Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1546667
MD5: aa78aafb0a66c7ddf96d87d24b5c3afc
SHA1: 29c96a9c0c5cb916ca8c09db1c4b2f7c3d4d7ffa
SHA256: cd5327ade58bdcbd9e18407525a8c54ae311c97c512f0931173432f83d4d4d4a
Tags: exeuser-Bitsight
Infos:

Detection

LummaC, Amadey, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Yara detected Amadeys stealer DLL
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to start a terminal service
Creates multiple autostart registry keys
Drops PE files with a suspicious file extension
Found evasive API chain (may stop execution after checking locale)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes many files with high entropy
Writes to foreign memory regions
Wscript called in batch mode (surpress errors)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe Avira: detection malicious, Label: TR/AD.Stealc.cucnc
Found malware configuration
Source: 00000001.00000002.1758351370.0000000000841000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}
Source: 6.2.stealc_default2.exe.f10000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 6.2.stealc_default2.exe.f10000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.17/2fb6c2cc8dce150a.php", "Botnet": "default_valenciga"}
Source: 36.0.RDX123456.exe.940000.0.unpack Malware Configuration Extractor: LummaC {"C2 url": ["computeryrati.site", "goalyfeastz.site", "servicedny.site", "authorisev.site", "seallysl.site", "opposezmny.site", "faulteyotk.site", "contemteny.site", "dilemmadu.site"], "Build id": "4SD0y4--RLREBORN"}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\LgAmARwZ\Application.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Offnewhere[1].exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe ReversingLabs: Detection: 36%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 47%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe Joe Sandbox ML: detected
Source: C:\ProgramData\LgAmARwZ\Application.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: INSERT_KEY_HERE
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 01
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 03
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 20
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 25
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetProcAddress
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: LoadLibraryA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: lstrcatA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: OpenEventA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateEventA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CloseHandle
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Sleep
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetUserDefaultLangID
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: VirtualAllocExNuma
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: VirtualFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetSystemInfo
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: VirtualAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HeapAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetComputerNameA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: lstrcpyA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetProcessHeap
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetCurrentProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: lstrlenA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ExitProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GlobalMemoryStatusEx
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetSystemTime
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SystemTimeToFileTime
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: advapi32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: gdi32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: user32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: crypt32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ntdll.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetUserNameA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateDCA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetDeviceCaps
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ReleaseDC
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CryptStringToBinaryA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sscanf
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: VMwareVMware
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HAL9TH
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: JohnDoe
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DISPLAY
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %hu/%hu/%hu
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: http://185.215.113.17
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 00x00
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: !|
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: /2fb6c2cc8dce150a.php
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: /f1ddeb6592c03206/
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: default_valenciga
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetEnvironmentVariableA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetFileAttributesA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GlobalLock
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HeapFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetFileSize
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GlobalSize
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateToolhelp32Snapshot
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: IsWow64Process
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Process32Next
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetLocalTime
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: FreeLibrary
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetTimeZoneInformation
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetSystemPowerStatus
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetVolumeInformationA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetWindowsDirectoryA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Process32First
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetLocaleInfoA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetUserDefaultLocaleName
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetModuleFileNameA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DeleteFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: FindNextFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: LocalFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: FindClose
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SetEnvironmentVariableA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: LocalAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetFileSizeEx
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ReadFile
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SetFilePointer
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: WriteFile
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: FindFirstFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CopyFileA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: VirtualProtect
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetLogicalProcessorInformationEx
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetLastError
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: lstrcpynA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: MultiByteToWideChar
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GlobalFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: WideCharToMultiByte
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GlobalAlloc
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: OpenProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: TerminateProcess
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetCurrentProcessId
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: gdiplus.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ole32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: bcrypt.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: wininet.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: shlwapi.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: shell32.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: psapi.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: rstrtmgr.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateCompatibleBitmap
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SelectObject
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BitBlt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DeleteObject
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateCompatibleDC
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdipGetImageEncodersSize
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdipGetImageEncoders
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdipCreateBitmapFromHBITMAP
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdiplusStartup
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdiplusShutdown
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdipSaveImageToStream
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdipDisposeImage
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GdipFree
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetHGlobalFromStream
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CreateStreamOnHGlobal
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CoUninitialize
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CoInitialize
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CoCreateInstance
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BCryptGenerateSymmetricKey
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BCryptCloseAlgorithmProvider
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BCryptDecrypt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BCryptSetProperty
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BCryptDestroyKey
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: BCryptOpenAlgorithmProvider
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetWindowRect
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetDesktopWindow
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetDC
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CloseWindow
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: wsprintfA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: EnumDisplayDevicesA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetKeyboardLayoutList
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CharToOemW
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: wsprintfW
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RegQueryValueExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RegEnumKeyExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RegOpenKeyExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RegCloseKey
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RegEnumValueA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CryptBinaryToStringA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CryptUnprotectData
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SHGetFolderPathA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ShellExecuteExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: InternetOpenUrlA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: InternetConnectA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: InternetCloseHandle
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: InternetOpenA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HttpSendRequestA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HttpOpenRequestA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: InternetReadFile
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: InternetCrackUrlA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: StrCmpCA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: StrStrA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: StrCmpCW
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: PathMatchSpecA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: GetModuleFileNameExA
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RmStartSession
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RmRegisterResources
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RmGetList
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: RmEndSession
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_open
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_prepare_v2
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_step
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_column_text
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_finalize
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_close
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_column_bytes
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3_column_blob
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: encrypted_key
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: PATH
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: C:\ProgramData\nss3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: NSS_Init
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: NSS_Shutdown
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: PK11_GetInternalKeySlot
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: PK11_FreeSlot
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: PK11_Authenticate
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: PK11SDR_Decrypt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: C:\ProgramData\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT origin_url, username_value, password_value FROM logins
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: browser:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: profile:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: url:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: login:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: password:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Opera
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: OperaGX
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Network
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: .txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT HOST_KEY, is_httponly, path, is_secure, (expires_utc/1000000)-11644480800, name, encrypted_value from cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: TRUE
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: FALSE
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: autofill
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT name, value FROM autofill
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: history
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT url FROM urls LIMIT 1000
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: cc
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cards
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: name:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: month:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: year:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: card:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Login Data
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Web Data
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: History
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: logins.json
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: formSubmitURL
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: usernameField
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: encryptedUsername
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: encryptedPassword
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: guid
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT host, isHttpOnly, path, isSecure, expiry, name, value FROM moz_cookies
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: cookies.sqlite
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: formhistory.sqlite
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: places.sqlite
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: plugins
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Local Extension Settings
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Sync Extension Settings
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: IndexedDB
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Opera Stable
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Opera GX Stable
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: CURRENT
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: chrome-extension_
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: _0.indexeddb.leveldb
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Local State
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: profiles.ini
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: chrome
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: opera
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: firefox
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: wallets
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %08lX%04lX%lu
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ProductName
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: x32
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: x64
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %d/%d/%d %d:%d:%d
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ProcessorNameString
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DisplayName
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DisplayVersion
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Network Info:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - IP: IP?
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Country: ISO?
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: System Summary:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - HWID:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - OS:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Architecture:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - UserName:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Computer Name:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Local Time:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - UTC:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Language:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Keyboards:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Laptop:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Running Path:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - CPU:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Threads:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Cores:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - RAM:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - Display Resolution:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: - GPU:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: User Agents:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Installed Apps:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: All Users:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Current User:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Process List:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: system_info.txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: freebl3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: mozglue.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: msvcp140.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: nss3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: softokn3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: vcruntime140.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Temp\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: .exe
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: runas
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: open
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: /c start
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %DESKTOP%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %APPDATA%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %LOCALAPPDATA%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %USERPROFILE%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %DOCUMENTS%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %PROGRAMFILES%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %PROGRAMFILES_86%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: %RECENT%
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: *.lnk
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: files
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \discord\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Local Storage\leveldb\CURRENT
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Local Storage\leveldb
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Telegram Desktop\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: key_datas
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: D877F783D5D3EF8C*
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: map*
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: A7FDF864FBC10B77*
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: A92DAA6EA6F891F2*
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: F8806DD0C461824F*
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Telegram
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Tox
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: *.tox
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: *.ini
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Password
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: oftware\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 00000001
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 00000002
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 00000003
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: 00000004
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Outlook\accounts.txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Pidgin
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \.purple\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: accounts.xml
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: dQw4w9WgXcQ
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: token:
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Software\Valve\Steam
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: SteamPath
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \config\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ssfn*
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: config.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DialogConfig.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: DialogConfigOverlay*.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: libraryfolders.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: loginusers.vdf
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Steam\
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: sqlite3.dll
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: browsers
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: done
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: soft
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: \Discord\tokens.txt
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: /c timeout /t 5 & del /f /q "
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: " & del "C:\ProgramData\*.dll"" & exit
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: C:\Windows\system32\cmd.exe
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: https
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: POST
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: HTTP/1.1
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: Content-Disposition: form-data; name="
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: hwid
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: build
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: token
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: file_name
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: file
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: message
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 6.2.stealc_default2.exe.f10000.0.unpack String decryptor: screenshot.jpg
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: servicedny.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: authorisev.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: faulteyotk.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: dilemmadu.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: contemteny.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: goalyfeastz.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: opposezmny.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: seallysl.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: computeryrati.site
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: lid=%s&j=%s&ver=4.0
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: TeslaBrowser/5.5
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: - Screen Resoluton:
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: - Physical Installed Memory:
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: Workgroup: -
Source: 36.0.RDX123456.exe.940000.0.unpack String decryptor: 4SD0y4--RLREBORN
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F19B60 CryptUnprotectData,LocalAlloc,memcpy,LocalFree, 6_2_00F19B60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1C820 memset,lstrlenA,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,memcpy,lstrcatA,lstrcatA,PK11_FreeSlot,lstrcatA, 6_2_00F1C820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F19AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 6_2_00F19AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F28EA0 CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 6_2_00F28EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F17240 GetProcessHeap,HeapAlloc,CryptUnprotectData,WideCharToMultiByte,LocalFree, 6_2_00F17240
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF66C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 6_2_6BF66C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0BA9A0 PK11SDR_Decrypt,PORT_NewArena_Util,SEC_QuickDERDecodeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_GetInternalKeySlot,PK11_Authenticate,PORT_FreeArena_Util,PK11_ListFixedKeysInSlot,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PK11_FreeSymKey,PORT_FreeArena_Util,PK11_FreeSymKey,SECITEM_ZfreeItem_Util, 6_2_6C0BA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C084420 SECKEY_DestroyEncryptedPrivateKeyInfo,memset,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,SECITEM_ZfreeItem_Util,free, 6_2_6C084420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0B4440 PK11_PrivDecrypt, 6_2_6C0B4440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0B44C0 PK11_PubEncrypt, 6_2_6C0B44C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C1025B0 PK11_Encrypt,memcpy,PR_SetError,PK11_Encrypt, 6_2_6C1025B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0BA650 PK11SDR_Encrypt,PORT_NewArena_Util,PK11_GetInternalKeySlot,PK11_Authenticate,SECITEM_ZfreeItem_Util,TlsGetValue,EnterCriticalSection,PR_Unlock,PK11_CreateContextBySymKey,PK11_GetBlockSize,PORT_Alloc_Util,memcpy,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,SECITEM_ZfreeItem_Util,PK11_FreeSymKey,PORT_ArenaAlloc_Util,PK11_CipherOp,SEC_ASN1EncodeItem_Util,SECITEM_ZfreeItem_Util,PORT_FreeArena_Util,PK11_DestroyContext, 6_2_6C0BA650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C098670 PK11_ExportEncryptedPrivKeyInfo, 6_2_6C098670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C09E6E0 PK11_AEADOp,TlsGetValue,EnterCriticalSection,PORT_Alloc_Util,PK11_Encrypt,PORT_Alloc_Util,memcpy,memcpy,PR_SetError,PR_SetError,PR_Unlock,PR_SetError,PR_Unlock,PK11_Decrypt,PR_GetCurrentThread,PK11_Decrypt,PK11_Encrypt,memcpy,memcpy,PR_SetError,free, 6_2_6C09E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0DA730 SEC_PKCS12AddCertAndKey,PORT_ArenaMark_Util,PORT_ArenaMark_Util,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,PR_SetError,PR_SetError,PK11_GetInternalKeySlot,PK11_FindKeyByAnyCert,SECKEY_DestroyPrivateKey,PORT_ArenaAlloc_Util,SECKEY_DestroyEncryptedPrivateKeyInfo,strlen,PR_SetError,PORT_FreeArena_Util,PORT_FreeArena_Util,PORT_ArenaAlloc_Util,PR_SetError, 6_2_6C0DA730
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_2361c7a5-e
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: mozglue.pdbP source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr
Source: Binary string: nss3.pdb@ source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: my_library.pdbU source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source: Binary string: my_library.pdb source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source: Binary string: nss3.pdb source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: mozglue.pdb source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: number of queries: 1001
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 6_2_00F1E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F24910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F24910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F116D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F1F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F23EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 6_2_00F23EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 6_2_00F1DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 6_2_00F1BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F238B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 6_2_00F238B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F24570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 6_2_00F24570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 6_2_00F1ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F1DE10
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_004062D5 FindFirstFileW,FindClose, 9_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00402E18 FindFirstFileW, 9_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 9_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor URLs: computeryrati.site
Source: Malware configuration extractor URLs: goalyfeastz.site
Source: Malware configuration extractor URLs: servicedny.site
Source: Malware configuration extractor URLs: authorisev.site
Source: Malware configuration extractor URLs: seallysl.site
Source: Malware configuration extractor URLs: opposezmny.site
Source: Malware configuration extractor URLs: faulteyotk.site
Source: Malware configuration extractor URLs: contemteny.site
Source: Malware configuration extractor URLs: dilemmadu.site
Source: Malware configuration extractor URLs: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: Malware configuration extractor IPs: 185.215.113.16
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 1.1.1.1 1.1.1.1
Source: Joe Sandbox View IP Address: 20.42.65.92 20.42.65.92
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F160A0 InternetOpenA,StrCmpCA,InternetOpenUrlA,CreateFileA,InternetReadFile,WriteFile,CloseHandle,InternetCloseHandle,InternetCloseHandle, 6_2_00F160A0
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://.css
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://.jpg
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000005.00000003.3274795036.00000000014EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2905390578.00000000014F5000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3274795036.00000000014F4000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3274226781.0000000005FD7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php#
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php1507001
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php:y
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpAppData
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpded
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded5
Source: axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.3273887118.0000000005FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpppData
Source: new_v8.exe String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586761744.0000000001241000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exep
Source: new_v8.exe, new_v8.exe, 0000001B.00000003.3586809787.000000000123A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3489672229.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: stealc_default2.exe, 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php)
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php3
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php7
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.php=
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpA
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpC:q
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpCoinomi
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpEx9
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpJS
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpS=o
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpU
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpZ
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpdo%
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpm
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpmainnet
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpnomi
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpq
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phpsimple-storage.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.17/2fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/freebl3.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dll$
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dllb
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/mozglue.dlln
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllp
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/msvcp140.dllt
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dll6=
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/nss3.dllL=
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll6
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dll8
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllJ
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllN
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/softokn3.dllP
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/sqlite3.dll
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dllO
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/f1ddeb6592c03206/vcruntime140.dlla
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17/yR
Source: stealc_default2.exe, 00000006.00000002.2613116477.00000000010DB000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: http://185.215.113.172fb6c2cc8dce150a.phption:
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17S
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.17iR
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php#k
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpI
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpe
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpq
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/I
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/bG
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/j
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000009.00000002.2607696656.000000000041F000.00000004.00000001.01000000.0000000B.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: splwow64[1].exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: splwow64[1].exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: splwow64[1].exe.5.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://home.sevjoi17sr.top/TCQEoezkVqyvrJjqBhZs12
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://html4/loose.dtd
Source: splwow64.exe, 00000009.00000002.2607663846.0000000000408000.00000002.00000001.01000000.0000000B.sdmp, splwow64.exe, 00000009.00000000.2544251638.0000000000408000.00000002.00000001.01000000.0000000B.sdmp, 0b44ippu.exe, 0000002E.00000002.3064076642.0000000000408000.00000002.00000001.01000000.0000001C.sdmp, 0b44ippu.exe, 0000002E.00000000.2955036581.0000000000408000.00000002.00000001.01000000.0000001C.sdmp, splwow64[1].exe.5.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp, splwow64[1].exe.5.dr String found in binary or memory: http://ocsp.digicert.com0
Source: splwow64[1].exe.5.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp, splwow64[1].exe.5.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: splwow64[1].exe.5.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, splwow64.exe, 00000009.00000002.2607696656.000000000041F000.00000004.00000001.01000000.0000000B.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000000.2596749853.0000000000E79000.00000002.00000001.01000000.0000000E.sdmp, EcoCraft.scr, 0000001C.00000000.2676298828.00000000007E9000.00000002.00000001.01000000.00000011.sdmp, EcoCraft.scr, 00000020.00000002.2778743195.00000000007E9000.00000002.00000001.01000000.00000011.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp, splwow64[1].exe.5.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: shop.exe, 00000032.00000003.3571108803.0000000001640000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3237340411.0000000001631000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.cH
Source: stealc_default2.exe, stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: stealc_default2.exe, 00000006.00000002.2674136604.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: dac4554719.exe, 0000001D.00000002.3179400913.000000001C672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: new_v8.exe, 0000001B.00000003.2781801201.00000000039B5000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3018781566.00000000059FD000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3063024023.00000000039C0000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3181587075.0000000003B42000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/test
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://ace-snapper-privately.ngrok-free.app/test/testFailed
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000123B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3102164882.0000000003981000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ep
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.epnacl
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&l=english&am
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&l=engli
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&l=en
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=uDUW
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&l=englis
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&l=
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=engli
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&l=engli
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=2UcHUv7TDL_s&amp
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&l=engl
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&l=
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000123B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3102164882.0000000003981000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: Offnewhere.exe, 00000007.00000000.2483037403.000000000087B000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: shop.exe, 00000032.00000003.3571302943.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575188417.000000000164B000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573133874.000000000164A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318669001.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3385557240.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3132876164.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3361156674.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3172906832.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3577128165.0000000003B23000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318239726.0000000003B20000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3175294707.0000000003B22000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3146895960.0000000003B20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/
Source: shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/8
Source: shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/=
Source: GOLD1234.exe, 00000025.00000003.3420299008.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/?
