFCF16DF14D5C4B16BF61FB94318F28C6A9D9094B256C33AD85ACBA1

Function 008AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.1904942225.00000000008AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_8ad000_c4W13ZFj1P.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 80fbfa414380e756c115a78a1462f2a47a18ac1b4a5e5f5e8edc62a1c50ddbe2
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 10118E75504340DFDB15CF14D5C4B15BB61FB85314F24C6A9D84A8BA66C33AE84ACB51

Analysis Process: vzVy6ZevhK.exePID: 4948, Parent PID: 1748COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	52
Total number of Limit Nodes:	9

Executed Functions

Function 061C3F50 Relevance: 1.8, Strings: 1, Instructions: 524
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 061C41E4

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 6a2c06e4233a764dfa4b6ed06ff0c35eee97809cb7afd48135ade38b5d42b127
Instruction ID: c121f89d3886e900524ac0cd5d4b230488d419e96cb5e0385a512f9bb9e0a0c2
Opcode Fuzzy Hash: 6a2c06e4233a764dfa4b6ed06ff0c35eee97809cb7afd48135ade38b5d42b127
Instruction Fuzzy Hash: 65127034F002158FCB55DF68C594AAEBBF6BF88710B158569E406EB365DB31EC42CB90

Function 061C67D0 Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7ce4910bf8bca2a4d5f4d1b50049443e893cc3b3a723a517f9e53c345152121
Instruction ID: ba5011810286e67d735576e525ef7e1b1c98398e3f546d1fbee2af19ce8b8a73
Opcode Fuzzy Hash: b7ce4910bf8bca2a4d5f4d1b50049443e893cc3b3a723a517f9e53c345152121
Instruction Fuzzy Hash: C3F1AD30A002099FDB55DFA8D984B9EBBF2FF88310F158569E405EB2A5DB31ED45CB90

Function 061CA3BD Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca6e4e9a392b985c9d90980474b2e0d3c6800b5b96791d021b7f1a9da751b44
Instruction ID: 05d7bf42b5f1f500bd03b21cb459d39f4f8b03b9e982dad26d5397ed1e8360ad
Opcode Fuzzy Hash: 1ca6e4e9a392b985c9d90980474b2e0d3c6800b5b96791d021b7f1a9da751b44
Instruction Fuzzy Hash: 1BD1F534D10318CFCB15EFB4D854A9DBBB6FF8A301F1085A9D50AAB294DB319986CF91

Function 061B0D80 Relevance: 20.6, Strings: 16, Instructions: 618
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 061B0F36
$^q, xrefs: 061B137B
$^q, xrefs: 061B0E02
$^q, xrefs: 061B0FB8
$^q, xrefs: 061B1455
$^q, xrefs: 061B1336
$^q, xrefs: 061B0FAC
$^q, xrefs: 061B13A0
$^q, xrefs: 061B0E52
$^q, xrefs: 061B1430
$^q, xrefs: 061B13AC
$^q, xrefs: 061B1461
$^q, xrefs: 061B0F86
$^q, xrefs: 061B0E84
$^q, xrefs: 061B0E78
$^q, xrefs: 061B13EB

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2449488485
Opcode ID: 0b87fcad72c850ed09fe23caba594205e79b3baa0574681e64e2d81aece1b745
Instruction ID: b213e8ccdd144c9e1f0877130226f3cf486ffd3fba3d63e35813460d78e401a6
Opcode Fuzzy Hash: 0b87fcad72c850ed09fe23caba594205e79b3baa0574681e64e2d81aece1b745
Instruction Fuzzy Hash: A422C230B002459FDB58DB69C854ABEBBF6FF89700B15986AE506CB3A5CB30DC41CB91

Function 061B1584 Relevance: 7.8, Strings: 6, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 061B18E3
$^q, xrefs: 061B1A7C
$^q, xrefs: 061B1A57
$^q, xrefs: 061B182E
$^q, xrefs: 061B1A12
$^q, xrefs: 061B1A88

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 6a3c1df06452ddae0c2fedff8bdbdc2358cc3de4f538b287ef265e8857fd81da
Instruction ID: 3dfbe5452edaf5c1ebd0d60727352d338f9777b80a257f23c23574d21bbfe484
Opcode Fuzzy Hash: 6a3c1df06452ddae0c2fedff8bdbdc2358cc3de4f538b287ef265e8857fd81da
Instruction Fuzzy Hash: 99C14434B00245AFDB549B68C864AAE7BE6FF85704F11985DD5038B3A6CFB0DC46CB91

Function 028AD0A8 Relevance: 6.1, APIs: 4, Instructions: 133
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 028AD136
GetCurrentThread.KERNEL32 ref: 028AD173
GetCurrentProcess.KERNEL32 ref: 028AD1B0
GetCurrentThreadId.KERNEL32 ref: 028AD209

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 971dd52f03bd3e89f8537621814cc41417aba636399895daa152b528c6ab9fac
Instruction ID: fa58b5d69d99e13a789d31b5b3968042ae3260b8cf4b60c7e07d88eed1a56e9f
Opcode Fuzzy Hash: 971dd52f03bd3e89f8537621814cc41417aba636399895daa152b528c6ab9fac
Instruction Fuzzy Hash: F45156B49003498FEB14DFA9D548B9EBBF1EF48304F208059E419AB3A0DB74A985CF65

Function 028AD0B8 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 028AD136
GetCurrentThread.KERNEL32 ref: 028AD173
GetCurrentProcess.KERNEL32 ref: 028AD1B0
GetCurrentThreadId.KERNEL32 ref: 028AD209

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 7312223e9751a7e89dbbd1b44b0801a8ae307ee59d41a4e54049a701b3b5bbe0
Instruction ID: 9d1965482b6d157bd51b5eb24a620e14d5162241c1dc69d7ca26eebdcaa456dd
Opcode Fuzzy Hash: 7312223e9751a7e89dbbd1b44b0801a8ae307ee59d41a4e54049a701b3b5bbe0
Instruction Fuzzy Hash: D45136B49003098FEB14DFAAD548B9EBBF1EF48314F208459E419AB360DB74A985CF65

Function 028AAE30 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028AB086

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 645c9db2ff5126c645f9bdb3118da3be466b0a6cae84de75948e5d093d245625
Instruction ID: 002f6b2b98495058493b62816dc2b23c1d7ef373f8f2d32f79397015e3f565bf
Opcode Fuzzy Hash: 645c9db2ff5126c645f9bdb3118da3be466b0a6cae84de75948e5d093d245625
Instruction Fuzzy Hash: 0C7113B8A00B058FE728DF29D15475ABBF2FF88704F00892DD48AD7A50DB75E945CB91

Function 028A4248 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028A59F1

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 13b6cbccdb76cb399bb70b2f0b0969c8cbb33848f65b4ee59ecbab5c5dbe6bd8
Instruction ID: 8a1ac94930a5f31015cd0e2b2b19db9e205169d39194ecc785a97d2fae0d877f
Opcode Fuzzy Hash: 13b6cbccdb76cb399bb70b2f0b0969c8cbb33848f65b4ee59ecbab5c5dbe6bd8
Instruction Fuzzy Hash: 7141E2B4D00619DBEB24CFA9C844B8DBBB5FF44304F24805AD409AB255DB756989CF90