Source: shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/?m
Source: shop.exe, 00000032.00000003.3571108803.0000000001646000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575188417.000000000164B000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573133874.000000000164A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/B
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/KCz
Source: shop.exe, 00000032.00000002.3574945711.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3398055770.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3571302943.00000000015BC000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3571302943.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/api
Source: shop.exe, 00000032.00000003.3571302943.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3574945711.00000000015F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/api0-Q
Source: GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/api:
Source: GOLD1234.exe, 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3226982086.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3157231448.0000000000F87000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3318306833.0000000001669000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575346038.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3570754221.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apiDk
Source: shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apiU-
Source: GOLD1234.exe, 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apihq
Source: GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apila=q
Source: GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apilaZq
Source: GOLD1234.exe, 00000025.00000003.3420299008.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apin
Source: shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3575305695.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3572763992.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3398055770.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/apiop4
Source: shop.exe, 00000032.00000002.3575346038.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3570754221.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3573096106.0000000001673000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/h
Source: GOLD1234.exe, 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/mm
Source: GOLD1234.exe, 00000025.00000003.2971601719.0000000003990000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/o
Source: shop.exe, 00000032.00000003.3160434239.0000000003B28000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161659780.0000000003B28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/rpwls
Source: shop.exe, 00000032.00000003.3396975066.0000000001670000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3546805059.0000000001673000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3398055770.0000000001670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/u
Source: GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3476176212.0000000000F8B000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site/x
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3396975066.000000000168C000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3397635245.000000000168C000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site:443/api
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site:443/api2o4p.default-release/key4.dbPK
Source: GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://goalyfeastz.site:443/apitxtPK
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: c1a4d3220c.exe, 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2894968481.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895449754.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426244522.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2999744421.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/
Source: c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/88
Source: c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3239817137.0000000001317000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2907838165.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3125524590.0000000001316000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124989679.0000000001312000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3261286984.0000000001309000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426244522.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2894968481.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2924863746.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124530510.0000000001309000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3124800918.000000000130E000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3147328851.0000000001317000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api
Source: c1a4d3220c.exe, 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api&O
Source: c1a4d3220c.exe, 00000021.00000003.3261447035.0000000001304000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3240812796.0000000001304000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/api1
Source: c1a4d3220c.exe, 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiA
Source: c1a4d3220c.exe, 00000021.00000003.3148528207.00000000012E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/apiL
Source: c1a4d3220c.exe, 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/d
Source: c1a4d3220c.exe, 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/i
Source: c1a4d3220c.exe, 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store/n
Source: c1a4d3220c.exe, 00000021.00000003.2907838165.00000000012F2000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2894968481.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2924863746.00000000012F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/api
Source: c1a4d3220c.exe, 00000021.00000003.2986190918.00000000058FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://necklacedmny.store:443/apij
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sosipisos.cc/
Source: axplong.exe, 00000005.00000003.3273657100.0000000005FA7000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sosipisos.cc/G
Source: axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sosipisos.cc/shop.exe
Source: axplong.exe, 00000005.00000003.2912523697.0000000005F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sosipisos.cc/shop.exe6
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/-
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: new_v8.exe, 0000001B.00000003.2729333036.00000000039D3000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895711976.000000000594E000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2935060816.00000000039E1000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3094923714.0000000003B72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: stealc_default2.exe, 00000006.00000003.2581126375.0000000027DD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000003.2475599150.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2731706429.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2730636393.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2729333036.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895711976.000000000594C000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2935060816.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3094923714.0000000003B70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK201621kbG1nY
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Ed1aWxkV
Source: new_v8.exe, 0000001B.00000003.2729694255.00000000039A5000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp, stealc_default2.exe, 00000006.00000003.2475599150.0000000021A81000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2731706429.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2730636393.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2729333036.00000000039D1000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895711976.000000000594C000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2935060816.00000000039DF000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B69000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3094923714.0000000003B70000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: new_v8.exe, 0000001B.00000003.2729694255.00000000039A5000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3098799656.0000000003B44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17WdsYWhtbmRlZHwxfDB8MHxab2hvIF
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17date
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17mluIFdhbGxldHxmbmpobWtoaG1rYm
Source: new_v8.exe, 0000001B.00000003.2753208386.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3586761744.0000000001241000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804141187.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2781723606.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2752826624.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804564424.0000000003978000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/
Source: new_v8.exe, 0000001B.00000003.2732256893.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2732759831.000000000123B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/((
Source: new_v8.exe, 0000001B.00000003.3586627682.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3361161851.0000000001238000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/E
Source: new_v8.exe, 0000001B.00000003.2731444217.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/EZP
Source: new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/H
Source: new_v8.exe, 0000001B.00000003.3361161851.0000000001238000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3013166216.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/M
Source: new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912107738.0000000001267000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3585890980.0000000003986000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.3049757259.0000000001267000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912258369.000000000123C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/api
Source: new_v8.exe, 0000001B.00000003.2912258369.000000000123C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/apiE
Source: new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/apier
Source: new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/apihZP
Source: new_v8.exe, 0000001B.00000003.3051791237.0000000003986000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/apik
Source: new_v8.exe, 0000001B.00000003.2754649701.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785879104.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/apilXY
Source: new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/jZP
Source: new_v8.exe, 0000001B.00000003.2780397423.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2754940849.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2780481802.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2753208386.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/m
Source: new_v8.exe, 0000001B.00000003.2804141187.0000000003978000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804564424.0000000003978000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/pI
Source: new_v8.exe, 0000001B.00000003.3013166216.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2912344103.0000000001234000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou/s
Source: new_v8.exe, 0000001B.00000003.2732256893.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2731444217.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2732759831.000000000123B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou:443/api
Source: new_v8.exe, 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://villagedguy.cyou:443/apiwWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-
Source: new_v8.exe String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: axplong.exe, 00000005.00000003.3271971261.0000000005FB9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: new_v8.exe, new_v8.exe, 0000001B.00000003.2806388505.0000000001237000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2804901138.0000000001234000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2879371414.000000000123A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&sitei
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3218081015.0000000001655000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: Jurisdiction.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: splwow64.exe, 00000009.00000003.2554001535.0000000002905000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040D0000.00000004.00000800.00020000.00000000.sdmp, 0b44ippu.exe, 0000002E.00000003.2964754545.00000000027F2000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif.10.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: new_v8.exe, 0000001B.00000003.2734376814.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733596178.00000000039BE000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.00000000039BC000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2913098718.000000000591F000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2944595083.00000000039CC000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2953869224.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.00000000039CA000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3105886803.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3107663794.0000000003B5B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: stealc_default2.exe, 00000006.00000003.2581126375.0000000027DD7000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785326300.0000000003A8F000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3067850619.0000000005C19000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3099294872.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: stealc_default2.exe, 00000006.00000003.2581126375.0000000027DD7000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2785326300.0000000003A8F000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3067850619.0000000005C19000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3099294872.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3207526089.0000000003C35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: new_v8.exe, 0000001B.00000003.2697182708.0000000001227000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2713217839.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: new_v8.exe, 0000001B.00000003.2701683074.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 9_2_004050CD
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 9_2_004044A5

Spam, unwanted Advertisements and Ransom Demands
barindex
Writes many files with high entropy
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Molecular entropy: 7.99747464851 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Twisted entropy: 7.99807294997 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Various entropy: 7.9982397133 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Fitting entropy: 7.99675888177 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Spirit entropy: 7.99770041409 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Sponsorship entropy: 7.99748128877 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\See entropy: 7.99720857135 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Users\user\AppData\Local\Temp\Witch entropy: 7.99656691556 Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\197036\T entropy: 7.99966491393 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif File created: C:\Users\user\AppData\Local\GreenTech Dynamics\O entropy: 7.99966491393 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Suitable entropy: 7.99688273383 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Invalid entropy: 7.99816543384 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Firmware entropy: 7.99826271782 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Hop entropy: 7.99728199081 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Bar entropy: 7.99699428009 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Ruled entropy: 7.99803142953 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Clearance entropy: 7.99663802819 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\January entropy: 7.99693481432 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Denmark entropy: 7.99686693968 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Wisdom entropy: 7.99692465234 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Gay entropy: 7.998406841 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Baby entropy: 7.99787388214 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\July entropy: 7.99793110694 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Johnson entropy: 7.99814673503 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Users\user\AppData\Local\Temp\Continental entropy: 7.99795128412 Jump to dropped file

System Summary
barindex
.NET source code contains very large array initializations
Source: 29.2.dac4554719.exe.12831a78.1.raw.unpack, searchX64LPVOIDhierarchy.cs Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832
Source: 29.0.dac4554719.exe.5e408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs Large array initialization: GetGuidArrayRestrictedSkipVisibilityChecks: array initializer size 440832
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: .idata
Source: 1bd0484d71.exe.5.dr Static PE information: section name:
Source: 1bd0484d71.exe.5.dr Static PE information: section name: .idata
Source: new_v8[1].exe.5.dr Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr Static PE information: section name: .vmp+
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: c1a4d3220c.exe.5.dr Static PE information: section name:
Source: c1a4d3220c.exe.5.dr Static PE information: section name: .rsrc
Source: c1a4d3220c.exe.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: .rsrc
Source: random[1].exe1.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: f6f4816752.exe.5.dr Static PE information: section name:
Source: f6f4816752.exe.5.dr Static PE information: section name: .rsrc
Source: f6f4816752.exe.5.dr Static PE information: section name: .idata
Source: f6f4816752.exe.5.dr Static PE information: section name:
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name:
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name: .idata
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name:
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: .idata
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name:
PE file has a writeable .text section
Source: stealc_default2[1].exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: stealc_default2.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Wscript called in batch mode (surpress errors)
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 6_2_6BF5F280
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFBB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 6_2_6BFBB910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFBB8C0 rand_s,NtQueryVirtualMemory, 6_2_6BFBB8C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFBB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 6_2_6BFBB700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF7ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 6_2_6BF7ED10
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 9_2_00403883
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Windows\LuggageRepresentations Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Windows\AdditionsSalvation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Windows\SixCream Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Windows\HomelessLaser Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Windows\ActuallyFtp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe File created: C:\Windows\EauOfficial Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Windows\SanyoToday
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Windows\DeletedWilliam
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Windows\BookmarkRolling
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe File created: C:\Windows\HimselfConsumption
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF535A0 6_2_6BF535A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC53C8 6_2_6BFC53C8
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5F380 6_2_6BF5F380
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF6C370 6_2_6BF6C370
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF55340 6_2_6BF55340
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF9D320 6_2_6BF9D320
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF71AF0 6_2_6BF71AF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF9E2F0 6_2_6BF9E2F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF98AC0 6_2_6BF98AC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF6CAB0 6_2_6BF6CAB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC2AB0 6_2_6BFC2AB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF522A0 6_2_6BF522A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF84AA0 6_2_6BF84AA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFCBA90 6_2_6BFCBA90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF99A60 6_2_6BF99A60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF8D9B0 6_2_6BF8D9B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5C9A0 6_2_6BF5C9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF95190 6_2_6BF95190
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFB2990 6_2_6BFB2990
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFAB970 6_2_6BFAB970
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFCB170 6_2_6BFCB170
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF6D960 6_2_6BF6D960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF7A940 6_2_6BF7A940
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF7C0E0 6_2_6BF7C0E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF958E0 6_2_6BF958E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC50C7 6_2_6BFC50C7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF860A0 6_2_6BF860A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF9F070 6_2_6BF9F070
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF78850 6_2_6BF78850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF7D850 6_2_6BF7D850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF9B820 6_2_6BF9B820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFA4820 6_2_6BFA4820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF67810 6_2_6BF67810
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF86FF0 6_2_6BF86FF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5DFE0 6_2_6BF5DFE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFA77A0 6_2_6BFA77A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF97710 6_2_6BF97710
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF69F00 6_2_6BF69F00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5BEF0 6_2_6BF5BEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF6FEF0 6_2_6BF6FEF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC76E3 6_2_6BFC76E3
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFB4EA0 6_2_6BFB4EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF75E90 6_2_6BF75E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFBE680 6_2_6BFBE680
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5C670 6_2_6BF5C670
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC6E63 6_2_6BFC6E63
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF79E50 6_2_6BF79E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF93E50 6_2_6BF93E50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFA2E4E 6_2_6BFA2E4E
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF74640 6_2_6BF74640
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFB9E30 6_2_6BFB9E30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF97E10 6_2_6BF97E10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFA5600 6_2_6BFA5600
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFB85F0 6_2_6BFB85F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF90DD0 6_2_6BF90DD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF7ED10 6_2_6BF7ED10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF80512 6_2_6BF80512
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF6FD00 6_2_6BF6FD00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF96CF0 6_2_6BF96CF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF5D4E0 6_2_6BF5D4E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF7D4D0 6_2_6BF7D4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF664C0 6_2_6BF664C0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFB34A0 6_2_6BFB34A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFBC4A0 6_2_6BFBC4A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF66C80 6_2_6BF66C80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC545C 6_2_6BFC545C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF65440 6_2_6BF65440
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFC542B 6_2_6BFC542B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF95C10 6_2_6BF95C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFA2C10 6_2_6BFA2C10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFCAC00 6_2_6BFCAC00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0C6C00 6_2_6C0C6C00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0DAC30 6_2_6C0DAC30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C00AC60 6_2_6C00AC60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C05ECD0 6_2_6C05ECD0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C188D20 6_2_6C188D20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C12AD50 6_2_6C12AD50
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0CED70 6_2_6C0CED70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C096D90 6_2_6C096D90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C004DB0 6_2_6C004DB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C18CDC0 6_2_6C18CDC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0E0E20 6_2_6C0E0E20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C09EE70 6_2_6C09EE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C086E90 6_2_6C086E90
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C00AEC0 6_2_6C00AEC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0A0EC0 6_2_6C0A0EC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C006F10 6_2_6C006F10
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C140F20 6_2_6C140F20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C06EF40 6_2_6C06EF40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0C2F70 6_2_6C0C2F70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C148FB0 6_2_6C148FB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C00EFB0 6_2_6C00EFB0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C000FE0 6_2_6C000FE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0DEFF0 6_2_6C0DEFF0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C050820 6_2_6C050820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C08A820 6_2_6C08A820
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0D4840 6_2_6C0D4840
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C1068E0 6_2_6C1068E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C056900 6_2_6C056900
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C038960 6_2_6C038960
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0909A0 6_2_6C0909A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0BA9A0 6_2_6C0BA9A0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0C09B0 6_2_6C0C09B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C11C9E0 6_2_6C11C9E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0349F0 6_2_6C0349F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0AEA00 6_2_6C0AEA00
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0B8A30 6_2_6C0B8A30
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C07CA70 6_2_6C07CA70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C07EA80 6_2_6C07EA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFFECC0 6_2_6BFFECC0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0A0BA0 6_2_6C0A0BA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C106BE0 6_2_6C106BE0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C064420 6_2_6C064420
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C08A430 6_2_6C08A430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C018460 6_2_6C018460
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C12A480 6_2_6C12A480
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0464D0 6_2_6C0464D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C09A4D0 6_2_6C09A4D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C148550 6_2_6C148550
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C058540 6_2_6C058540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C104540 6_2_6C104540
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C062560 6_2_6C062560
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0A0570 6_2_6C0A0570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0CA5E0 6_2_6C0CA5E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C08E5F0 6_2_6C08E5F0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C05C650 6_2_6C05C650
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0246D0 6_2_6C0246D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C05E6E0 6_2_6C05E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C09E6E0 6_2_6C09E6E0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C080700 6_2_6C080700
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFF8090 6_2_6BFF8090
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C02A7D0 6_2_6C02A7D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0CC000 6_2_6C0CC000
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C0C8010 6_2_6C0C8010
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C04E070 6_2_6C04E070
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_0040497C 9_2_0040497C
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00406ED2 9_2_00406ED2
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_004074BB 9_2_004074BB
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\LgAmARwZ\Application.exe 8521A1F4D523A2A9E7F8DDF01147E65E7F3FF54B268E9B40F91E07DC01FA148F
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: String function: 00F145C0 appears 316 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: String function: 6BF8CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: String function: 6BF994D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: String function: 6C023620 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: String function: 6C029B10 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: String function: 004062A3 appears 58 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 272
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random[1].exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: dac4554719.exe.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Application.exe.29.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe Static PE information: Section: ZLIB complexity 0.9971687670299727
Source: file.exe Static PE information: Section: keanncem ZLIB complexity 0.994250135140173
Source: axplong.exe.0.dr Static PE information: Section: ZLIB complexity 0.9971687670299727
Source: axplong.exe.0.dr Static PE information: Section: keanncem ZLIB complexity 0.994250135140173
Source: random[2].exe.5.dr Static PE information: Section: ZLIB complexity 0.9980836108934169
Source: 1bd0484d71.exe.5.dr Static PE information: Section: ZLIB complexity 0.9980836108934169
Source: random[1].exe0.5.dr Static PE information: Section: ZLIB complexity 0.9980897335423198
Source: c1a4d3220c.exe.5.dr Static PE information: Section: ZLIB complexity 0.9980897335423198
Source: GOLD1234[1].exe.5.dr Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: GOLD1234.exe.5.dr Static PE information: Section: .call ZLIB complexity 1.0003314936926606
Source: random[1].exe1.5.dr Static PE information: Section: dcpywpmo ZLIB complexity 0.994637644070367
Source: f6f4816752.exe.5.dr Static PE information: Section: dcpywpmo ZLIB complexity 0.994637644070367
Source: shop[1].exe.5.dr Static PE information: Section: .bss ZLIB complexity 1.0003314936926606
Source: shop.exe.5.dr Static PE information: Section: .bss ZLIB complexity 1.0003314936926606
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: Section: ZLIB complexity 0.9981905653950953
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: Section: npluczcb ZLIB complexity 0.9944600974718245
Source: random[1].exe1.5.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: f6f4816752.exe.5.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 29.2.dac4554719.exe.12831a78.1.raw.unpack, searchX64LPVOIDhierarchy.cs Cryptographic APIs: 'CreateDecryptor'
Source: 29.0.dac4554719.exe.5e408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs Cryptographic APIs: 'CreateDecryptor'
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@83/101@0/13
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFB7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 6_2_6BFB7030
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 9_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F28680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 6_2_00F28680
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F23720 CoCreateInstance,MultiByteToWideChar,lstrcpyn, 6_2_00F23720
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6216:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3264:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7128
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3352:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: stealc_default2.exe, stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: stealc_default2.exe, 00000006.00000003.2480124295.0000000021A79000.00000004.00000020.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733024762.00000000039A9000.00000004.00000800.00020000.00000000.sdmp, new_v8.exe, 0000001B.00000003.2733888758.000000000398E000.00000004.00000800.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.2895920185.0000000005924000.00000004.00000800.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.2949495792.0000000003998000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3102266896.0000000003B48000.00000004.00000800.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3106922930.0000000003B2A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: stealc_default2.exe, 00000006.00000002.2673896402.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2642192619.000000001BAF3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 47%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: new_v8.exe String found in binary or memory: "app.update.lastUpdateTime.recipe-client-addon-run", 1696333830); user_pref("app.update.lastUpdateTime.region-update-timer", 0); user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856); user_pref("app.update.lastUpdateTime.xpi-signatur
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 272
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & echo URL="C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mpr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windowscodecs.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: windows.storage.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: wldp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: profapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winhttp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: mswsock.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: winnsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: riched20.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: usp10.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: msls31.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1920512 > 1048576
Source: file.exe Static PE information: Raw size of keanncem is bigger than: 0x100000 < 0x1a3200
Source: Binary string: mozglue.pdbP source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr
Source: Binary string: nss3.pdb@ source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: my_library.pdbU source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source: Binary string: my_library.pdb source: f6f4816752.exe, 00000031.00000003.3036164555.0000000004C2B000.00000004.00001000.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3149193410.000000000031C000.00000040.00000001.01000000.0000001D.sdmp
Source: Binary string: nss3.pdb source: stealc_default2.exe, 00000006.00000002.2675137486.000000006C18F000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: mozglue.pdb source: stealc_default2.exe, 00000006.00000002.2674484590.000000006BFCD000.00000002.00000001.01000000.0000000D.sdmp, mozglue[1].dll.6.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.cd0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Unpacked PE file: 1.2.axplong.exe.840000.0.unpack :EW;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;keanncem:EW;dteokgfa:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Unpacked PE file: 49.2.f6f4816752.exe.2f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;dcpywpmo:EW;ghlarfhj:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;dcpywpmo:EW;ghlarfhj:EW;.taggant:EW;
.NET source code contains potential unpacker
Source: 29.2.dac4554719.exe.12831a78.1.raw.unpack, searchX64LPVOIDhierarchy.cs .Net Code: WaitDelegatesetLatencyMode
Source: 29.0.dac4554719.exe.5e408e.1.raw.unpack, searchX64LPVOIDhierarchy.cs .Net Code: WaitDelegatesetLatencyMode
Binary contains a suspicious time stamp
Source: random[1].exe.5.dr Static PE information: 0x9C4597AB [Wed Jan 29 23:35:07 2053 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00F29860
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe1.5.dr Static PE information: real checksum: 0x215252 should be: 0x21306d
Source: RDX123456[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x5876f
Source: stealc_default2.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x516aa
Source: Application.exe.29.dr Static PE information: real checksum: 0x0 should be: 0x86b26
Source: GOLD1234[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0xacdea
Source: RDX123456.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x5876f
Source: random[2].exe.5.dr Static PE information: real checksum: 0x2d5f17 should be: 0x2d1b47
Source: 1bd0484d71.exe.5.dr Static PE information: real checksum: 0x2d5f17 should be: 0x2d1b47
Source: random[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x86b26
Source: shop.exe.5.dr Static PE information: real checksum: 0x0 should be: 0xa36fe
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: real checksum: 0x1d8d5d should be: 0x1d1ab0
Source: c1a4d3220c.exe.5.dr Static PE information: real checksum: 0x2d80f0 should be: 0x2e27f0
Source: shop[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0xa36fe
Source: axplong.exe.0.dr Static PE information: real checksum: 0x1d86c2 should be: 0x1de36c
Source: f6f4816752.exe.5.dr Static PE information: real checksum: 0x215252 should be: 0x21306d
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: real checksum: 0x2b2e4b should be: 0x2ac679
Source: stealc_default2[1].exe.5.dr Static PE information: real checksum: 0x0 should be: 0x516aa
Source: file.exe Static PE information: real checksum: 0x1d86c2 should be: 0x1de36c
Source: dac4554719.exe.5.dr Static PE information: real checksum: 0x0 should be: 0x86b26
Source: GOLD1234.exe.5.dr Static PE information: real checksum: 0x0 should be: 0xacdea
Source: random[1].exe0.5.dr Static PE information: real checksum: 0x2d80f0 should be: 0x2e27f0
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: keanncem
Source: file.exe Static PE information: section name: dteokgfa
Source: file.exe Static PE information: section name: .taggant
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: .idata
Source: axplong.exe.0.dr Static PE information: section name:
Source: axplong.exe.0.dr Static PE information: section name: keanncem
Source: axplong.exe.0.dr Static PE information: section name: dteokgfa
Source: axplong.exe.0.dr Static PE information: section name: .taggant
Source: random[2].exe.5.dr Static PE information: section name:
Source: random[2].exe.5.dr Static PE information: section name: .idata
Source: random[2].exe.5.dr Static PE information: section name: rdpqavxy
Source: random[2].exe.5.dr Static PE information: section name: vlmkkwpy
Source: random[2].exe.5.dr Static PE information: section name: .taggant
Source: 1bd0484d71.exe.5.dr Static PE information: section name:
Source: 1bd0484d71.exe.5.dr Static PE information: section name: .idata
Source: 1bd0484d71.exe.5.dr Static PE information: section name: rdpqavxy
Source: 1bd0484d71.exe.5.dr Static PE information: section name: vlmkkwpy
Source: 1bd0484d71.exe.5.dr Static PE information: section name: .taggant
Source: Offnewhere[1].exe.5.dr Static PE information: section name: .eh_fram
Source: Offnewhere.exe.5.dr Static PE information: section name: .eh_fram
Source: new_v8[1].exe.5.dr Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr Static PE information: section name: .vmp+
Source: new_v8[1].exe.5.dr Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr Static PE information: section name: .vmp+
Source: new_v8.exe.5.dr Static PE information: section name: .vmp+
Source: random[1].exe0.5.dr Static PE information: section name:
Source: random[1].exe0.5.dr Static PE information: section name: .rsrc
Source: random[1].exe0.5.dr Static PE information: section name: .idata
Source: random[1].exe0.5.dr Static PE information: section name: rqvxxcuy
Source: random[1].exe0.5.dr Static PE information: section name: yqyviqkw
Source: random[1].exe0.5.dr Static PE information: section name: .taggant
Source: c1a4d3220c.exe.5.dr Static PE information: section name:
Source: c1a4d3220c.exe.5.dr Static PE information: section name: .rsrc
Source: c1a4d3220c.exe.5.dr Static PE information: section name: .idata
Source: c1a4d3220c.exe.5.dr Static PE information: section name: rqvxxcuy
Source: c1a4d3220c.exe.5.dr Static PE information: section name: yqyviqkw
Source: c1a4d3220c.exe.5.dr Static PE information: section name: .taggant
Source: GOLD1234[1].exe.5.dr Static PE information: section name: .00cfg
Source: GOLD1234[1].exe.5.dr Static PE information: section name: .call
Source: GOLD1234.exe.5.dr Static PE information: section name: .00cfg
Source: GOLD1234.exe.5.dr Static PE information: section name: .call
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: .rsrc
Source: random[1].exe1.5.dr Static PE information: section name: .idata
Source: random[1].exe1.5.dr Static PE information: section name:
Source: random[1].exe1.5.dr Static PE information: section name: dcpywpmo
Source: random[1].exe1.5.dr Static PE information: section name: ghlarfhj
Source: random[1].exe1.5.dr Static PE information: section name: .taggant
Source: f6f4816752.exe.5.dr Static PE information: section name:
Source: f6f4816752.exe.5.dr Static PE information: section name: .rsrc
Source: f6f4816752.exe.5.dr Static PE information: section name: .idata
Source: f6f4816752.exe.5.dr Static PE information: section name:
Source: f6f4816752.exe.5.dr Static PE information: section name: dcpywpmo
Source: f6f4816752.exe.5.dr Static PE information: section name: ghlarfhj
Source: f6f4816752.exe.5.dr Static PE information: section name: .taggant
Source: shop[1].exe.5.dr Static PE information: section name: .00cfg
Source: shop.exe.5.dr Static PE information: section name: .00cfg
Source: freebl3.dll.6.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.6.dr Static PE information: section name: .00cfg
Source: mozglue.dll.6.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.6.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.6.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.6.dr Static PE information: section name: .didat
Source: nss3.dll.6.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.6.dr Static PE information: section name: .00cfg
Source: softokn3.dll.6.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.6.dr Static PE information: section name: .00cfg
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name:
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name: .idata
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name: ziejvuqc
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name: vpkhfhix
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name: .taggant
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name:
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: .idata
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name:
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: npluczcb
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: cveucipf
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F2B035 push ecx; ret 6_2_00F2B048
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF8B536 push ecx; ret 6_2_6BF8B549
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123C230 push ss; retf 27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123C230 push ss; retf 27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123D82A push ebx; ret 27_3_0123D879
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123C230 push ss; retf 27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123C230 push ss; retf 27_3_0123C239
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FE16 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0123FF70 push eax; iretd 27_3_0123FF73
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Code function: 27_3_0124C7AA push 0000003Bh; retf 27_3_0124C7AC
Source: file.exe Static PE information: section name: entropy: 7.980336240605662
Source: file.exe Static PE information: section name: keanncem entropy: 7.953870003541859
Source: axplong.exe.0.dr Static PE information: section name: entropy: 7.980336240605662
Source: axplong.exe.0.dr Static PE information: section name: keanncem entropy: 7.953870003541859
Source: random[2].exe.5.dr Static PE information: section name: entropy: 7.981028282456901
Source: 1bd0484d71.exe.5.dr Static PE information: section name: entropy: 7.981028282456901
Source: random[1].exe.5.dr Static PE information: section name: .text entropy: 7.82060659626259
Source: dac4554719.exe.5.dr Static PE information: section name: .text entropy: 7.82060659626259
Source: random[1].exe0.5.dr Static PE information: section name: entropy: 7.978125552990028
Source: c1a4d3220c.exe.5.dr Static PE information: section name: entropy: 7.978125552990028
Source: GOLD1234[1].exe.5.dr Static PE information: section name: .text entropy: 7.010787961155337
Source: GOLD1234.exe.5.dr Static PE information: section name: .text entropy: 7.010787961155337
Source: random[1].exe1.5.dr Static PE information: section name: dcpywpmo entropy: 7.953610135953472
Source: f6f4816752.exe.5.dr Static PE information: section name: dcpywpmo entropy: 7.953610135953472
Source: shop[1].exe.5.dr Static PE information: section name: .text entropy: 7.0240622903518135
Source: shop.exe.5.dr Static PE information: section name: .text entropy: 7.0240622903518135
Source: POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe.27.dr Static PE information: section name: entropy: 7.801926370917028
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: entropy: 7.983780159268144
Source: XLN9V631J4Y45UE4.exe.27.dr Static PE information: section name: npluczcb entropy: 7.953091087271067
Source: Application.exe.29.dr Static PE information: section name: .text entropy: 7.82060659626259

Persistence and Installation Behavior
barindex
Drops PE files with a suspicious file extension
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jump to dropped file