Function 028A5935 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 028A59F1

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0425adddb871b51ea9352a4015c6e8ce7a6e66cb998a5f2f298a5d11a003e136
Instruction ID: 9389da0f7ec4381d9f5400c1ed2a54a588f156a3cbac4690c72d00e01af73a1c
Opcode Fuzzy Hash: 0425adddb871b51ea9352a4015c6e8ce7a6e66cb998a5f2f298a5d11a003e136
Instruction Fuzzy Hash: F741CFB4D00619CFEB24DFA9C9847CDBBB5FF48304F24805AD409AB255DB79698ACF90

Function 028AD2F9 Relevance: 1.6, APIs: 1, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028AD387

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 1f1e024f809cd5d7849fc47d3ea9a077bc7df3db76d189d9c4b7d365b6445194
Instruction ID: d21c1a73c6cbd9ae4019db10ed73b2a5fe8badec37c835d1c6018592098fc385
Opcode Fuzzy Hash: 1f1e024f809cd5d7849fc47d3ea9a077bc7df3db76d189d9c4b7d365b6445194
Instruction Fuzzy Hash: A821E2B59002189FDB10CFAAD985AEEBFF4FB48324F14801AE958A7310D374A944CFA5

Function 028AD300 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 028AD387

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 74ef367e4e87446692e2e75c7c540d246a78911cb6e44ce23bc836d5b8121658
Instruction ID: 887903f9cf958b89e6dcb3f55d6bfea4c0432dc7f14fa2ceb3a5ff252e98048d
Opcode Fuzzy Hash: 74ef367e4e87446692e2e75c7c540d246a78911cb6e44ce23bc836d5b8121658
Instruction Fuzzy Hash: 4F21E2B59003089FDB10CFAAD984ADEBFF8EB48320F14801AE918A7310D374A944CFA4

Function 061C59D8 Relevance: 1.6, Strings: 1, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 061C5C29

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 95107ef26b745e1012bb64ec03680e109af11ff1e6e2f13bdd3abd0a7e380175
Instruction ID: 676113315d728de8f7759a99f7f73f070641b408df16a92c89d9f8072015145a
Opcode Fuzzy Hash: 95107ef26b745e1012bb64ec03680e109af11ff1e6e2f13bdd3abd0a7e380175
Instruction Fuzzy Hash: 57C15A34600602CFCB24CF19C58096ABBF7FF98320B56C959E45A9B665DB30FC56CB94

Function 028AB2A0 Relevance: 1.6, APIs: 1, Instructions: 56
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028AB101,00000800,00000000,00000000), ref: 028AB312

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: ee2d3ef7431fb6d64b535366aaf27109ade38c3e3d6a7f8d66702331d16b0dbb
Instruction ID: 4d2a05a6dd9e0c1d812a26e897c6ff0afc424c157876acedb5ff4b318dfcf48c
Opcode Fuzzy Hash: ee2d3ef7431fb6d64b535366aaf27109ade38c3e3d6a7f8d66702331d16b0dbb
Instruction Fuzzy Hash: C21126B6D003498FDB10CFAAD844ADEFBF4EB58314F14842ED819A7210C775A545CFA4

Function 028AA870 Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,028AB101,00000800,00000000,00000000), ref: 028AB312

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9ff682f479c87a5aed9aa18712f65f5cc4981754a04d36080a402ea571c461c1
Instruction ID: 7392be4a8ae440420a6a1b8d7fde46f57252308264c5010e1dd0ada419a20f38
Opcode Fuzzy Hash: 9ff682f479c87a5aed9aa18712f65f5cc4981754a04d36080a402ea571c461c1
Instruction Fuzzy Hash: 3E1126BAD003499FDB10CF9AC444ADEFBF4EB98314F14842EE919A7210C775A945CFA4

Function 028AB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 028AB086

Memory Dump Source

Source File: 0000000D.00000002.2029115137.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_28a0000_vzVy6ZevhK.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 381d0676723cb1297f100bab5a85b78d2fa1e0e0edb2cb0ade80d67e1417237f
Instruction ID: 149c0fe3f2e2d5c086df83568a558478681c1afff23e35c48d215b26d1c68c2b
Opcode Fuzzy Hash: 381d0676723cb1297f100bab5a85b78d2fa1e0e0edb2cb0ade80d67e1417237f
Instruction Fuzzy Hash: 8E11E0B9D007498FDB20DF9AC444ADEFBF4AB88324F10846AD869B7210C775A549CFA5

Function 061B1BA0 Relevance: 1.4, Instructions: 1447COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b6608db24fae9dcb54fe057a8a9c54dbe900c37bd171ee712ffea623dc9356
Instruction ID: 821c3169a5eef6d17d6f1498b6f09aa657d0af20f0f3f6d0860599cf4baccc76
Opcode Fuzzy Hash: 59b6608db24fae9dcb54fe057a8a9c54dbe900c37bd171ee712ffea623dc9356
Instruction Fuzzy Hash: F4C23E30A401189FCB54DF64C850EEEBBB6EF89704F109099E606AB3A5DB71EE46CF51

Function 061C3DE0 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

4'^q, xrefs: 061C3F25

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 660a2f1968c2847107987e9c4a2426d10f44bb7b7ff54f0f84723a7859dc4423
Instruction ID: 438c114f1f8862f4674f439a36d3900958211503a854fc34b68f81ba615618ca
Opcode Fuzzy Hash: 660a2f1968c2847107987e9c4a2426d10f44bb7b7ff54f0f84723a7859dc4423
Instruction Fuzzy Hash: 1431F6317406104FC719A778E85166E7BE6EFCA36071584BEE05ACB350DE35EC4787A1

Function 061C84C8 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

4'^q, xrefs: 061C85B1

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: ba7de4f90ec42d9569183c52cc354eebcceeab68acde2a1be1f374d1e83ecd45
Instruction ID: 78f8a3087285d07954a79da76687cc7d7f1aed01e554fad0c1aebefd20c8de42
Opcode Fuzzy Hash: ba7de4f90ec42d9569183c52cc354eebcceeab68acde2a1be1f374d1e83ecd45
Instruction Fuzzy Hash: 3F319C31B002088FDB09EB79A89466E7BE3EBC8621710487DD51BCB385EE35DD4687D2

Function 061CB358 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

4'^q, xrefs: 061CB399

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 901dfb8476deebd3df9664b7f74e0129129b203f24b2d396fe2c5c491e28dc11
Instruction ID: 5aeb2bd614020dddd42fe50eb47edc8dda137887294f8f548c3a07ff078f05d1
Opcode Fuzzy Hash: 901dfb8476deebd3df9664b7f74e0129129b203f24b2d396fe2c5c491e28dc11
Instruction Fuzzy Hash: 2801B130906348AFCF05EFB8E95449DBFB3BF45304B1441A9D4459B351DB301E88CBA1