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\RDX123456[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\0b44ippu[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif File created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File created: C:\Users\user\AppData\Local\Temp\XLN9V631J4Y45UE4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\GOLD1234[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\Offnewhere[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File created: C:\Users\user\AppData\Local\Temp\ZWAE2K096DYFL3DZL5I.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe File created: C:\ProgramData\LgAmARwZ\Application.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\shop[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File created: C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File created: C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\splwow64[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File created: C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\new_v8[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe File created: C:\ProgramData\LgAmARwZ\Application.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Window searched: window name: Regmonclass
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\axplong.job Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoCraft.url
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LgAmARwZ.url
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f6f4816752.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 1bd0484d71.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00F29860
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking locale)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Evasive API call chain: GetUserDefaultLangID, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe System information queried: FirmwareTableInformation
Switches to a custom stack to bypass stack traces
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: 785364
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: BFF62F
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: 7CDA53
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: 7D5AD4
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: BE8559
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: B11707
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: 85BB4B
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe API/Special instruction interceptor: Address: 8AF1DA
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBAD58 second address: EBAD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jmp 00007FAF78D3F536h 0x0000000b jng 00007FAF78D3F526h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBAD7E second address: EBAD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBAF26 second address: EBAF2C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBAF2C second address: EBAF49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jc 00007FAF7914BEC6h 0x0000000d jmp 00007FAF7914BECFh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD5CB second address: EBD5CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD5CF second address: EBD63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF7914BECFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BED5h 0x00000013 pop edx 0x00000014 nop 0x00000015 sbb esi, 4F1C3EF6h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e pop esi 0x0000001f call 00007FAF7914BEC9h 0x00000024 push edx 0x00000025 push edx 0x00000026 jmp 00007FAF7914BED8h 0x0000002b pop edx 0x0000002c pop edx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 jmp 00007FAF7914BECDh 0x00000036 pop eax 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD63F second address: EBD682 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FAF78D3F52Fh 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FAF78D3F531h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD7F8 second address: EBD816 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED1h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD816 second address: EBD81B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD81B second address: EBD820 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD820 second address: EBD826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD826 second address: EBD86D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FAF7914BED2h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jp 00007FAF7914BED0h 0x00000018 pushad 0x00000019 ja 00007FAF7914BEC6h 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 popad 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FAF7914BED2h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD86D second address: EBD873 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD873 second address: EBD877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD877 second address: EBD903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FAF78D3F528h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Ch 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 pushad 0x00000024 mov edi, dword ptr [ebp+122D29D1h] 0x0000002a movzx ecx, ax 0x0000002d popad 0x0000002e push 00000003h 0x00000030 mov edx, dword ptr [ebp+122D2925h] 0x00000036 push 00000000h 0x00000038 mov edi, edx 0x0000003a push 00000003h 0x0000003c push 00000000h 0x0000003e push ebx 0x0000003f call 00007FAF78D3F528h 0x00000044 pop ebx 0x00000045 mov dword ptr [esp+04h], ebx 0x00000049 add dword ptr [esp+04h], 00000014h 0x00000051 inc ebx 0x00000052 push ebx 0x00000053 ret 0x00000054 pop ebx 0x00000055 ret 0x00000056 call 00007FAF78D3F529h 0x0000005b jmp 00007FAF78D3F536h 0x00000060 push eax 0x00000061 push eax 0x00000062 push edx 0x00000063 jnl 00007FAF78D3F528h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD903 second address: EBD909 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD909 second address: EBD90D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD90D second address: EBD911 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD911 second address: EBD985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jmp 00007FAF78D3F52Ah 0x00000011 mov eax, dword ptr [eax] 0x00000013 jmp 00007FAF78D3F534h 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c jmp 00007FAF78D3F52Fh 0x00000021 pop eax 0x00000022 movsx ecx, dx 0x00000025 lea ebx, dword ptr [ebp+12452442h] 0x0000002b call 00007FAF78D3F538h 0x00000030 add dword ptr [ebp+122D1D34h], esi 0x00000036 pop edi 0x00000037 xchg eax, ebx 0x00000038 jp 00007FAF78D3F530h 0x0000003e pushad 0x0000003f pushad 0x00000040 popad 0x00000041 push eax 0x00000042 push edx 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBD9FF second address: EBDA05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDAA1 second address: EBDADD instructions: 0x00000000 rdtsc 0x00000002 js 00007FAF78D3F528h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c add dword ptr [esp], 5F626312h 0x00000013 jmp 00007FAF78D3F537h 0x00000018 lea ebx, dword ptr [ebp+1245244Dh] 0x0000001e stc 0x0000001f and si, E340h 0x00000024 xchg eax, ebx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 pop eax 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDADD second address: EBDAE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDAE1 second address: EBDAEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDAEB second address: EBDAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF514 second address: EDF518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD4AC second address: EDD4B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FAF7914BEC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD4B7 second address: EDD4BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD4BD second address: EDD4E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7914BED3h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f jnc 00007FAF7914BEC6h 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD4E1 second address: EDD4F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F532h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD8F2 second address: EDD8F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDD8F6 second address: EDD8FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDE122 second address: EDE12F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jg 00007FAF7914BEC6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDE3F2 second address: EDE3F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDEEFD second address: EDEF4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 jmp 00007FAF7914BED9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jns 00007FAF7914BEC6h 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007FAF7914BECBh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jng 00007FAF7914BEC6h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDF388 second address: EDF393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAF78D3F526h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE1624 second address: EE165F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FAF7914BED5h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d jl 00007FAF7914BED2h 0x00000013 jmp 00007FAF7914BECCh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FAF7914BECAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE165F second address: EE1663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE2EB7 second address: EE2EBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EE2EBB second address: EE2ECA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FAF78D3F526h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA3295 second address: EA329F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA329F second address: EA32A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA32A3 second address: EA32BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA32BE second address: EA32EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Eh 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jg 00007FAF78D3F526h 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 jmp 00007FAF78D3F52Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA32EC second address: EA3300 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF7914BECDh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FCD7 second address: E9FCDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FCDB second address: E9FCE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FCE1 second address: E9FD0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007FAF78D3F530h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FD0D second address: E9FD29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FD29 second address: E9FD33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAF78D3F526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FD33 second address: E9FD3F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007FAF7914BEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9FD3F second address: E9FD4A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007FAF78D3F526h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEA6C6 second address: EEA6D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jo 00007FAF7914BEC6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEA6D3 second address: EEA6D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEA866 second address: EEA89B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7914BED1h 0x0000000a popad 0x0000000b jo 00007FAF7914BEF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAF7914BED6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEA9FE second address: EEAA07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAA07 second address: EEAA2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pushad 0x00000008 jng 00007FAF7914BEC6h 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007FAF7914BEC6h 0x00000016 push edx 0x00000017 pop edx 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FAF7914BEC8h 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAB5A second address: EEABA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jo 00007FAF78D3F526h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FAF78D3F537h 0x00000011 jmp 00007FAF78D3F537h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jng 00007FAF78D3F52Ah 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAE51 second address: EEAE59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAE59 second address: EEAE5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAE5D second address: EEAE63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAE63 second address: EEAE71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FAF78D3F526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEAFC9 second address: EEAFFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FAF7914BEC6h 0x00000011 jmp 00007FAF7914BED7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECAB7 second address: EECABD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECABD second address: EECAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECAC2 second address: EECAF2 instructions: 0x00000000 rdtsc 0x00000002 js 00007FAF78D3F538h 0x00000008 jmp 00007FAF78D3F52Ch 0x0000000d jl 00007FAF78D3F526h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 jbe 00007FAF78D3F526h 0x0000001e jmp 00007FAF78D3F52Bh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECAF2 second address: EECAF8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EECAF8 second address: EECB1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF78D3F52Dh 0x0000000b pushad 0x0000000c jl 00007FAF78D3F526h 0x00000012 pushad 0x00000013 popad 0x00000014 jne 00007FAF78D3F526h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB223B second address: EB2265 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push ecx 0x00000009 jmp 00007FAF7914BED9h 0x0000000e js 00007FAF7914BECCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED266 second address: EED26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED26B second address: EED2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push ebx 0x0000000c jng 00007FAF7914BEC6h 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FAF7914BED9h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED3E6 second address: EED3F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED5B1 second address: EED5B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED838 second address: EED858 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F534h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED858 second address: EED86A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED9D2 second address: EED9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EED9D6 second address: EED9FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e js 00007FAF7914BEC6h 0x00000014 jmp 00007FAF7914BED4h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEDF61 second address: EEDF7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jne 00007FAF78D3F526h 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 jnc 00007FAF78D3F526h 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE181 second address: EEE193 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jng 00007FAF7914BEC6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE193 second address: EEE198 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE375 second address: EEE37A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEE37A second address: EEE3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FAF78D3F528h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov si, cx 0x00000025 xchg eax, ebx 0x00000026 jbe 00007FAF78D3F53Ch 0x0000002c pushad 0x0000002d jmp 00007FAF78D3F52Eh 0x00000032 jno 00007FAF78D3F526h 0x00000038 popad 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d jmp 00007FAF78D3F52Ah 0x00000042 jmp 00007FAF78D3F536h 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF350 second address: EEF354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF354 second address: EEF3C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 mov si, dx 0x0000000b push 00000000h 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FAF78D3F528h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push eax 0x0000002c call 00007FAF78D3F528h 0x00000031 pop eax 0x00000032 mov dword ptr [esp+04h], eax 0x00000036 add dword ptr [esp+04h], 0000001Bh 0x0000003e inc eax 0x0000003f push eax 0x00000040 ret 0x00000041 pop eax 0x00000042 ret 0x00000043 call 00007FAF78D3F52Fh 0x00000048 jbe 00007FAF78D3F526h 0x0000004e pop esi 0x0000004f mov esi, dword ptr [ebp+122D256Ch] 0x00000055 xchg eax, ebx 0x00000056 pushad 0x00000057 pushad 0x00000058 jnp 00007FAF78D3F526h 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF3C9 second address: EEF3D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FAF7914BEC6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF0570 second address: EF0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF0577 second address: EF05AD instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAF7914BED1h 0x00000008 jmp 00007FAF7914BECBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 clc 0x00000013 mov esi, dword ptr [ebp+122D29ADh] 0x00000019 push 00000000h 0x0000001b mov si, D8E6h 0x0000001f mov dword ptr [ebp+122D2465h], edx 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 jbe 00007FAF7914BEC8h 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF05AD second address: EF05D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF78D3F52Ch 0x00000008 jnc 00007FAF78D3F526h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 ja 00007FAF78D3F526h 0x0000001b pop edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF05D0 second address: EF05DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FAF7914BEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF05DA second address: EF05DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B58 second address: EF1B72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1B72 second address: EF1BF1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FAF78D3F52Eh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007FAF78D3F528h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 clc 0x00000029 mov dword ptr [ebp+122D2F1Ah], eax 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebx 0x00000034 call 00007FAF78D3F528h 0x00000039 pop ebx 0x0000003a mov dword ptr [esp+04h], ebx 0x0000003e add dword ptr [esp+04h], 00000016h 0x00000046 inc ebx 0x00000047 push ebx 0x00000048 ret 0x00000049 pop ebx 0x0000004a ret 0x0000004b mov di, 8A55h 0x0000004f jng 00007FAF78D3F528h 0x00000055 mov edi, edx 0x00000057 mov di, BBF0h 0x0000005b push 00000000h 0x0000005d mov esi, dword ptr [ebp+122D3568h] 0x00000063 xchg eax, ebx 0x00000064 push eax 0x00000065 push edx 0x00000066 push esi 0x00000067 push eax 0x00000068 pop eax 0x00000069 pop esi 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1BF1 second address: EF1C09 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FAF7914BECBh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF1C09 second address: EF1C0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF328F second address: EF3293 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF3293 second address: EF3299 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF3299 second address: EF32A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FAF7914BEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6DEF second address: EF6DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6DF3 second address: EF6DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6DF7 second address: EF6E49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 jns 00007FAF78D3F53Ch 0x0000000e jnp 00007FAF78D3F536h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007FAF78D3F528h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 push 00000000h 0x00000032 add bx, A305h 0x00000037 push eax 0x00000038 push ecx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c pop eax 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6E49 second address: EF6E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7E04 second address: EF7E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c ja 00007FAF78D3F526h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6FAE second address: EF7039 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FAF7914BEC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d clc 0x0000000e push dword ptr fs:[00000000h] 0x00000015 call 00007FAF7914BED3h 0x0000001a jno 00007FAF7914BEDEh 0x00000020 pop ebx 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push edx 0x00000029 sbb ebx, 4D259897h 0x0000002f pop ebx 0x00000030 mov ebx, dword ptr [ebp+122D29CDh] 0x00000036 mov eax, dword ptr [ebp+122D0F0Dh] 0x0000003c push FFFFFFFFh 0x0000003e sub dword ptr [ebp+122D24C0h], ebx 0x00000044 nop 0x00000045 jmp 00007FAF7914BECFh 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jnp 00007FAF7914BECCh 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF7039 second address: EF704B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9B99 second address: EF9C36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FAF7914BEC8h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 movsx edi, ax 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push edi 0x0000002e call 00007FAF7914BEC8h 0x00000033 pop edi 0x00000034 mov dword ptr [esp+04h], edi 0x00000038 add dword ptr [esp+04h], 00000015h 0x00000040 inc edi 0x00000041 push edi 0x00000042 ret 0x00000043 pop edi 0x00000044 ret 0x00000045 mov dword ptr [ebp+122D2370h], ecx 0x0000004b push 00000000h 0x0000004d mov ebx, 7F28D7A1h 0x00000052 sbb edi, 74828020h 0x00000058 xchg eax, esi 0x00000059 jnl 00007FAF7914BEDDh 0x0000005f push esi 0x00000060 jmp 00007FAF7914BED5h 0x00000065 pop esi 0x00000066 push eax 0x00000067 pushad 0x00000068 push eax 0x00000069 push edx 0x0000006a pushad 0x0000006b popad 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9C36 second address: EF9C40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF9C40 second address: EF9C44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8E1D second address: EF8E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8E21 second address: EF8E25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF8E25 second address: EF8E2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAB97 second address: EFAB9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBBE8 second address: EFBBEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBBEC second address: EFBBFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jc 00007FAF7914BEC6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFAE63 second address: EFAE6D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF78D3F52Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBD13 second address: EFBD2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFBD2F second address: EFBD4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF78D3F538h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F00857 second address: F00861 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F029AE second address: F029C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 js 00007FAF78D3F528h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FAF78D3F528h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFEB18 second address: EFEB22 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF7914BEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F029C7 second address: F029D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FAF78D3F526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFEB22 second address: EFEB27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F029D1 second address: F02A13 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d jmp 00007FAF78D3F539h 0x00000012 push 00000000h 0x00000014 sub dword ptr [ebp+12481856h], ebx 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+1247ABA3h], esi 0x00000022 xor bx, 6A62h 0x00000027 xchg eax, esi 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFEB27 second address: EFEB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02A13 second address: F02A19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F00A86 second address: F00A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FAF7914BED1h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02A19 second address: F02A36 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF78D3F533h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F02A36 second address: F02A3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F01B7A second address: F01B7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F01B7E second address: F01B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F05ACE second address: F05AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F09004 second address: F09011 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF7914BEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1068E second address: F106A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAF78D3F532h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FD33 second address: F0FD39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FD39 second address: F0FD3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FD3E second address: F0FD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F0FD44 second address: F0FD59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAF78D3F52Ch 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F10185 second address: F1018F instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF7914BECEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1018F second address: F1019D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FAF78D3F526h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1019D second address: F101A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F159C6 second address: F159CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1AC31 second address: F1AC35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1AC35 second address: F1AC4F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F530h 0x00000007 jc 00007FAF78D3F526h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1AC4F second address: F1AC54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A11E second address: F1A12A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FAF78D3F526h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A12A second address: F1A12E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A52F second address: F1A559 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 pop ecx 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop edi 0x0000000e push eax 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007FAF78D3F52Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A559 second address: F1A563 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF7914BECCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A563 second address: F1A56A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A819 second address: F1A821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1A821 second address: F1A825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F206BF second address: F206DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAF7914BEC6h 0x0000000a pop edx 0x0000000b jmp 00007FAF7914BECAh 0x00000010 jng 00007FAF7914BECEh 0x00000016 push esi 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1FA30 second address: F1FA3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FAF78D3F526h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1FA3B second address: F1FA5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FAF7914BED4h 0x0000000b popad 0x0000000c push edx 0x0000000d jnc 00007FAF7914BEC6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1FA5F second address: F1FA76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jnp 00007FAF78D3F53Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 jg 00007FAF78D3F526h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1FA76 second address: F1FA7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1FBFD second address: F1FC01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C3B second address: EA9C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C41 second address: EA9C55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FAF78D3F52Dh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C55 second address: EA9C59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C59 second address: EA9C6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C6D second address: EA9C72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C72 second address: EA9C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA9C78 second address: EA9C80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2D7F4 second address: F2D7F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4ED0 second address: EF4EDA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4EDA second address: EF4F3F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jg 00007FAF78D3F52Eh 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push ebx 0x00000015 call 00007FAF78D3F528h 0x0000001a pop ebx 0x0000001b mov dword ptr [esp+04h], ebx 0x0000001f add dword ptr [esp+04h], 00000015h 0x00000027 inc ebx 0x00000028 push ebx 0x00000029 ret 0x0000002a pop ebx 0x0000002b ret 0x0000002c or dword ptr [ebp+122D23EDh], esi 0x00000032 lea eax, dword ptr [ebp+12489C53h] 0x00000038 add di, 7672h 0x0000003d and di, 6AD8h 0x00000042 nop 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4F3F second address: EF4F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4F43 second address: EF4F5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jmp 00007FAF78D3F52Dh 0x0000000c pop esi 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF4F5F second address: EF4F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5037 second address: EF503B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF503B second address: EF5055 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FAF7914BECDh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5055 second address: EF5152 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007FAF78D3F533h 0x00000010 jmp 00007FAF78D3F52Dh 0x00000015 popad 0x00000016 xchg eax, ebx 0x00000017 push ecx 0x00000018 jmp 00007FAF78D3F534h 0x0000001d pop edx 0x0000001e push dword ptr fs:[00000000h] 0x00000025 sub dword ptr [ebp+122D2D77h], ebx 0x0000002b mov dword ptr fs:[00000000h], esp 0x00000032 jmp 00007FAF78D3F52Ch 0x00000037 mov dword ptr [ebp+12489CABh], esp 0x0000003d jmp 00007FAF78D3F52Fh 0x00000042 cmp dword ptr [ebp+122D298Dh], 00000000h 0x00000049 jne 00007FAF78D3F629h 0x0000004f push 00000000h 0x00000051 push ebx 0x00000052 call 00007FAF78D3F528h 0x00000057 pop ebx 0x00000058 mov dword ptr [esp+04h], ebx 0x0000005c add dword ptr [esp+04h], 0000001Bh 0x00000064 inc ebx 0x00000065 push ebx 0x00000066 ret 0x00000067 pop ebx 0x00000068 ret 0x00000069 push eax 0x0000006a mov edi, 7032F900h 0x0000006f pop ecx 0x00000070 mov byte ptr [ebp+122D2414h], 00000047h 0x00000077 jp 00007FAF78D3F52Bh 0x0000007d sub di, E5ECh 0x00000082 mov eax, D49AA7D2h 0x00000087 call 00007FAF78D3F52Ah 0x0000008c pop edx 0x0000008d nop 0x0000008e jc 00007FAF78D3F53Eh 0x00000094 jmp 00007FAF78D3F538h 0x00000099 push eax 0x0000009a push eax 0x0000009b push edx 0x0000009c push eax 0x0000009d push edx 0x0000009e jmp 00007FAF78D3F536h 0x000000a3 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5152 second address: EF5158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF560F second address: EF5614 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5614 second address: EF561A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5812 second address: EF5818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5818 second address: EF5835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d push esi 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5A19 second address: EF5A8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FAF78D3F526h 0x0000000a popad 0x0000000b jmp 00007FAF78D3F537h 0x00000010 popad 0x00000011 mov dword ptr [esp], eax 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007FAF78D3F528h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 0000001Bh 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edi, dword ptr [ebp+12453751h] 0x00000034 push 00000004h 0x00000036 mov ecx, dword ptr [ebp+122D224Eh] 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FAF78D3F539h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5F17 second address: EF5F1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5F1D second address: EF5F23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5F23 second address: EF5F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6138 second address: EF61C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F530h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jg 00007FAF78D3F52Ch 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FAF78D3F528h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b add dword ptr [ebp+122D32D0h], edx 0x00000031 movsx edx, di 0x00000034 lea eax, dword ptr [ebp+12489C97h] 0x0000003a push 00000000h 0x0000003c push eax 0x0000003d call 00007FAF78D3F528h 0x00000042 pop eax 0x00000043 mov dword ptr [esp+04h], eax 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc eax 0x00000050 push eax 0x00000051 ret 0x00000052 pop eax 0x00000053 ret 0x00000054 jmp 00007FAF78D3F533h 0x00000059 nop 0x0000005a push eax 0x0000005b push edx 0x0000005c jnl 00007FAF78D3F52Ch 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF61C8 second address: EF61CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CA2A second address: F2CA4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jmp 00007FAF78D3F52Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CA4F second address: F2CA53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CA53 second address: F2CA57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CA57 second address: F2CA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FAF7914BECDh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CEE3 second address: F2CEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CEE7 second address: F2CF1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED7h 0x00000007 jmp 00007FAF7914BED9h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2CF1B second address: F2CF3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FAF78D3F526h 0x00000009 jmp 00007FAF78D3F538h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F2D1F9 second address: F2D22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FAF7914BED8h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FAF7914BED1h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33497 second address: F3349D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3349D second address: F334B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FAF7914BECEh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F334B0 second address: F334B5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31FAB second address: F31FAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31FAF second address: F31FE2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FAF78D3F526h 0x00000008 jne 00007FAF78D3F526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FAF78D3F52Ah 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAF78D3F537h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31FE2 second address: F31FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32424 second address: F3242D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32563 second address: F32567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32567 second address: F3256B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3256B second address: F32571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32571 second address: F3257C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3257C second address: F32581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32581 second address: F3259D instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF78D3F52Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F52Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3259D second address: F325AE instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF7914BECCh 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F325AE second address: F325B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32DA4 second address: F32DCC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FAF7914BED4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007FAF7914BED2h 0x00000011 jbe 00007FAF7914BEC6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F32DCC second address: F32DE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jno 00007FAF78D3F526h 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 jne 00007FAF78D3F526h 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3331A second address: F3331E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F31CF2 second address: F31D02 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAF78D3F526h 0x00000008 jnp 00007FAF78D3F526h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F372BD second address: F372C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F375F9 second address: F375FF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F375FF second address: F37604 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F37604 second address: F3760A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4CA1 second address: EA4CC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007FAF7914BED1h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FAF7914BEC6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4CC4 second address: EA4CC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F39AC3 second address: F39AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3EB0A second address: F3EB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E115 second address: F3E119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E119 second address: F3E134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F533h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E134 second address: F3E138 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E138 second address: F3E142 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3E68D second address: F3E6CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FAF7914BECCh 0x0000000c jbe 00007FAF7914BEC6h 0x00000012 jmp 00007FAF7914BECDh 0x00000017 jmp 00007FAF7914BED3h 0x0000001c popad 0x0000001d pushad 0x0000001e push edx 0x0000001f push edx 0x00000020 pop edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 pop edx 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F43F91 second address: F43F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F43F97 second address: F43F9D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F43F9D second address: F43FAD instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FAF78D3F532h 0x00000008 jns 00007FAF78D3F526h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F44117 second address: F4411C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F44262 second address: F44266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F44266 second address: F4427A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FAF7914BECEh 0x0000000c jnp 00007FAF7914BEC6h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4427A second address: F44291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FAF78D3F531h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F44291 second address: F44295 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F44295 second address: F4429F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5C18 second address: EF5C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5C1C second address: EF5CB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 je 00007FAF78D3F528h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 nop 0x00000013 call 00007FAF78D3F52Dh 0x00000018 mov di, F4AFh 0x0000001c pop ecx 0x0000001d mov ebx, dword ptr [ebp+12489C92h] 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007FAF78D3F528h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 00000017h 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d add eax, ebx 0x0000003f push 00000000h 0x00000041 push ecx 0x00000042 call 00007FAF78D3F528h 0x00000047 pop ecx 0x00000048 mov dword ptr [esp+04h], ecx 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc ecx 0x00000055 push ecx 0x00000056 ret 0x00000057 pop ecx 0x00000058 ret 0x00000059 nop 0x0000005a jmp 00007FAF78D3F536h 0x0000005f push eax 0x00000060 je 00007FAF78D3F534h 0x00000066 pushad 0x00000067 jnp 00007FAF78D3F526h 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4804C second address: F48068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FAF7914BEC6h 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FAF7914BECCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F481E8 second address: F48200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FAF78D3F526h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jnp 00007FAF78D3F526h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4F2F0 second address: F4F2F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4F2F4 second address: F4F2FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4F460 second address: F4F464 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F4F464 second address: F4F468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5054B second address: F50551 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F50AEF second address: F50AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59BE9 second address: F59BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F58DA1 second address: F58DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F52Eh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F591F9 second address: F591FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F591FD second address: F59209 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FAF78D3F526h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F598FC second address: F59900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F59900 second address: F5990A instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF78D3F526h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5990A second address: F5990F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61C76 second address: F61C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61C7C second address: F61C86 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FAF7914BEC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61C86 second address: F61C8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61C8B second address: F61CA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF7914BECCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61CA4 second address: F61CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F603C9 second address: F603D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60544 second address: F6055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F534h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6055E second address: F60563 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60563 second address: F6056B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6056B second address: F6056F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6056F second address: F60573 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60929 second address: F6092D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6092D second address: F60933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60BFD second address: F60C28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FAF7914BED8h 0x0000000b jno 00007FAF7914BEC6h 0x00000011 pop eax 0x00000012 pop edi 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F60C28 second address: F60C37 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61340 second address: F61344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61344 second address: F61357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b jg 00007FAF78D3F526h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61357 second address: F6135C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6135C second address: F61363 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F61363 second address: F61381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED6h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F5F9BA second address: F5F9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F696F0 second address: F696F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F696F4 second address: F696F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F696F8 second address: F6971B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FAF7914BEC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 pushad 0x00000011 jl 00007FAF7914BEC6h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 pushad 0x0000001a popad 0x0000001b push edx 0x0000001c pop edx 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 push edi 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6971B second address: F69724 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F69724 second address: F6972A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6972A second address: F6972E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F69266 second address: F692BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED0h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c jmp 00007FAF7914BECDh 0x00000011 push edi 0x00000012 jmp 00007FAF7914BED9h 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b jne 00007FAF7914BED6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F692BE second address: F692CA instructions: 0x00000000 rdtsc 0x00000002 je 00007FAF78D3F52Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F693F7 second address: F69400 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F69400 second address: F69428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F539h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F69428 second address: F69444 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F69444 second address: F6945D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FAF78D3F531h 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F6945D second address: F69461 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8BB39 second address: F8BB3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8BB3F second address: F8BB43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8BB43 second address: F8BB8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FAF78D3F540h 0x0000000f jnp 00007FAF78D3F52Eh 0x00000015 pushad 0x00000016 push edi 0x00000017 pop edi 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F8E02E second address: F8E064 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FAF7914BED0h 0x0000000e push eax 0x0000000f push edx 0x00000010 jbe 00007FAF7914BEC6h 0x00000016 jp 00007FAF7914BEC6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F95D3D second address: F95D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F95D43 second address: F95D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F945A1 second address: F945BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jl 00007FAF78D3F526h 0x0000000c jmp 00007FAF78D3F52Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F945BB second address: F945D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED4h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F945D5 second address: F945DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F945DD second address: F945F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9475C second address: F94760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F95083 second address: F9509F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FAF7914BECCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007FAF7914BEE6h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9AAD4 second address: F9AAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FAF78D3F526h 0x0000000a pop edx 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F9AAE3 second address: F9AB0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FAF7914BECAh 0x0000000e jmp 00007FAF7914BECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB49B