Function 061CB368 Relevance: 1.3, Strings: 1, Instructions: 32COMMON

Download Yara Rule

Strings

4'^q, xrefs: 061CB399

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 327a420e3b0b8bc0c6121bdbe667722373b276d598bbf7028281362b83ea73a0
Instruction ID: 2fa625164fcfa7df605a5127f06b8d06f13e987a2f932e0e31d16a838965f639
Opcode Fuzzy Hash: 327a420e3b0b8bc0c6121bdbe667722373b276d598bbf7028281362b83ea73a0
Instruction Fuzzy Hash: 67F03770E01209EFCB04EFB8E59859CBBB3FB85300B1055A9C80A9B354EB705E88DB91

Function 061B00D8 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1c02aebd1e4f8bed5fb168638d5f72d251bc62ab750805e1a455aa53412aa2e
Instruction ID: 472270dbb44aee03d0f00a57b5419c9d5b9cdb091c5fef42855ac195286b3c4e
Opcode Fuzzy Hash: a1c02aebd1e4f8bed5fb168638d5f72d251bc62ab750805e1a455aa53412aa2e
Instruction Fuzzy Hash: 51425830B407188FCB65AF789454A6EB7E2FBC9705B104A5CC6079B3A4CF75ED068B86

Function 061B0598 Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9cccfb20667fc48e8d1a09c8ec8024718646703077e9212b75ca3d89295cf8a
Instruction ID: d4b99705e06c48264b342c7d7bdd02f6122e74575f86af24d5bdd59ce6391866
Opcode Fuzzy Hash: d9cccfb20667fc48e8d1a09c8ec8024718646703077e9212b75ca3d89295cf8a
Instruction Fuzzy Hash: 7B029B30B403148FDB549F68D858A6EBBB2FF89705F109958DA029B3A5CF75ED06CB81

Function 061B0610 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ae9cd15dabd786fd3ebfd1149833bbccc88d4c6b8ca3f82ec842ceab17f8c85
Instruction ID: e5474ebdf7c89d6cbbe707485fe4a19bd9c36c93d3edfdd7f797ba4f83ed482c
Opcode Fuzzy Hash: 9ae9cd15dabd786fd3ebfd1149833bbccc88d4c6b8ca3f82ec842ceab17f8c85
Instruction Fuzzy Hash: C602BC30B403148FDB549F68D898A6E77B2FF89705F109958DA029B3A5CF76ED06CB81

Function 061B0688 Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721414f5865017770fdede4bd142a2bf660e84df02b25957e8a5f2a9f89e9e3c
Instruction ID: 295b3768527ca2da126b2d202589a9bdd1d2f81c32249a9f83c9cbc91bb34fc9
Opcode Fuzzy Hash: 721414f5865017770fdede4bd142a2bf660e84df02b25957e8a5f2a9f89e9e3c
Instruction Fuzzy Hash: D2E1CF30B403149FDB449B68C898B6E77B2FF89705F109959DA029B3A1CF75ED46CB81

Function 061B0700 Relevance: .4, Instructions: 353COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 600e5039f9e2e481658116b3e2232dd68943b57d7bbcf8da72e5d934c94ab757
Instruction ID: 1e0dda1bbf5225088aa43aa9f1996610330bef836c15ccf060ed04b7f88ceae1
Opcode Fuzzy Hash: 600e5039f9e2e481658116b3e2232dd68943b57d7bbcf8da72e5d934c94ab757
Instruction Fuzzy Hash: 1DD1DF30B403049FEB449B64C858BAE77B6FF8D705F109459EA028B3A5CBB5ED42CB91

Function 061B00B7 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56ef5d481ed28b373e04123ca7b63d2d9949143aa81cabcf1da1f819e92bbb9
Instruction ID: 3b8ed302230489439b0c6a9e3ed8b8a1679b401af9e21d4a9da7720bf8afb78b
Opcode Fuzzy Hash: a56ef5d481ed28b373e04123ca7b63d2d9949143aa81cabcf1da1f819e92bbb9
Instruction Fuzzy Hash: 5BC1C030B003049FEB449B64C858BAA7BB6FF8D705F149469EA029B3B5CB75DD42CB91

Function 061B3F0D Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d909c3e29be66b2dd37c71289e590f436fb199fda7ff8454a43ba32f8e3782c
Instruction ID: 0a7f9bfaa81a8be7fd46821a4ea36391c4c641d7cc0bbdeb9d091274c6fc869e
Opcode Fuzzy Hash: 6d909c3e29be66b2dd37c71289e590f436fb199fda7ff8454a43ba32f8e3782c
Instruction Fuzzy Hash: 1AC11734B402148FCB44DF68C994EAABBF6EF89704F158099E506DB3A6DB71EC45CB50

Function 061C4AFF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac6330505dd6ee7e55df1bce47d0fa2e3e56f923361e84ff0717f9e9bdb6099c
Instruction ID: 334f22607bf3e198b44c1650d00a10afe5fb7e8cb53bcdebe570247c61cb40b8
Opcode Fuzzy Hash: ac6330505dd6ee7e55df1bce47d0fa2e3e56f923361e84ff0717f9e9bdb6099c
Instruction Fuzzy Hash: 9EC14734B006058FCB54DF69C494AAEBBF2BF98310B1581A9E546DB3A5DB30EC45CBA0

Function 061CA3B7 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98e2651d852a0be6881cfdbdbcaf3ef2be4a177fca79fb193c978c46b0b1d274
Instruction ID: 02f1a93f4e0ade8b4fb96b69b8ab573ff1110c5756815e2991397d7ecbed4653
Opcode Fuzzy Hash: 98e2651d852a0be6881cfdbdbcaf3ef2be4a177fca79fb193c978c46b0b1d274
Instruction Fuzzy Hash: 67C1E534910318CFCB14EFB4D844A9DBBB6FF8A301F1085A9D50AAB294DB319986CF91

Function 061C3F3F Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4899ab164b6acdf06c978b8ee529c001a94f5f8637d96b7d2c91421ebdc412ac
Instruction ID: 61a8d77ee8d5a56403fc8cda9fc47e1c3efd06d5f32a04d81de47f03f45d23f1
Opcode Fuzzy Hash: 4899ab164b6acdf06c978b8ee529c001a94f5f8637d96b7d2c91421ebdc412ac
Instruction Fuzzy Hash: 87618F30F006158FCB54DF69C9A0AAEBBF6BF98710B14816AD905EB364DB31DC41CB91

Function 061C7D58 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc78529db77b63036239f6c7e2a7c9bda650d051d0f541eb8ad837acfe229add
Instruction ID: 2f30f3d9cc1e46a88737ed64806cde195737d76149603122150f65eb8bd027a4
Opcode Fuzzy Hash: dc78529db77b63036239f6c7e2a7c9bda650d051d0f541eb8ad837acfe229add
Instruction Fuzzy Hash: 57511671E00219CFDB55CFAAD880BDEBBF5AF88310F14852EE415AB294DBB49845CF91