second address: FAB4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jbe 00007FAF78D3F526h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB4AB second address: FAB4C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB4C4 second address: FAB4C9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB4C9 second address: FAB4E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007FAF7914BECBh 0x00000011 pop ebx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB4E4 second address: FAB4EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FAB4EA second address: FAB503 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED4h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA8A2B second address: FA8A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAF78D3F526h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA8A37 second address: FA8A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FA8A3B second address: FA8A3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB8053 second address: FB8059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FB7EC7 second address: FB7ECB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBA8DD second address: FBA944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007FAF7914BED4h 0x00000019 jc 00007FAF7914BEC6h 0x0000001f push eax 0x00000020 pop eax 0x00000021 popad 0x00000022 pushad 0x00000023 jmp 00007FAF7914BECAh 0x00000028 jmp 00007FAF7914BECEh 0x0000002d jnl 00007FAF7914BEC6h 0x00000033 popad 0x00000034 popad 0x00000035 push esi 0x00000036 push esi 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBA780 second address: FBA78B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBA78B second address: FBA78F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD805 second address: FBD819 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FAF78D3F526h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FAF78D3F528h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD37A second address: FBD385 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jl 00007FAF7914BEC6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD385 second address: FBD38E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD38E second address: FBD3BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007FAF7914BEC6h 0x00000015 jnl 00007FAF7914BEC6h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD3BC second address: FBD3DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FAF78D3F536h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD3DC second address: FBD3E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBD3E0 second address: FBD3E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FBFD44 second address: FBFD50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jne 00007FAF7914BEC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD848A second address: FD8494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FAF78D3F526h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD72A2 second address: FD72A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD72A6 second address: FD72AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD72AC second address: FD72B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD740F second address: FD7414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD76A8 second address: FD76AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD76AE second address: FD76BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7828 second address: FD782C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD782C second address: FD7839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7839 second address: FD7848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jg 00007FAF7914BECCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7848 second address: FD7857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FAF78D3F52Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7857 second address: FD785B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD785B second address: FD786D instructions: 0x00000000 rdtsc 0x00000002 jc 00007FAF78D3F52Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD786D second address: FD7873 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7AFC second address: FD7B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7B00 second address: FD7B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007FAF7914BECEh 0x0000000c jmp 00007FAF7914BECAh 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7B20 second address: FD7B25 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7B25 second address: FD7B41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7CE2 second address: FD7CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7CE8 second address: FD7D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED8h 0x00000009 popad 0x0000000a jmp 00007FAF7914BECDh 0x0000000f jnc 00007FAF7914BED2h 0x00000015 js 00007FAF7914BECEh 0x0000001b push esi 0x0000001c pop esi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7D2E second address: FD7D4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FAF78D3F53Fh 0x0000000b jmp 00007FAF78D3F52Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7E96 second address: FD7EA2 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FAF7914BEC6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FD7EA2 second address: FD7EC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 jnp 00007FAF78D3F526h 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pushad 0x00000010 jmp 00007FAF78D3F52Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDAE09 second address: FDAE13 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FAF7914BEC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDAEB7 second address: FDAEBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC6BC second address: FDC6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC6D5 second address: FDC6E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDC6E7 second address: FDC6FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: FDFFCE second address: FDFFD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B101A4 second address: 4B101CC instructions: 0x00000000 rdtsc 0x00000002 call 00007FAF7914BED2h 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B101CC second address: 4B101D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B101D2 second address: 4B101D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00008 second address: 4B0000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0000C second address: 4B00027 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00027 second address: 4B0004B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0004B second address: 4B0004F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0004F second address: 4B00053 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00053 second address: 4B00059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00059 second address: 4B0005F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0005F second address: 4B00063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00063 second address: 4B00067 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40039 second address: 4B4003D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B4003D second address: 4B40050 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B40050 second address: 4B400C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECFh 0x00000009 and eax, 0E6EDE4Eh 0x0000000f jmp 00007FAF7914BED9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FAF7914BED0h 0x0000001b add si, AAC8h 0x00000020 jmp 00007FAF7914BECBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 mov ebp, esp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007FAF7914BED5h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD00DE second address: 4AD012A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx edx, cx 0x0000000e mov eax, 081F33BFh 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov ebx, ecx 0x00000018 pushfd 0x00000019 jmp 00007FAF78D3F52Ch 0x0000001e adc ecx, 73E5DAA8h 0x00000024 jmp 00007FAF78D3F52Bh 0x00000029 popfd 0x0000002a popad 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD012A second address: 4AD012E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD012E second address: 4AD0134 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0134 second address: 4AD017D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BED8h 0x00000009 add ecx, 06088838h 0x0000000f jmp 00007FAF7914BECBh 0x00000014 popfd 0x00000015 push eax 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FAF7914BED1h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD017D second address: 4AD0183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0183 second address: 4AD0187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0187 second address: 4AD018B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0CBF second address: 4AF0CEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov edx, eax 0x0000000d mov ch, DEh 0x0000000f popad 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FAF7914BED1h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0CEF second address: 4AF0D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007FAF78D3F533h 0x0000000b and esi, 714FFB5Eh 0x00000011 jmp 00007FAF78D3F539h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FAF78D3F533h 0x00000024 add ecx, 70AC956Eh 0x0000002a jmp 00007FAF78D3F539h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF079B second address: 4AF07A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF07A1 second address: 4AF07E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FAF78D3F52Dh 0x00000015 add cx, 9816h 0x0000001a jmp 00007FAF78D3F531h 0x0000001f popfd 0x00000020 mov cx, 2287h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF07E7 second address: 4AF07ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF07ED second address: 4AF07F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF07F1 second address: 4AF07F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF07F5 second address: 4AF082D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007FAF78D3F531h 0x00000010 pop edx 0x00000011 mov edi, esi 0x00000013 popad 0x00000014 pop ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FAF78D3F535h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0531 second address: 4AF056D instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FAF7914BED5h 0x0000000d or si, F366h 0x00000012 jmp 00007FAF7914BED1h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF056D second address: 4AF0571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0571 second address: 4AF0577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0577 second address: 4AF05DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FAF78D3F52Ah 0x0000000e xchg eax, ebp 0x0000000f jmp 00007FAF78D3F530h 0x00000014 mov ebp, esp 0x00000016 jmp 00007FAF78D3F530h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FAF78D3F52Dh 0x00000025 adc ah, FFFFFF86h 0x00000028 jmp 00007FAF78D3F531h 0x0000002d popfd 0x0000002e mov ecx, 0AD05937h 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B003F9 second address: 4B0043D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FAF7914BED4h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007FAF7914BECDh 0x00000019 pop eax 0x0000001a call 00007FAF7914BED1h 0x0000001f pop esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B0043D second address: 4B00443 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B00443 second address: 4B00447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B105B1 second address: 4B105B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B105B5 second address: 4B105BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B105BB second address: 4B105C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B105C1 second address: 4B105C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B105C5 second address: 4B105F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FAF78D3F52Dh 0x0000000e mov ebp, esp 0x00000010 jmp 00007FAF78D3F52Eh 0x00000015 mov eax, dword ptr [ebp+08h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edi, cx 0x0000001e mov si, F555h 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF071C second address: 4AF0736 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ecx, ebx 0x00000010 movsx ebx, ax 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B100C7 second address: 4B100D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx ecx, bx 0x00000006 mov ax, di 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B100D9 second address: 4B100F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF7914BED9h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B100F7 second address: 4B10102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10102 second address: 4B10149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pushfd 0x00000007 jmp 00007FAF7914BECAh 0x0000000c and ecx, 237E1758h 0x00000012 jmp 00007FAF7914BECBh 0x00000017 popfd 0x00000018 pop ecx 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov ah, A6h 0x00000021 pushfd 0x00000022 jmp 00007FAF7914BECDh 0x00000027 jmp 00007FAF7914BECBh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1036B second address: 4B10424 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, eax 0x00000008 popad 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FAF78D3F52Ch 0x00000013 add eax, 07513D58h 0x00000019 jmp 00007FAF78D3F52Bh 0x0000001e popfd 0x0000001f mov si, E20Fh 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FAF78D3F530h 0x0000002d xor ax, 47B8h 0x00000032 jmp 00007FAF78D3F52Bh 0x00000037 popfd 0x00000038 mov edi, esi 0x0000003a popad 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007FAF78D3F537h 0x00000045 sbb ecx, 5470662Eh 0x0000004b jmp 00007FAF78D3F539h 0x00000050 popfd 0x00000051 pushfd 0x00000052 jmp 00007FAF78D3F530h 0x00000057 sub ecx, 3379E3A8h 0x0000005d jmp 00007FAF78D3F52Bh 0x00000062 popfd 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B10424 second address: 4B1042A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1042A second address: 4B1042E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B1042E second address: 4B10432 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B306F9 second address: 4B3071E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F52Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3071E second address: 4B3072E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF7914BECCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3072E second address: 4B30745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30745 second address: 4B3074C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3074C second address: 4B307FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF78D3F533h 0x00000009 and cx, 29DEh 0x0000000e jmp 00007FAF78D3F539h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FAF78D3F530h 0x0000001a sbb ecx, 24B8E1D8h 0x00000020 jmp 00007FAF78D3F52Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ecx 0x0000002a jmp 00007FAF78D3F536h 0x0000002f mov eax, dword ptr [76FB65FCh] 0x00000034 jmp 00007FAF78D3F530h 0x00000039 test eax, eax 0x0000003b jmp 00007FAF78D3F530h 0x00000040 je 00007FAFEB1426A6h 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FAF78D3F52Ah 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B307FA second address: 4B307FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B307FE second address: 4B30804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30804 second address: 4B30831 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007FAF7914BED0h 0x00000010 xor eax, dword ptr [ebp+08h] 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30831 second address: 4B30835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30835 second address: 4B30839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30839 second address: 4B3083F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3083F second address: 4B3086A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BECDh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B3086A second address: 4B308DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAF78D3F52Ch 0x00000012 adc al, 00000018h 0x00000015 jmp 00007FAF78D3F52Bh 0x0000001a popfd 0x0000001b mov ax, BBCFh 0x0000001f popad 0x00000020 leave 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007FAF78D3F530h 0x00000028 sbb cl, 00000078h 0x0000002b jmp 00007FAF78D3F52Bh 0x00000030 popfd 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FAF78D3F536h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B308DD second address: 4B30903 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 retn 0004h 0x0000000a nop 0x0000000b mov esi, eax 0x0000000d lea eax, dword ptr [ebp-08h] 0x00000010 xor esi, dword ptr [00D32014h] 0x00000016 push eax 0x00000017 push eax 0x00000018 push eax 0x00000019 lea eax, dword ptr [ebp-10h] 0x0000001c push eax 0x0000001d call 00007FAF7CF8C7BDh 0x00000022 push FFFFFFFEh 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FAF7914BED6h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30903 second address: 4B30909 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30909 second address: 4B30942 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECCh 0x00000009 adc eax, 457AE668h 0x0000000f jmp 00007FAF7914BECBh 0x00000014 popfd 0x00000015 movzx esi, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FAF7914BECEh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30942 second address: 4B30948 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30948 second address: 4B30984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ret 0x0000000c nop 0x0000000d push eax 0x0000000e call 00007FAF7CF8C82Bh 0x00000013 mov edi, edi 0x00000015 pushad 0x00000016 mov eax, 23B33ED3h 0x0000001b mov di, si 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 jmp 00007FAF7914BED2h 0x00000025 push eax 0x00000026 pushad 0x00000027 push eax 0x00000028 push edx 0x00000029 mov edx, 2FFD2822h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B30984 second address: 4B309AF instructions: 0x00000000 rdtsc 0x00000002 mov bh, A4h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov cx, di 0x0000000c call 00007FAF78D3F533h 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B309AF second address: 4B309B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B309B5 second address: 4B309BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B309BB second address: 4B309E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BED5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE001F second address: 4AE0025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0025 second address: 4AE005B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAF7914BECBh 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FAF7914BED5h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE005B second address: 4AE0078 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F531h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0078 second address: 4AE008B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE008B second address: 4AE010C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FAF78D3F52Fh 0x00000008 pushfd 0x00000009 jmp 00007FAF78D3F538h 0x0000000e adc esi, 2D4BD7F8h 0x00000014 jmp 00007FAF78D3F52Bh 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and esp, FFFFFFF8h 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov ecx, ebx 0x00000025 pushfd 0x00000026 jmp 00007FAF78D3F537h 0x0000002b adc eax, 02B8386Eh 0x00000031 jmp 00007FAF78D3F539h 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE010C second address: 4AE0184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d mov ah, EFh 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FAF7914BED2h 0x00000016 xchg eax, ecx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FAF7914BECEh 0x0000001e sub si, 6178h 0x00000023 jmp 00007FAF7914BECBh 0x00000028 popfd 0x00000029 mov ecx, 0971A0AFh 0x0000002e popad 0x0000002f xchg eax, ebx 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 jmp 00007FAF7914BED7h 0x00000038 mov esi, 6B6D228Fh 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0184 second address: 4AE0198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F530h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0198 second address: 4AE01C0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FAF7914BED4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE01C0 second address: 4AE01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE01C6 second address: 4AE01CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE01CA second address: 4AE01FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FAF78D3F532h 0x00000012 or ecx, 5765EAF8h 0x00000018 jmp 00007FAF78D3F52Bh 0x0000001d popfd 0x0000001e movzx eax, bx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE01FF second address: 4AE029D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebx, dword ptr [ebp+10h] 0x0000000c pushad 0x0000000d movzx esi, bx 0x00000010 mov eax, edx 0x00000012 popad 0x00000013 push eax 0x00000014 jmp 00007FAF7914BED2h 0x00000019 mov dword ptr [esp], esi 0x0000001c pushad 0x0000001d mov esi, 1BB055CDh 0x00000022 pushfd 0x00000023 jmp 00007FAF7914BECAh 0x00000028 add cx, 16E8h 0x0000002d jmp 00007FAF7914BECBh 0x00000032 popfd 0x00000033 popad 0x00000034 mov esi, dword ptr [ebp+08h] 0x00000037 jmp 00007FAF7914BED6h 0x0000003c xchg eax, edi 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 pushfd 0x00000041 jmp 00007FAF7914BECDh 0x00000046 adc cx, 0BB6h 0x0000004b jmp 00007FAF7914BED1h 0x00000050 popfd 0x00000051 mov bl, al 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE029D second address: 4AE02E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007FAF78D3F52Bh 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FAF78D3F534h 0x00000017 sub si, 5938h 0x0000001c jmp 00007FAF78D3F52Bh 0x00000021 popfd 0x00000022 pushad 0x00000023 push esi 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE02E4 second address: 4AE031A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 test esi, esi 0x00000008 jmp 00007FAF7914BECEh 0x0000000d je 00007FAFEB59A1E1h 0x00000013 pushad 0x00000014 mov si, C22Dh 0x00000018 mov ch, 54h 0x0000001a popad 0x0000001b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 mov ax, 909Dh 0x00000029 mov dx, si 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE031A second address: 4AE037C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF78D3F535h 0x00000009 xor eax, 5AC393E6h 0x0000000f jmp 00007FAF78D3F531h 0x00000014 popfd 0x00000015 mov edi, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a je 00007FAFEB18D801h 0x00000020 jmp 00007FAF78D3F52Ah 0x00000025 mov edx, dword ptr [esi+44h] 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FAF78D3F537h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE037C second address: 4AE03F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007FAF7914BECEh 0x00000011 test edx, 61000000h 0x00000017 jmp 00007FAF7914BED0h 0x0000001c jne 00007FAFEB59A18Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FAF7914BECDh 0x0000002b sub si, 5966h 0x00000030 jmp 00007FAF7914BED1h 0x00000035 popfd 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE03F0 second address: 4AE03F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE03F5 second address: 4AE042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECDh 0x00000009 adc cx, 82C6h 0x0000000e jmp 00007FAF7914BED1h 0x00000013 popfd 0x00000014 mov bl, al 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 test byte ptr [esi+48h], 00000001h 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE042C second address: 4AE0432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0432 second address: 4AE047F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAFEB59A11Ah 0x0000000f jmp 00007FAF7914BED6h 0x00000014 test bl, 00000007h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a jmp 00007FAF7914BECDh 0x0000001f mov ch, 6Ch 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0721 