Function 061C7D4C Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f6ca01fe28ce78f4cf8b3465b809ea8be46baa3561cdbc2fd2b2db7a2ad9d4c
Instruction ID: 3449b448cdf807d6f92f87e2c5a48eeb22c284918b505d4dc345de28e231ca7c
Opcode Fuzzy Hash: 5f6ca01fe28ce78f4cf8b3465b809ea8be46baa3561cdbc2fd2b2db7a2ad9d4c
Instruction Fuzzy Hash: D35145B1D00219DFDB64CFAAC881BDEBBF5AF48310F14852EE415AB280DBB49845CF91

Function 061C59C8 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269cd06bbbda6ec59fef04142778b49982807995807d3a2140dc53d53db6afb0
Instruction ID: 92cc71ea3eb803ef3bdf0a7d511871439b270889db8803791fc8c997dfe4ea6a
Opcode Fuzzy Hash: 269cd06bbbda6ec59fef04142778b49982807995807d3a2140dc53d53db6afb0
Instruction Fuzzy Hash: A5413835A00606DFCB14CF59C880A6ABBF7FF99320B15C959E559AB361D730F811CB94

Function 061C5579 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b443b68d4884a49dc7b7bce3d044fdedd4522aa2e5e29705040503525beb739
Instruction ID: b6c0dd11ca24dfabecf18f3e2c7c170e5b9dc442d47867554e89db9dbcbe8fcc
Opcode Fuzzy Hash: 6b443b68d4884a49dc7b7bce3d044fdedd4522aa2e5e29705040503525beb739
Instruction Fuzzy Hash: E8318975B102109FCB55DF38D884AAEBBB2FF89310B408569E906CB365DB31ED05CBA0

Function 061C5588 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3069a6e431e69547d6b62ed550f6d3361a2eafd86249acbb0a9c9e73e4573e91
Instruction ID: 0111e1f40d37a44a9fac60bd36fbc3c138fc7fac81a42bf2879323de0a4dee98
Opcode Fuzzy Hash: 3069a6e431e69547d6b62ed550f6d3361a2eafd86249acbb0a9c9e73e4573e91
Instruction Fuzzy Hash: 8B315875B016109FCB55DF38D8849AEBBB2FF89310B50846AE906CB369DB31ED05CB90

Function 061C87A0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108431f5bdb2325206d67f9419f987e2eac0ae6da08f68a2123a0444ad370b3
Instruction ID: 26cf6ae51defd0aadce2a6f1d85da296be11f2b4c142050dd9be3ed496c72a26
Opcode Fuzzy Hash: d108431f5bdb2325206d67f9419f987e2eac0ae6da08f68a2123a0444ad370b3
Instruction Fuzzy Hash: E241DFB1D012489FDB54DFAAD990ADEBFF6AF88310F10802AE415A7254DB35A945CF90

Function 061CC0B5 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fdcb39616bc8e1b7080c91e1e436dbe59c4548b2893a6f6db5cc5a2c78a3d63
Instruction ID: 8520e6ff836bf4da153bcb4374447dbff1fb4cfaa5197b4c00563e08a9281518
Opcode Fuzzy Hash: 1fdcb39616bc8e1b7080c91e1e436dbe59c4548b2893a6f6db5cc5a2c78a3d63
Instruction Fuzzy Hash: CD212F2115B7E02FC703AB3CAE645D77FA69E8321870901D7E1C1CB267CA549A4CC7EA

Function 061C8796 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a4e9450581c0b3c2b7b7d12b386b94f07fc7d27bfc6975a3fd1536c568d6cf
Instruction ID: ae48c8f5b1392a554ca52f98e6b5885da090f27a1ddd231215abde010a19de96
Opcode Fuzzy Hash: 19a4e9450581c0b3c2b7b7d12b386b94f07fc7d27bfc6975a3fd1536c568d6cf
Instruction Fuzzy Hash: CE3111B1D012489FDB54CFAAD990BDEBFF6AF88310F24802EE415AB650DB349945CF90

Function 061B105C Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88502f43bd185ab3bee401f220087f55b293831badbacfe96656475d57f799af
Instruction ID: 86cbbaa60f3af9e6509bb4572d649437bca38d5eb6d4bd6ee4ca8a333dcc2d8a
Opcode Fuzzy Hash: 88502f43bd185ab3bee401f220087f55b293831badbacfe96656475d57f799af
Instruction Fuzzy Hash: 6F212430B01244AFCB45DB799C549AABBFAEFC521071A947AE415CB2A5CB30CC11C7A2

Function 061B360B Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046823756.00000000061B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61b0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36e2c8cd88674dffeccd4092106dbbf5bd818d68e8bf06733583c43ce6108eb7
Instruction ID: 5bad05786c3ab7846bbf983ef263cfd636145f3f1bc0c3e53a3df362cd3cad0b
Opcode Fuzzy Hash: 36e2c8cd88674dffeccd4092106dbbf5bd818d68e8bf06733583c43ce6108eb7
Instruction Fuzzy Hash: 1F215A35B400049FCB54DF69C984EAABBB2EF89714F1180A9EA059B3A6DB31ED45CB10

Function 061C8A98 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2996ec08810abe0f74ec7479103efb3ad51bb841a0b44486ad12f4e42dd87f14
Instruction ID: 0804f77e2beef23c99324fda5d84f2acd7e4e635ba25e62ecc5074cdb9b55695
Opcode Fuzzy Hash: 2996ec08810abe0f74ec7479103efb3ad51bb841a0b44486ad12f4e42dd87f14
Instruction Fuzzy Hash: 933112B1D01218DFDB54CFA9D890BDEBFF9AF48320F24842AE409B7240CB34A845CB90

Function 027AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2028294921.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27ad000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bcb110d6cf19674144ec61911a96af15f3cd25777d4fed62f4a38730f22bbf5
Instruction ID: c2300f3754bf215b17f257a11316677b580158c6caf2bf4f502ff1fede8c451b
Opcode Fuzzy Hash: 7bcb110d6cf19674144ec61911a96af15f3cd25777d4fed62f4a38730f22bbf5
Instruction Fuzzy Hash: DB212271604200DFDB24DF24D9D4B27BFA5EBC8324F20C669E80A4B656C33AD447CA61

Function 061C8A8C Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc32a5db9c98a62640a36e8e71b6f24461b7bd37769e72610f921caef83c500d
Instruction ID: f7f3a3db6e1a165ad985cc50308dca8a4ac28c4cf056ae49bfa4f78319d4b044
Opcode Fuzzy Hash: fc32a5db9c98a62640a36e8e71b6f24461b7bd37769e72610f921caef83c500d
Instruction Fuzzy Hash: 442113B1D003489FDB64CFA9C895BDEBFF9AF48310F14842EE405AB240DB74A945CBA4

Function 027AD007 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2028294921.00000000027AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_27ad000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction ID: 777dcdb5c70dc9c6b7d91fbb6da4c74f55bcaf74d1756205444dd9efdfb4625f
Opcode Fuzzy Hash: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
Instruction Fuzzy Hash: 802184755093C08FDB12CF24D5A4716BF71EB86214F28C6DAD8498F6A7C33AD40ACB62