second address: 4AD0789 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F539h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007FAF78D3F537h 0x00000010 push esi 0x00000011 mov edi, 1C602FAAh 0x00000016 pop edi 0x00000017 popad 0x00000018 xchg eax, ebp 0x00000019 jmp 00007FAF78D3F52Eh 0x0000001e mov ebp, esp 0x00000020 jmp 00007FAF78D3F530h 0x00000025 and esp, FFFFFFF8h 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0789 second address: 4AD078D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD078D second address: 4AD0791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0791 second address: 4AD0797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0797 second address: 4AD07B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b push eax 0x0000000c mov eax, ebx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD07B9 second address: 4AD07BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD07BD second address: 4AD07FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F532h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007FAF78D3F52Bh 0x00000010 xchg eax, ebx 0x00000011 jmp 00007FAF78D3F536h 0x00000016 xchg eax, esi 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD07FE second address: 4AD0802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0802 second address: 4AD0806 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0806 second address: 4AD080C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD080C second address: 4AD081B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F52Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD081B second address: 4AD087E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FAF7914BED1h 0x00000011 xchg eax, esi 0x00000012 jmp 00007FAF7914BECEh 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push edi 0x0000001e pop eax 0x0000001f call 00007FAF7914BED9h 0x00000024 pop eax 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD087E second address: 4AD08E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B623h 0x00000007 pushfd 0x00000008 jmp 00007FAF78D3F538h 0x0000000d adc si, 6168h 0x00000012 jmp 00007FAF78D3F52Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b sub ebx, ebx 0x0000001d pushad 0x0000001e mov cx, di 0x00000021 call 00007FAF78D3F531h 0x00000026 push eax 0x00000027 pop ebx 0x00000028 pop eax 0x00000029 popad 0x0000002a test esi, esi 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f movzx eax, dx 0x00000032 call 00007FAF78D3F531h 0x00000037 pop ecx 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD08E8 second address: 4AD0985 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FAF7914BECCh 0x00000008 pop esi 0x00000009 jmp 00007FAF7914BECBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 je 00007FAFEB5A194Eh 0x00000017 pushad 0x00000018 mov bh, cl 0x0000001a pushfd 0x0000001b jmp 00007FAF7914BED1h 0x00000020 sbb eax, 79114CF6h 0x00000026 jmp 00007FAF7914BED1h 0x0000002b popfd 0x0000002c popad 0x0000002d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000034 jmp 00007FAF7914BECEh 0x00000039 mov ecx, esi 0x0000003b jmp 00007FAF7914BED0h 0x00000040 je 00007FAFEB5A1908h 0x00000046 jmp 00007FAF7914BED0h 0x0000004b test byte ptr [76FB6968h], 00000002h 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 mov dx, cx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0985 second address: 4AD09B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F535h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FAFEB194F3Eh 0x0000000f pushad 0x00000010 push esi 0x00000011 pop edi 0x00000012 mov si, 1BABh 0x00000016 popad 0x00000017 mov edx, dword ptr [ebp+0Ch] 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov bh, 0Dh 0x0000001f mov dl, ch 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD09B7 second address: 4AD0A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BECCh 0x00000009 or ah, 00000068h 0x0000000c jmp 00007FAF7914BECBh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FAF7914BED8h 0x00000018 adc si, 06C8h 0x0000001d jmp 00007FAF7914BECBh 0x00000022 popfd 0x00000023 popad 0x00000024 pop edx 0x00000025 pop eax 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 mov ecx, ebx 0x0000002b popad 0x0000002c mov bx, C810h 0x00000030 popad 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0A14 second address: 4AD0A2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FAF78D3F531h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0A2A second address: 4AD0A6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 pushfd 0x00000006 jmp 00007FAF7914BED3h 0x0000000b add eax, 72BCC31Eh 0x00000011 jmp 00007FAF7914BED9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0A6D second address: 4AD0A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0A71 second address: 4AD0A84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0A84 second address: 4AD0A9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FAF78D3F534h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0B30 second address: 4AD0B36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0B36 second address: 4AD0B3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AD0B3A second address: 4AD0B3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E7D second address: 4AE0E81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E81 second address: 4AE0E87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0E87 second address: 4AE0EB3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F537h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0EB3 second address: 4AE0EB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0EB9 second address: 4AE0ED1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FAF78D3F52Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0ED1 second address: 4AE0F26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FAF7914BED7h 0x00000009 or ecx, 1FC8E6EEh 0x0000000f jmp 00007FAF7914BED9h 0x00000014 popfd 0x00000015 mov eax, 69CEB277h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov ecx, ebx 0x00000023 jmp 00007FAF7914BECBh 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0F26 second address: 4AE0F2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0F2C second address: 4AE0F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0F30 second address: 4AE0F58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FAF78D3F537h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0F58 second address: 4AE0F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0F5C second address: 4AE0F77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F537h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0B87 second address: 4AE0B8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0B8B second address: 4AE0B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0B8F second address: 4AE0B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0B95 second address: 4AE0BB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dh, 30h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0BB4 second address: 4AE0BD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A786h 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FAF7914BED4h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AE0BD7 second address: 4AE0C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 push ecx 0x00000007 pop edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop eax 0x00000011 pop edi 0x00000012 call 00007FAF78D3F52Ah 0x00000017 pop edx 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FAF78D3F533h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60637 second address: 4B6063C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B6063C second address: 4B60665 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F534h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FAF78D3F52Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B60665 second address: 4B6066B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50931 second address: 4B5094D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF78D3F52Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov dx, FB16h 0x00000011 mov bx, B2A2h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5094D second address: 4B50972 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BED8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov eax, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50972 second address: 4B50977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50977 second address: 4B5098B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov si, 65BDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov ch, 68h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50772 second address: 4B50776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50776 second address: 4B5077C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B5077C second address: 4B50782 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50782 second address: 4B50786 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0317 second address: 4AF0349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 0B6FFA8Bh 0x00000008 pushfd 0x00000009 jmp 00007FAF78D3F530h 0x0000000e add al, FFFFFF98h 0x00000011 jmp 00007FAF78D3F52Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4AF0349 second address: 4AF035B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FAF7914BECEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50B55 second address: 4B50BB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 pushfd 0x00000006 jmp 00007FAF78D3F52Bh 0x0000000b jmp 00007FAF78D3F533h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 mov ax, 65DBh 0x0000001a mov cx, 84B7h 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FAF78D3F52Dh 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov al, dh 0x0000002b jmp 00007FAF78D3F534h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50BB1 second address: 4B50BCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 07F366B4h 0x00000008 mov bx, 3A20h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 mov al, 1Dh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50BCA second address: 4B50BD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50C31 second address: 4B50C37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50C37 second address: 4B50C3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4B50C3B second address: 4B50C3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EE17FC instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: EE1414 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: F6E689 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: A517FC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: A51414 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Special instruction interceptor: First address: ADE689 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Special instruction interceptor: First address: 88EC19 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Special instruction interceptor: First address: A54A91 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Special instruction interceptor: First address: ABEAD0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Special instruction interceptor: First address: 78363E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Special instruction interceptor: First address: 5DDB12 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Special instruction interceptor: First address: 7944F2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Special instruction interceptor: First address: 8149EF instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory allocated: DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory allocated: 1A820000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B50B29 rdtsc 0_2_04B50B29
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 180000
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 716 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1160 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 978 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1140 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1143 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1155 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1179 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Window / User API: threadDelayed 1135 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window / User API: threadDelayed 1203
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window / User API: threadDelayed 1188
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window / User API: threadDelayed 1169
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window / User API: threadDelayed 1203
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window / User API: threadDelayed 1230
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Window / User API: threadDelayed 1168
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\J4EDANXSATRMSXZUEQ.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\XLN9V631J4Y45UE4.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ZWAE2K096DYFL3DZL5I.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CC7V0PUTO3B4JOR1523VPRJQN904A.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API coverage: 5.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3604 Thread sleep count: 716 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3604 Thread sleep time: -1432716s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6104 Thread sleep count: 1160 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6104 Thread sleep time: -2321160s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4136 Thread sleep time: -44000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5544 Thread sleep count: 111 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5544 Thread sleep time: -3330000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5804 Thread sleep count: 978 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5804 Thread sleep time: -1956978s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 772 Thread sleep count: 1140 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 772 Thread sleep time: -2281140s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3868 Thread sleep count: 1143 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3868 Thread sleep time: -2287143s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1704 Thread sleep count: 1155 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1704 Thread sleep time: -2311155s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5436 Thread sleep count: 1179 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 5436 Thread sleep time: -2359179s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6840 Thread sleep count: 1135 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6840 Thread sleep time: -2271135s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 2232 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 5940 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe TID: 5940 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe TID: 5000 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6848 Thread sleep count: 1203 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6848 Thread sleep time: -2407203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6876 Thread sleep count: 1188 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6876 Thread sleep time: -2377188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6844 Thread sleep count: 1169 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6844 Thread sleep time: -2339169s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6192 Thread sleep time: -44000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6320 Thread sleep time: -330000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6868 Thread sleep count: 1203 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6868 Thread sleep time: -2407203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6800 Thread sleep count: 1230 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6800 Thread sleep time: -2461230s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6864 Thread sleep count: 1168 > 30
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe TID: 6864 Thread sleep time: -2337168s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe TID: 2308 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2948 Thread sleep time: -4920000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3288 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2720 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2948 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe TID: 5084 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe TID: 6108 Thread sleep time: -30000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 6_2_00F1E430
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F24910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F24910
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F116D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F116D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F1F6B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F23EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 6_2_00F23EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 6_2_00F1DA80
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 6_2_00F1BE70
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F238B0 wsprintfA,FindFirstFileA,lstrcatA,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcatA,lstrlenA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 6_2_00F238B0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F24570 GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 6_2_00F24570
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 6_2_00F1ED20
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F1DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 6_2_00F1DE10
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_004062D5 FindFirstFileW,FindClose, 9_2_004062D5
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00402E18 FindFirstFileW, 9_2_00402E18
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 9_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F11160 GetSystemInfo,ExitProcess, 6_2_00F11160
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 30000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 180000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: file.exe, file.exe, 00000000.00000002.1730081745.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, axplong.exe, 00000001.00000002.1758480704.0000000000A32000.00000040.00000001.01000000.00000007.sdmp, new_v8.exe, 0000001B.00000003.3578559500.0000000004363000.00000004.00000800.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3151614668.0000000000764000.00000040.00000001.01000000.0000001D.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000003.1700960401.00000000006AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3197330580.000000000128C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426441376.000000000128C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3148528207.000000000128C000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F13000.00000004.00000020.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3155168475.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3155168475.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: f6f4816752.exe, 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: shop.exe, 00000032.00000003.3571302943.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3574945711.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3365556478.00000000015F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW9
Source: stealc_default2.exe, 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareW
Source: file.exe, 00000000.00000002.1730081745.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1758480704.0000000000A32000.00000040.00000001.01000000.00000007.sdmp, new_v8.exe, 0000001B.00000003.3578559500.0000000004363000.00000004.00000800.00020000.00000000.sdmp, f6f4816752.exe, 00000031.00000002.3151614668.0000000000764000.00000040.00000001.01000000.0000001D.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04B50B29 rdtsc 0_2_04B50B29
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F2AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00F2AD48
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F145C0 VirtualProtect ?,00000004,00000100,00000000 6_2_00F145C0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F29860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_00F29860
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F29750 mov eax, dword ptr fs:[00000030h] 6_2_00F29750
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F278E0 GetProcessHeap,HeapAlloc,GetComputerNameA, 6_2_00F278E0
Enables debug privileges
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F2AD48 memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00F2AD48
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F2CEEA SetUnhandledExceptionFilter, 6_2_00F2CEEA
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F2B33A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00F2B33A
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF8B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6BF8B1F7
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF8B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6BF8B66C
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C13AC62 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6C13AC62
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: f6f4816752.exe PID: 5472, type: MEMORYSTR
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Memory written: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Memory written: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe base: 400000 value starts with: 4D5A
LummaC encrypted strings found
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: scriptyprefej.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: navygenerayk.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: founpiuer.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: necklacedmny.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: thumbystriw.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: fadehairucw.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: crisiwarny.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: presticitpo.store
Source: c1a4d3220c.exe, 00000021.00000003.2810274920.0000000004DF0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: opinieni.store
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: servicedny.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: authorisev.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: faulteyotk.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: dilemmadu.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: contemteny.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: goalyfeastz.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: opposezmny.site
Source: GOLD1234.exe, 00000022.00000002.3206884173.0000000000E5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: seallysl.site
Source: RDX123456.exe, 00000024.00000002.3148059827.0000000000986000.00000002.00000001.01000000.00000019.sdmp String found in binary or memory: computeryrati.site
Source: shop.exe, 0000002C.00000002.3230063451.00000000013E5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: thighpecr.cyou
Searches for specific processes (likely to inject)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F29600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 6_2_00F29600
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 451000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 466000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46D000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46E000
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 710008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe "C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe "C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe "C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe "C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe "C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe "C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe "C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe "C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe "C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Beijing Beijing.bat & Beijing.bat Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 197036
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "CRAWFORDFILLEDVERIFYSCALE" Mtv
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Twisted + ..\Molecular + ..\Sponsorship + ..\Various + ..\Witch + ..\Spirit + ..\See + ..\Fitting T
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Jurisdiction.pif T
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Wall" /tr "wscript //B 'C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.js'" /sc minute /mo 5 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr "C:\Users\user\AppData\Local\GreenTech Dynamics\EcoCraft.scr" "C:\Users\user\AppData\Local\GreenTech Dynamics\O"
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Process created: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe "C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Process created: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe "C:\Users\user\AppData\Local\Temp\1001425001\shop.exe"
Source: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit
Source: C:\Users\user\AppData\Local\Temp\197036\Jurisdiction.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & echo url="c:\users\user\appdata\local\greentech dynamics\ecocraft.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecocraft.url" & exit
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C184760 malloc,InitializeSecurityDescriptor,SetSecurityDescriptorOwner,SetSecurityDescriptorGroup,GetLengthSid,GetLengthSid,GetLengthSid,malloc,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,PR_SetError,GetLastError,free,GetLastError,GetLastError,free,free,free, 6_2_6C184760
Source: splwow64.exe, 00000009.00000003.2554001535.00000000028F7000.00000004.00000020.00020000.00000000.sdmp, Jurisdiction.pif, 00000013.00000000.2596619246.0000000000E66000.00000002.00000001.01000000.0000000E.sdmp, Jurisdiction.pif, 00000013.00000003.2606591118.00000000040C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, axplong.exe Binary or memory string: n[=Program Manager
Source: file.exe, 00000000.00000002.1730081745.0000000000EC2000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1758480704.0000000000A32000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: [=Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BF8B341 cpuid 6_2_6BF8B341
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 6_2_00F27B90
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001096001\RDX123456.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001172001\Set-up.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001475001\0b44ippu.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001507001\1bd0484d71.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000833001\dac4554719.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001506001\f6f4816752.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F27980 GetProcessHeap,HeapAlloc,GetLocalTime,wsprintfA, 6_2_00F27980
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F27850 GetProcessHeap,HeapAlloc,GetUserNameA, 6_2_00F27850
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_00F27A30 GetProcessHeap,HeapAlloc,GetTimeZoneInformation,wsprintfA, 6_2_00F27A30
Source: C:\Users\user\AppData\Local\Temp\1000817001\splwow64.exe Code function: 9_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 9_2_00406805
Source: C:\Users\user\AppData\Local\Temp\1000477001\Offnewhere.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: new_v8.exe, 0000001B.00000003.3358715254.000000000123C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: new_v8.exe, 0000001B.00000003.3026883187.000000000123C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3197330580.000000000128C000.00000004.00000020.00020000.00000000.sdmp, c1a4d3220c.exe, 00000021.00000003.3426441376.000000000128C000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3234339463.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420299008.0000000000F06000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3226982086.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3420863597.0000000000F8A000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3269711303.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, GOLD1234.exe, 00000025.00000003.3419949484.0000000000F89000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000002.3574767608.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, shop.exe, 00000032.00000003.3571302943.00000000015CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 1.2.axplong.exe.840000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.cd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1758351370.0000000000841000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1688467424.0000000004940000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2317904787.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.1718075607.0000000005050000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1729894674.0000000000CD1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new_v8.exe PID: 3340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c1a4d3220c.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GOLD1234.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shop.exe PID: 3888, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 6.2.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.f6f4816752.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2360564124.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2360588213.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3149193410.00000000002F1000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.3036164555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: f6f4816752.exe PID: 5472, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe, type: DROPPED
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: Electrum
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: \Electrum\wallets\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: window-state.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: Jaxx Desktop (old)
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: exodus.conf.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: \Exodus\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: info.seco
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: ElectrumLTC
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: passphrase.json
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: \Ethereum\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: Exodus
Source: stealc_default2.exe, 00000006.00000002.2615206943.0000000001760000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: Ethereum
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F5A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: lockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F98000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: MultiDoge
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: seed.seco
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: keystore
Source: stealc_default2.exe, 00000006.00000002.2613116477.0000000000F6A000.00000004.00000001.01000000.00000009.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: stealc_default2.exe, 00000006.00000002.2615206943.00000000017D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\*.*
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\NWTVCDUMOB
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000857001\c1a4d3220c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1000965001\GOLD1234.exe Directory queried: C:\Users\user\Documents\RAYHIWGKDI
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\NIKHQAIQAU
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\QCFWYSKMHA
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\LSBIHQFDVT
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\LTKMYBSEYZ
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001425001\shop.exe Directory queried: C:\Users\user\Documents
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Source: C:\Users\user\AppData\Local\Temp\1000828001\new_v8.exe Directory queried: number of queries: 1001
Yara detected Credential Stealer
Source: Yara match File source: 27.3.new_v8.exe.124cff8.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.3.new_v8.exe.124cff8.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000021.00000003.3197330580.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2981305297.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3098957154.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3127124077.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3284579257.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2995423907.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3148528207.00000000012E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3126824181.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3178681399.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3134934395.0000000001652000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3313436090.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3048486160.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2894968481.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3170492805.0000000001657000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3237340411.0000000001646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2732256893.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2615206943.00000000017B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2754649701.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3237340411.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3301700875.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2785879104.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3147801023.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3271528231.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3091934423.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3262647294.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2895449754.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3266871838.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2804806549.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2732759831.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3314956401.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2753208386.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2993220330.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3156872332.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3274426173.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3124289253.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3124530510.0000000001309000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3261461567.0000000001652000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3137226821.0000000001656000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3026321552.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2954411937.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2999744421.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2780168317.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2996701233.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3086928884.0000000001652000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2953800369.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2731444217.000000000124A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3137274134.000000000165E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.2930322210.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3161598485.0000000001655000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3052777343.00000000012F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.3099529730.00000000012F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000003.3292216008.000000000165F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2877420998.000000000124E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new_v8.exe PID: 3340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c1a4d3220c.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GOLD1234.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shop.exe PID: 3888, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected LummaC Stealer
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: new_v8.exe PID: 3340, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: c1a4d3220c.exe PID: 6604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: GOLD1234.exe PID: 5676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: shop.exe PID: 3888, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 6.2.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.stealc_default2.exe.f10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 49.2.f6f4816752.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000000.2360564124.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.2360588213.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3155168475.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000002.3149193410.00000000002F1000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2612862964.0000000000F11000.00000080.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2615206943.000000000176E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000031.00000003.3036164555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2612923701.0000000000F2E000.00000002.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: f6f4816752.exe PID: 5472, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\stealc_default2[1].exe, type: DROPPED
Yara detected Vidar stealer
Source: Yara match File source: Process Memory Space: stealc_default2.exe PID: 6660, type: MEMORYSTR
Contains functionality to start a terminal service
Source: dac4554719.exe, 0000001D.00000002.3154971560.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: dac4554719.exe, 0000001D.00000002.3154971560.0000000002821000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit set9808a67f01d2f0720518035acbde7521c1ec479e5342a25940592acf24703eb27c43933a6df6cc301ccfdb96c295ca9e1379cdKQ6YLeECCI7oRIIlBdu0JXCschRUJvTmfL1bOR7r2ybwLPTtMr==SvPibCQyHPQpdL==JPKpdL==XgagNuVoBJ1TRp==WZYvZSx5AcYV4F==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyPWW XN==SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy VSJq29EKfvRj1wrD1Urk1YMDS0GeciN62q==SjKqWZQhIx5IxvMEWthJxwZwAVygSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcWoYyakKrZBtxBpL8SEysZYFm1NP=SXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0C QYRD2cYliuVc2hDm1UZcTYkA8A0oXUy UXdq1wz8Wb5jOALv2o==HSKQRQFVJabxXJtwyK==VButcv==SBYQVv==PXKR9TF3bkB3aZF3 0B3Wj 3WUx3aDB3bTT3XDP3WUN3 EN3 Z23agP=W0yiZx1p1wAZ3Rtg2wVh1yr8W0yiZx1p1wz=WZmmcx1p1wz=XAt=XQt=XQx=XQB=RTumbb==9EGXcykAAm==9EGXcCIaAoa=XU7iXDmpWZQhaEBu UCmcjatJ0uYaRR5NDB+NDF+JYqpdR u1dPmIvhoGt==dx==HkKraSMdNN==aZ7ibBsEB98bgvs=9ZKvbhRxBpLl4vtjPZKXThB50N2cZShq3ALqHOZmdx==SEysZYFm1KU9ivB4OSOyUWMlJSbdiw 92gK=OUOmchA=QZuwcBRD2SwWNtt9Na==PSCCVv==SDurZBAlJSYaiMFg3Ba=PDYgdB5Dxvgc36==OSOEKwNtVB55NMAK4LJS2gbX4I==OjaXZBRrOM8b4ME=RjYvdB5zSZYtaB5EOZYqbXNATZarRBRrOM8b4ME=KAtvMuM6C fVTF==ajx=bZx=OZYrdBRz3s4LjMxcDcrq3Or0cYEl9hHlXjYvbNXpNNU9Tnx 1XLrOyzygU3xHMRjJPPqLNWyBNeAbX15OM8RQJNg2Xrs2Uf0cXbyKcsc 0yqLRNm3wHYNv191QK6xeLhfHHmKssc9TmibhByOJ3 GdPHQX5z3wYlirXL4RriDavheIEw7QE8bDasbd5ANTUcirXq3BziNOUNEh3OBNdqLNWyAI3=JPPKCb==N0CgceWCJjetZr==OZYrdBRz3s4LjMxcDcre2zvscXQl Acl fY1LS 83o4dgSFkARLv1yPu03boVQH=SYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA4VR5k2BLXOPDO0X4pTyEl UqYdBRDIcIk4F==OZYqcCR5ONMF3LXcWTygZBRrOSkgfbpj1QVs2zzye4U5 h5UcUdtMOEECtXTSocWAPY=JUKraRJAOwXkSYaQVzRSMuQShcFc1hHA1UZ0enbwQWMQVBCsbiND1SA40L1g3ALhKefk1XbgMU0ETCyMTAt1HKUwYQs=SYaQVzRSMuQmgcNp1WnQOPKwOEIgQWMobjagZSJhFcIqfLJv0RDt1yz5ZG2tVAMlTjahZR5OGq==VAptMyw=PDKjYSRx3vQciwNg1g4wAdbS1YQz8BMQ9TYrPDKjYSRx3vQciwNg1g4wAdfS1YQz8BMQ9TYrSXYDVA GJaY4YLha2gZw1UT0ZGgt8gIlb0BdTgNhFTYphbRl3zPi2fHpd37=SEysZCRo3u89gLQ=KgpuOL==KgpvMb==KgpuNb==KgpvNL==O0KvchRz3uMSfLtbVx==Mgd3akKrZBtxBpLl4MdcJZhdGkGecXpw0MAjNr5dxwZm1KuiGfpjJdx50M4cgSRRxxudyaSg1HYwEu==HfNdRSdu3sL=GfpjJdxDOM78GzNjIv==SDY0ZSFE0wYjgr1c4AK=JTK1ZRJ63womgcxm1Abg4Kvy1X4z AMp9T3rZRMlAK2ggvQ8xa==Gd==aZ7YdBNA3S78QMI8ARGdBs==a0F6cr==ajurZB5yQZK2Yh5m2cT8YvBW1XLXMxvy1XAzUQH=KAptMyw5BJn=KAptMyw5B L=KAptMyw5B P=KAptMyw5BS1=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000fDenyTSConnectionsSYSTEM\CurrentControlSet\Control\Terminal Servernetsh advfirewall firewall set rule group="Remote Desktop" new enable=Yessc config termservice
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C140C40 sqlite3_bind_zeroblob, 6_2_6C140C40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C140D60 sqlite3_bind_parameter_name, 6_2_6C140D60
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C068EA0 sqlite3_clear_bindings, 6_2_6C068EA0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C140B40 sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_zeroblob, 6_2_6C140B40
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C066410 bind,WSAGetLastError, 6_2_6C066410
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6BFF22D0 sqlite3_bind_blob, 6_2_6BFF22D0
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C06C030 sqlite3_bind_parameter_count, 6_2_6C06C030
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C06C050 sqlite3_bind_parameter_index,strlen,strncmp,strncmp, 6_2_6C06C050
Source: C:\Users\user\AppData\Local\Temp\1000066001\stealc_default2.exe Code function: 6_2_6C066070 PR_Listen, 6_2_6C066070
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1546667 Sample: file.exe Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 136 Found malware configuration 2->136 138 Antivirus detection for dropped file 2->138 140 Antivirus / Scanner detection for submitted sample 2->140 142 22 other signatures 2->142 10 axplong.exe 2 52 2->10         started        15 file.exe 5 2->15         started        17 wscript.exe 2->17         started        19 wscript.exe 2->19         started        process3 dnsIp4 124 185.215.113.16 WHOLESALECONNECTIONSNL Portugal 10->124 126 185.215.113.36 WHOLESALECONNECTIONSNL Portugal 10->126 128 162.159.134.233 CLOUDFLARENETUS United States 10->128 102 C:\Users\user\AppData\...\1bd0484d71.exe, PE32 10->102 dropped 104 C:\Users\user\AppData\...\f6f4816752.exe, PE32 10->104 dropped 106 C:\Users\user\AppData\Local\...\0b44ippu.exe, PE32 10->106 dropped 112 21 other malicious files 10->112 dropped 186 Creates multiple autostart registry keys 10->186 188 Hides threads from debuggers 10->188 190 Tries to detect sandboxes / dynamic malware analysis system (registry check) 10->190 192 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 10->192 21 splwow64.exe 25 10->21         started        25 stealc_default2.exe 33 10->25         started        28 0b44ippu.exe 10->28         started        36 8 other processes 10->36 108 C:\Users\user\AppData\Local\...\axplong.exe, PE32 15->108 dropped 110 C:\Users\user\...\axplong.exe:Zone.Identifier, ASCII 15->110 dropped 194 Detected unpacking (changes PE section rights) 15->194 196 Tries to evade debugger and weak emulator (self modifying code) 15->196 198 Tries to detect virtualization through RDTSC time measurements 15->198 30 axplong.exe 15->30         started        200 Windows Scripting host queries suspicious COM object (likely to drop second stage) 17->200 32 EcoCraft.scr 17->32         started        34 EcoCraft.scr 19->34         started        file5 signatures6 process7 dnsIp8 90 8 other malicious files 21->90 dropped 148 Writes many files with high entropy 21->148 38 cmd.exe 21->38         started        116 185.215.113.17 WHOLESALECONNECTIONSNL Portugal 25->116 80 C:\Users\user\AppData\...\softokn3[1].dll, PE32 25->80 dropped 82 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 25->82 dropped 92 10 other files (6 malicious) 25->92 dropped 150 Multi AV Scanner detection for dropped file 25->150 152 Tries to steal Mail credentials (via file / registry access) 25->152 154 Found many strings related to Crypto-Wallets (likely being stolen) 25->154 168 6 other signatures 25->168 94 15 other malicious files 28->94 dropped 156 Detected unpacking (changes PE section rights) 30->156 158 Tries to evade debugger and weak emulator (self modifying code) 30->158 160 Hides threads from debuggers 30->160 170 2 other signatures 30->170 118 185.215.113.206 WHOLESALECONNECTIONSNL Portugal 36->118 120 2.59.161.36 VMAGE-ASRU Russian Federation 36->120 122 4 other IPs or domains 36->122 84 C:\Users\user\...\ZWAE2K096DYFL3DZL5I.exe, PE32 36->84 dropped 86 C:\Users\user\...\XLN9V631J4Y45UE4.exe, PE32 36->86 dropped 88 C:\...\POSMOJBFP9W4F4JKM6CCW190HW6F0P.exe, PE32 36->88 dropped 96 2 other malicious files 36->96 dropped 162 Query firmware table information (likely to detect VMs) 36->162 164 Contains functionality to start a terminal service 36->164 166 Tries to detect sandboxes and other dynamic analysis tools (window names) 36->166 172 5 other signatures 36->172 42 shop.exe 36->42         started        44 GOLD1234.exe 36->44         started        47 WerFault.exe 36->47         started        49 6 other processes 36->49 file9 signatures10 process11 dnsIp12 98 C:\Users\user\AppData\...\Jurisdiction.pif, PE32 38->98 dropped 174 Drops PE files with a suspicious file extension 38->174 176 Uses schtasks.exe or at.exe to add and modify task schedules 38->176 178 Writes many files with high entropy 38->178 51 Jurisdiction.pif 38->51         started        55 cmd.exe 38->55         started        57 conhost.exe 38->57         started        59 7 other processes 38->59 180 Query firmware table information (likely to detect VMs) 42->180 182 Tries to harvest and steal browser information (history, passwords, etc) 42->182 184 Tries to steal Crypto Currency Wallets 42->184 130 172.67.145.203 CLOUDFLARENETUS United States 44->130 100 C:\...\CC7V0PUTO3B4JOR1523VPRJQN904A.exe, PE32 44->100 dropped 132 20.42.65.92 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 47->132 134 185.215.113.217 WHOLESALECONNECTIONSNL Portugal 49->134 file13 signatures14 process15 file16 72 C:\Users\user\AppData\Local\...coCraft.scr, PE32 51->72 dropped 74 C:\Users\user\AppData\Local\...\O, data 51->74 dropped 76 C:\Users\user\AppData\Local\...coCraft.js, ASCII 51->76 dropped 144 Drops PE files with a suspicious file extension 51->144 146 Writes many files with high entropy 51->146 61 cmd.exe 51->61         started        64 cmd.exe 51->64         started        78 C:\Users\user\AppData\Local\Temp\197036\T, data 55->78 dropped signatures17 process18 file19 114 C:\Users\user\AppData\...coCraft.url, MS 61->114 dropped 66 conhost.exe 61->66         started        68 conhost.exe 64->68         started        70 schtasks.exe 64->70         started        process20
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
1.1.1.1
 unknown Australia
13335 CLOUDFLARENETUS false
185.215.113.36
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
2.59.161.36
 unknown Russian Federation
44676 VMAGE-ASRU false
104.21.32.196
 unknown United States
13335 CLOUDFLARENETUS false
20.42.65.92
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.17
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
172.67.145.203
 unknown United States
13335 CLOUDFLARENETUS false
188.114.96.3
 unknown European Union
13335 CLOUDFLARENETUS false
104.102.49.254
 unknown United States
16625 AKAMAI-ASUS false
185.215.113.217
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
162.159.134.233
 unknown United States
13335 CLOUDFLARENETUS false

Contacted URLs

Name Malicious Antivirus Detection Reputation
seallysl.site true
    		unknown
    computeryrati.site true
      		unknown
      opposezmny.site true
        		unknown