Function 061CBC5F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 537ed04684a17f76485888e7eb69a6572e894b910e2021f336840b1fc7b1324a
Instruction ID: 96186d005f115ffc3d9a46f1c89a01902467237e062864f70e7334c526ea1af2
Opcode Fuzzy Hash: 537ed04684a17f76485888e7eb69a6572e894b910e2021f336840b1fc7b1324a
Instruction Fuzzy Hash: 64012B306012015FC785A778B9585BF7FA7EEC22443445568E1078F714DEF0BD4A8BE1

Function 061C8C58 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8c0d195ac6b0cebc63ec2f69b2468fdaa7a4d1f98b2d6fc313032e6474ffa8
Instruction ID: 478e8349d6972e4117a698f02cdd26c0f0681661f07ce588321e8db099fc9295
Opcode Fuzzy Hash: cb8c0d195ac6b0cebc63ec2f69b2468fdaa7a4d1f98b2d6fc313032e6474ffa8
Instruction Fuzzy Hash: 1021B075E052189FCB48DFA9E888AEDBBF5FB88310F10912AE805B3360EB741945CB54

Function 061CC499 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4e6c5f6d52f4c4c942ac2a4ae3eed033623f295f65195291d03273f788e4886
Instruction ID: 63feffff778b666fc374494fa4d0b101ee36a5b06bfaa806bc466d16cf12d5cf
Opcode Fuzzy Hash: c4e6c5f6d52f4c4c942ac2a4ae3eed033623f295f65195291d03273f788e4886
Instruction Fuzzy Hash: 9501C4342047048FC325AF74E41866FBBA7EFC6315B148A2AD14A8B755CFB49D0A8BD1

Function 061C8350 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d24f94c23fc79b89e40dc240a3a85e397db076a4e3f951aa90531de4ef04ee
Instruction ID: afff695343d68abb5fa0cf2be116a7063a30b8aeffdd306af0fd0ab5fd37c00d
Opcode Fuzzy Hash: a2d24f94c23fc79b89e40dc240a3a85e397db076a4e3f951aa90531de4ef04ee
Instruction Fuzzy Hash: D9018431B001199FDF10DEA9EC84ABFB7FAEBD4761B14403AE614D3240DB31A91587A1

Function 061CC0AF Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458f9a75b9770ee65cb0c1544da54e651156b3f01af4219d73a31a2a803c078d
Instruction ID: 1269e9a9b66f3af7f0fe49d2975e3ea0e6a8fe241a74a605ab0d0d9b94cff640
Opcode Fuzzy Hash: 458f9a75b9770ee65cb0c1544da54e651156b3f01af4219d73a31a2a803c078d
Instruction Fuzzy Hash: 0001B53111A7E01FC302E73CE9245DB7FE6DF83218B08059AE181CB263CA64594987E5

Function 061CBC70 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6cd7cab84011284177391d3306565845d3c3bb833f8526798b3f56835edd1c
Instruction ID: 8c4592e07b1b1d848f6c37733adc1bd3bd0c1649d110a73b35d0045bb8250ea5
Opcode Fuzzy Hash: 5b6cd7cab84011284177391d3306565845d3c3bb833f8526798b3f56835edd1c
Instruction Fuzzy Hash: 0D01DB316002054FCBC6ABB8E55856EBBA3EFC1354354482CD20B8F724DEF0BC9A8B91

Function 061CE8B0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6022d09080bb887e0b99f027bda610e96fbbf14d9814c117f15b1cca9854d362
Instruction ID: 0fb33cb6f0bbe74565cfe812fb5625a08b51bb03ee0578c7743945e65c388a92
Opcode Fuzzy Hash: 6022d09080bb887e0b99f027bda610e96fbbf14d9814c117f15b1cca9854d362
Instruction Fuzzy Hash: BF01D1346083489FCB02AB78D8148AA3FBFEF8621071485E9E541CB362DB32DD11DB91

Function 061C6E90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603b0fe3908f8e5594fed9b5e7edf27dd340d9c5118b4f3bb37f8296e003cc90
Instruction ID: 6f832c4d34d840c7c9612eb1b6f90624cdb356e45c523ba372419b685e90b7e0
Opcode Fuzzy Hash: 603b0fe3908f8e5594fed9b5e7edf27dd340d9c5118b4f3bb37f8296e003cc90
Instruction Fuzzy Hash: CDF062632041E83ECB514AEA9C55EFB3FEDDB8D162F08405AFA98D1241C42DC951ABB0

Function 061CC4A8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8067c92db57a9bb4541c1d197b03aec2d46e3f672ae931aaba52b5fd5fc5f9b
Instruction ID: 7d521cddac674cc928c83f3b0e73530271e99bbb5e9b0181588cb67ad31c2474
Opcode Fuzzy Hash: d8067c92db57a9bb4541c1d197b03aec2d46e3f672ae931aaba52b5fd5fc5f9b
Instruction Fuzzy Hash: 110152342007048FD325AF69E41866EBBE7EFC5355B108A29D15B8B754DFB4A80A8BD1

Function 061C5508 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e8723dce105ef98d6fbed66962a0d8d3c454c79c8d69e27cc1c964dd1f32a3
Instruction ID: fd109da14ca0e26c479ccc2ea1dcdb2b91d2efaf4b0ce0881f42f0e14273cd7d
Opcode Fuzzy Hash: 30e8723dce105ef98d6fbed66962a0d8d3c454c79c8d69e27cc1c964dd1f32a3
Instruction Fuzzy Hash: 3A01F430B11302CFCBA99A39E50462BB7F7BF94225B04883DE00286659DF71F494CB90

Function 061C8F42 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9499d0e1f7ba39f37df3aa66c60ed692a32449572d7a27d1deabe9e871efef0c
Instruction ID: 5bf09feaea0d76f5193b4546837a2ea9b754f8f11140bedc5c19fcb1d7b69a32
Opcode Fuzzy Hash: 9499d0e1f7ba39f37df3aa66c60ed692a32449572d7a27d1deabe9e871efef0c
Instruction Fuzzy Hash: A801E2B4D0420AAFDB84DFA4E9467EEBBB4EB08310F1085A9A915A3340D7785A51CB90

Function 061CC170 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cf712d0e71ebcc9d0a19098d19027b87b8e42e1aab713f996f3e63f5f26cc18
Instruction ID: 8ef47191abba98f3dc6954fec36257d8df1415c4bb84dbc3a92a1f282ee57c8a
Opcode Fuzzy Hash: 7cf712d0e71ebcc9d0a19098d19027b87b8e42e1aab713f996f3e63f5f26cc18
Instruction Fuzzy Hash: 2001AD31506B009FC721DF21E8084A7BBFBFF49301700861AE88686611CB70AA49CFD4

Function 061C8F50 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f829ebbca982452bc65baacbce265737e1df70a82cce3564eff41352bbf0f128
Instruction ID: 610ca0134cc5e20c841629998278b31372453f5b7abc28d782cd14588a3a4a24
Opcode Fuzzy Hash: f829ebbca982452bc65baacbce265737e1df70a82cce3564eff41352bbf0f128
Instruction Fuzzy Hash: 5501AEB4D0420AEFCB84DFA9E9856AEBFF5BB48311F1085AA9915A3240E7740A50CF90

Function 061CADE9 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b20c3094fa32b84b09954eb4325d08d07dc1e179f29bbd67a520908b35188302
Instruction ID: b7c053b8abf8f3f16002019de9e3665fe7edbd1bf8631957174c6540a103c1fe
Opcode Fuzzy Hash: b20c3094fa32b84b09954eb4325d08d07dc1e179f29bbd67a520908b35188302
Instruction Fuzzy Hash: E7F0E2302052406FC321276AA858A9BBFDFEFCA355F04406DE60EC7242CAA1580887F5

Function 061CACB8 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f457bd9ad4b4d312f681e6d0685cc068898f208aad1ba5fc97e9c61d539857b9
Instruction ID: 8653d763f597a827106e6b394d1cef8ed4dadec79ee71f08169484d26193bc0f
Opcode Fuzzy Hash: f457bd9ad4b4d312f681e6d0685cc068898f208aad1ba5fc97e9c61d539857b9
Instruction Fuzzy Hash: 59F0527230A2A45FC3171B386C280FD3F6EDDC2761B0500DEE186CB2A1CB048906C3E1

Function 061C67C0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce8a4a918a0888552b976d68fd6f9019218acea49d91ffa8ee549c8ce271cb7f
Instruction ID: ba9fa1da3be5d66250473597fd2da82b661dba1e001f42f12fc5e2b388f1dd0f
Opcode Fuzzy Hash: ce8a4a918a0888552b976d68fd6f9019218acea49d91ffa8ee549c8ce271cb7f
Instruction Fuzzy Hash: ACF09031B54700AFDB209A28AC51F967FE5AB86725F05826AF214CF1E2D7A1E805D780

Function 061C6EA0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cc9bce623ce09f7c8c28db8c5cf3f009e2d291da0f503ee65920212340ab44
Instruction ID: 7055ecc9b8ca24e3917fab1be84990d11533e61712a1b4185c31ee9aa68ad872
Opcode Fuzzy Hash: a2cc9bce623ce09f7c8c28db8c5cf3f009e2d291da0f503ee65920212340ab44
Instruction Fuzzy Hash: E2F037762041E83F8F514EDA5C54CFB7FEDDA8E161B08415AFED8D2141C429CD21ABB0

Function 061C8341 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bc46e3d551c345e59c3ab1a6a3570a0ca76a07768650a19064010979f831b3a
Instruction ID: 934466c6e91bf7c77dfb5e16c32ce9831f78e7a17c289dc2b48ac9564e4e3b48
Opcode Fuzzy Hash: 7bc46e3d551c345e59c3ab1a6a3570a0ca76a07768650a19064010979f831b3a
Instruction Fuzzy Hash: A7F0E532F101195B9B50DA69AC84ABFBFFDEB94662B08003BEA14D3200FB34D815C7A1

Function 061C8FC0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5db1bb27e2be2399517066c4195645fa24adab75c27168f6a9963b744066c9d
Instruction ID: 73eafad4b6f652edb493db13ce501fd87866b8031b30fb61bbaac89c70b43d2a
Opcode Fuzzy Hash: d5db1bb27e2be2399517066c4195645fa24adab75c27168f6a9963b744066c9d
Instruction Fuzzy Hash: D4F0A9B4C082499FDB80CBA0D8961ADBFB0EB2A211F0046DAE402E7350E3398A01CB80

Function 061C54F8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0315863d199773016b2bfc091c8d9040216a4128fcaf8a4f7aa4886cea485785
Instruction ID: 34727fc3392b5dad27f6ffc79c03122155ec8b51c0048c9d4a07f9700ccd7690
Opcode Fuzzy Hash: 0315863d199773016b2bfc091c8d9040216a4128fcaf8a4f7aa4886cea485785
Instruction Fuzzy Hash: 1AF0B4315047418FDBA9CE61D90076BBBB3BF80725F48886DE04246A69DB75F489CB40

Function 061CADF8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e9e73e4e99c2c3f91841f8fe3dccbd86b7492f2a70587277bc791b3025c1fbc
Instruction ID: 2a22e963153358771dbb3d3e287fee6f5165bd52bb4b3038768ff1a3972c5049
Opcode Fuzzy Hash: 4e9e73e4e99c2c3f91841f8fe3dccbd86b7492f2a70587277bc791b3025c1fbc
Instruction Fuzzy Hash: 96E09231200200AFC7102B9AB888A9EBADFEBC9351F00402DE60EC3251CAA15C094BE5

Function 061CC180 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3f4a04676a996acd8ad1f83d48b28e11cdcb77559ef98ffa4af7437530c85f
Instruction ID: 46fafa58e1131e0b261f922fd304ba752c28c1b97675d8799c3afd63bb3ff44d
Opcode Fuzzy Hash: 1d3f4a04676a996acd8ad1f83d48b28e11cdcb77559ef98ffa4af7437530c85f
Instruction Fuzzy Hash: 66F06D34500B058FD715DF26E448516BBFBFB88300B00862EE84B87A10DBB0A549CFC4

Function 061CCC38 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b10c570990d46bf86105da674fa7bf6e56ddfefc7f4ad09d4bcad3b0121be8e2
Instruction ID: 696fe3c192c253ebb9f8cb0925cbf50b9cc3c7d0671524ef9e8aee284c3b7811
Opcode Fuzzy Hash: b10c570990d46bf86105da674fa7bf6e56ddfefc7f4ad09d4bcad3b0121be8e2
Instruction Fuzzy Hash: 8CE0D83110A2505FCB02EA25FC009DA3B57DB42714B015596D0058F706D7300D458BD1

Function 061CAC70 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd98ca69a15fe3ec007a995394c7bbb4ced901ddbef852ce284a4e9d374d4063
Instruction ID: 6e3e1009d29859c8a650f816f6dd04290473fb4a09be8887a98ff87e142892a1
Opcode Fuzzy Hash: dd98ca69a15fe3ec007a995394c7bbb4ced901ddbef852ce284a4e9d374d4063
Instruction Fuzzy Hash: 61E0D8313282645FC7175378B81C5AE7FAFDAC1721B0501AEE64AC7291DF145D0587D5

Function 061CB500 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8693202a3759b8d11ccfca5c068a535d3b5e4ea03444a58586eb804bbcee09e
Instruction ID: 14d215946094a64949feafb8976cb9b71e5f0102b2935f456d59fbc1452524d7
Opcode Fuzzy Hash: c8693202a3759b8d11ccfca5c068a535d3b5e4ea03444a58586eb804bbcee09e
Instruction Fuzzy Hash: C3F01575D0120CAFCB01EFB4DA488DEBFBAEB44200F1042A6A905E2244EA305B459B91

Function 061CC120 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4c75e79ffc07516a3ceff4cd8cdbb27f06097abba2b2d18cf5302baa6703ff8
Instruction ID: efab3bd3e089f261bb1690abb4497488c2e6ba3e8f96820f7aeb8f339b630de3
Opcode Fuzzy Hash: e4c75e79ffc07516a3ceff4cd8cdbb27f06097abba2b2d18cf5302baa6703ff8
Instruction Fuzzy Hash: A2E06D302047518FC711AB2DE5087AFBBEBEF86318F04052DE2868B755CBB5AC098B91

Function 061CCE88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9b6b11400a3f537a9dccfafb26e6926b709be5c4f7400ff94d39fb81453866
Instruction ID: 5664645ca1c44edc36a9ed1d117992f3903ee2960fd739aeb7e29b75c1d0e8d6
Opcode Fuzzy Hash: ec9b6b11400a3f537a9dccfafb26e6926b709be5c4f7400ff94d39fb81453866
Instruction Fuzzy Hash: 02E0D87000A380AFDB42A624B50599A3F679B02310706819AE8468F716D7305D4587D5

Function 061C5698 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb6132f6e5e7ea81d8b05ec3e2d74340843ea95a0d6bad59eb5978b51f765ed
Instruction ID: 7a6d2d950158409d555fe6c27f6798930bdc640ff813275644938e3621c275aa
Opcode Fuzzy Hash: beb6132f6e5e7ea81d8b05ec3e2d74340843ea95a0d6bad59eb5978b51f765ed
Instruction Fuzzy Hash: 31E092B210C2109FD3049B60E81599B7BA8EB95221B05896EE480C7141E731E881C7A9

Function 061CE8F8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7119b7e62e91535e9e9a66a223d4a5a0d8449172544cddb554a87127783113f
Instruction ID: 8cb55ed759f0b9d85889f6f4b160ef043d1eefe75e2061ed2610f08ee0bd324f
Opcode Fuzzy Hash: e7119b7e62e91535e9e9a66a223d4a5a0d8449172544cddb554a87127783113f
Instruction Fuzzy Hash: D9E0EC39265244AFC7029A54D840CD63F7AAF4961430880C5F5808F263C721DD219BA1

Function 061CE1FF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2f106e72340fd69081679d3678e5d644fc6fdad1afda6d75a70c4e8d9afcf7
Instruction ID: 71e529bc23d951096f17c0244bf9f2e2235ae2c8ca427c15caebc59a6167f245
Opcode Fuzzy Hash: 4e2f106e72340fd69081679d3678e5d644fc6fdad1afda6d75a70c4e8d9afcf7
Instruction Fuzzy Hash: 3CE04F71A49244EFCB41DFA8E9419AE7BB2DB82304B2045DBD80AEB351E6714F258B91

Function 061CE280 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c5f99a565ef7c0309647cc17c08b0b044d7d3a9b5e7de4fce37c35a9dbd378
Instruction ID: 94d4d96779c420348f5bd8e7d93c99c9d2ad4eaa10457a71705e2d0f5ffe0702
Opcode Fuzzy Hash: 95c5f99a565ef7c0309647cc17c08b0b044d7d3a9b5e7de4fce37c35a9dbd378
Instruction Fuzzy Hash: F8E068304047409FD712FB10FE0A65477A2E744700B02801EC8030F6A8EBB01B488BC1

Function 061CAC80 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb4ac6d8a970a81e2337fefdc174b3676460b4cabb7e6056a925d7baa1125bcb
Instruction ID: af6ee7a8a4ea7f956d7e21506f80e335953875c9ed2462f4393a8f5eb2e9f5ed
Opcode Fuzzy Hash: fb4ac6d8a970a81e2337fefdc174b3676460b4cabb7e6056a925d7baa1125bcb
Instruction Fuzzy Hash: 2FD05E313201289B8B0A2769B41C6AE7BAFEBC5762F01002AE70FC3390CF655D0687D5

Function 061CB510 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671a9c46b602be005fc223870ef804bcaacb723f82ea06af7814a003dea0b328
Instruction ID: 351a366d5585cae898a8f6418b5e2abeb04258127d07a29f2598e8cf90150881
Opcode Fuzzy Hash: 671a9c46b602be005fc223870ef804bcaacb723f82ea06af7814a003dea0b328
Instruction Fuzzy Hash: CBE07E75D0020CEFCB40EFA5E9448DDFBBAEB48200F1082AAD909A3204EA706B559F80

Function 061CE210 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7436688606f21d43d6ec9f0be32d3fd14e1f8305aa15c7ddea89f86a544278
Instruction ID: 45d12ca08b7740fb15f86a279a71e325cf4bd8889145dc13063fd3c3836f4582
Opcode Fuzzy Hash: ce7436688606f21d43d6ec9f0be32d3fd14e1f8305aa15c7ddea89f86a544278
Instruction Fuzzy Hash: 9FD05E71E0120CFFCB40EFA8E90196DB7BAEB84304B1041EAD409EB300EA716F149F90

Function 061CF8EB Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0cb8857710e18dfbf9444bf915c0e402f8c3bd73483a3b056228dbdb4802af
Instruction ID: 67c956ebd08733bfc15ea64debdcca05edb9a6d80d4f146fa1a5b7e9e2f0c556
Opcode Fuzzy Hash: 1f0cb8857710e18dfbf9444bf915c0e402f8c3bd73483a3b056228dbdb4802af
Instruction Fuzzy Hash: B5C01232B001208B0A85AA6C741406DA6D786C82A7399006BE60FC7388CEA28C568794

Function 061C3721 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9918ace2688dea0ba38cb75769b52e079fff52c419105f9a620b14ee069b78ba
Instruction ID: 2d35713a5c561f3f3ba7ca6d1a131b3fd971de2615722c199d681ec9908b5f64
Opcode Fuzzy Hash: 9918ace2688dea0ba38cb75769b52e079fff52c419105f9a620b14ee069b78ba
Instruction Fuzzy Hash: E2B092B22A010137F6145240EC07FD23C59D7D0B60F155116B606A9285CAEE905A88B9

Function 061CDFD1 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd4e305753b430680befc3f532a7715553700c6353daffc42cbf3b80fd6568c5
Instruction ID: a7e08216e07628bfb9e88910243e42d629995d7edb0175f7c9a1b96e18d77903
Opcode Fuzzy Hash: dd4e305753b430680befc3f532a7715553700c6353daffc42cbf3b80fd6568c5
Instruction Fuzzy Hash: 03C09B7165B7D45EDB0257308D0DC813E176F5273471540C6A3418E173DB614105CB91

Non-executed Functions

Function 061CED10 Relevance: 5.2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

Strings

(_^q, xrefs: 061CED7A
(_^q, xrefs: 061CEF79
(_^q, xrefs: 061CEDF9
(_^q, xrefs: 061CEEFA

Memory Dump Source

Source File: 0000000D.00000002.2046884989.00000000061C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_61c0000_vzVy6ZevhK.jbxd

Similarity

API ID:
String ID: (_^q$(_^q$(_^q$(_^q
API String ID: 0-2697572114
Opcode ID: f4b7b0a2eda5ed779557a9b5e2fef968e6d5f5cc3420f9226f5a7cf1c3b02521
Instruction ID: 537c1b0e556f24c9a919dbee450bbfa69e5d5e0896ac4da6fb62eb05ae17206d
Opcode Fuzzy Hash: f4b7b0a2eda5ed779557a9b5e2fef968e6d5f5cc3420f9226f5a7cf1c3b02521
Instruction Fuzzy Hash: FD91BB39A042049FCB45AF78D4246AE7BB7EF85350B2485AED8069F381DB35DD06CBD1

Analysis Process: Nework.exePID: 7464, Parent PID: 7860COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	14.1%
Total number of Nodes:	410
Total number of Limit Nodes:	7

Executed Functions

Function 00C5638B Relevance: 4.5, APIs: 3, Instructions: 20
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,00C5638A,?,?,?,?,?,00C573DE), ref: 00C563AD
TerminateProcess.KERNEL32(00000000,?,00C5638A,?,?,?,?,?,00C573DE), ref: 00C563B4
ExitProcess.KERNEL32 ref: 00C563C6

Memory Dump Source

Source File: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Offset: 00C20000, based on PE: true

Associated: 0000000F.00000002.1915819266.0000000000C20000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915932518.0000000000C70000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915987910.0000000000C82000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916028431.0000000000C84000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916062341.0000000000C85000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916100497.0000000000C89000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c20000_Nework.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 6016e0b7a3a82bcb720e05153c51aa6a7711768556df19ba207a145dcab5a0f2
Instruction ID: 81622ed1ba183f90223fddd6be2650e8b081393653d4c50b8a484b3679bfeb1c
Opcode Fuzzy Hash: 6016e0b7a3a82bcb720e05153c51aa6a7711768556df19ba207a145dcab5a0f2
Instruction Fuzzy Hash: 74E0B635000648EBCB116F64DD09B5D3B69EB54746B904414FC1986132CB75DDD6DB85

Function 00C2C206 Relevance: 3.5, APIs: 2, Instructions: 532
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00C37860: __Cnd_destroy_in_situ.LIBCPMT ref: 00C37958
Part of subcall function 00C37860: __Mtx_destroy_in_situ.LIBCPMT ref: 00C37961

Sleep.KERNEL32(000003E8), ref: 00C2C659

Memory Dump Source

Source File: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Offset: 00C20000, based on PE: true

Associated: 0000000F.00000002.1915819266.0000000000C20000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915932518.0000000000C70000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915987910.0000000000C82000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916028431.0000000000C84000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916062341.0000000000C85000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916100497.0000000000C89000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c20000_Nework.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situMtx_destroy_in_situSleep
String ID:
API String ID: 113500496-0
Opcode ID: 57e39577ea88b47980539c9d5a0bfe0f30110551eecd9c9e3cbf66e293f0b923
Instruction ID: 7e27dec071d49e2ace7a93d2a7cead53b649676b80d81ae0fa7eae562311a92d
Opcode Fuzzy Hash: 57e39577ea88b47980539c9d5a0bfe0f30110551eecd9c9e3cbf66e293f0b923
Instruction Fuzzy Hash: 8912E271A101189BEF04DF68EDC5BEDBBB1EF48304F648218F815A7692D735EA84CB91

Function 00C2C740 Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Offset: 00C20000, based on PE: true

Associated: 0000000F.00000002.1915819266.0000000000C20000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915932518.0000000000C70000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915987910.0000000000C82000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916028431.0000000000C84000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916062341.0000000000C85000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916100497.0000000000C89000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c20000_Nework.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5d63aedcdc95b2752c0618404fa570ea04bc274f2c4ce106fca89584d5f3b2e
Instruction ID: f913d08ccff727e3ef649d82d1531d837851c16c8d311b0b78cfe558dd901e0b
Opcode Fuzzy Hash: e5d63aedcdc95b2752c0618404fa570ea04bc274f2c4ce106fca89584d5f3b2e
Instruction Fuzzy Hash: 5E31BE31A10248AFEB04CF68D985BDEBBB6FF48704F108219F815A72C1D775EA84CB90

Function 00C5AA43 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00C5AA7D

Memory Dump Source

Source File: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Offset: 00C20000, based on PE: true

Associated: 0000000F.00000002.1915819266.0000000000C20000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915932518.0000000000C70000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915987910.0000000000C82000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916028431.0000000000C84000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916062341.0000000000C85000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916100497.0000000000C89000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c20000_Nework.jbxd

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 6cfcf2a898e2844130e2face6a1ec8dc68d0f2e744dc1df91dae374cdf20a9bc
Instruction ID: 87ccc265e675cf698dfd65fa0109dd019e2d7a71a45ad5db423914b641deff35
Opcode Fuzzy Hash: 6cfcf2a898e2844130e2face6a1ec8dc68d0f2e744dc1df91dae374cdf20a9bc
Instruction Fuzzy Hash: EF114575A0020AAFCB05DF59E941A8A7BF4EF48304F044069F809AB251E630EE15DB69

Function 00C28622 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00C28629

Memory Dump Source

Source File: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Offset: 00C20000, based on PE: true

Associated: 0000000F.00000002.1915819266.0000000000C20000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915932518.0000000000C70000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915987910.0000000000C82000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916028431.0000000000C84000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916062341.0000000000C85000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916100497.0000000000C89000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c20000_Nework.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 6af04f5796b199e38663768e7ddf5e6d6f1bb327997cd4cc7637db0869380df7
Instruction ID: 92d366dd2c0fae4522fb52ec4856bab6c89a269765517d5ba7b0122263822f5e
Opcode Fuzzy Hash: 6af04f5796b199e38663768e7ddf5e6d6f1bb327997cd4cc7637db0869380df7
Instruction Fuzzy Hash: F0C08C300036104AEE1C1A387A88298330299437FA7E42BC8F1758A8F1CB39584FD700

Function 00C28620 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?), ref: 00C28629

Memory Dump Source

Source File: 0000000F.00000002.1915860342.0000000000C21000.00000020.00000001.01000000.00000013.sdmp, Offset: 00C20000, based on PE: true

Associated: 0000000F.00000002.1915819266.0000000000C20000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915932518.0000000000C70000.00000002.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1915987910.0000000000C82000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916028431.0000000000C84000.00000008.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916062341.0000000000C85000.00000004.00000001.01000000.00000013.sdmpDownload File
Associated: 0000000F.00000002.1916100497.0000000000C89000.00000002.00000001.01000000.00000013.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_c20000_Nework.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 80953fcea2f5e65f47b2bfcce665b24a560528847c4dacf1e94a3a9a248f8e97
Instruction ID: 402c401f84a3db47dbb4bbe12003382c946fb5642a06a265d901b19e6f033c0f
Opcode Fuzzy Hash: 80953fcea2f5e65f47b2bfcce665b24a560528847c4dacf1e94a3a9a248f8e97
Instruction Fuzzy Hash: 46C08C300032108BEB1C5B38BA482683712AA0276A3F01B8CF1328A8F1CB36C94BCB10

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report g082Q9DajU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: Vidar

Threatname: Amadey

Threatname: Cryptbot

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AAEHDAAKEHJECBFHCBKFHCAEGC

C:\ProgramData\AFCBFIJEHDHCBGDGDGCB

C:\ProgramData\AKEGDHJD

C:\ProgramData\BAEGCGCGIEGDHIDHJJEH

C:\ProgramData\BKFHCGIDBAAFHIDHDAAE

Windows Analysis Report
g082Q9DajU.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre